Auto commit, 1 new patch{es}.

[thirdparty/grsecurity-scrape.git] / test / changelog-test.txt

commit e8658e072c00c4c4124383dba46d91f67a24cf97
Merge: b48043e f70f945
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 18 21:05:15 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit f70f94597c07e3902709100b9e8b0ca88ee5be4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 18 21:04:32 2014 -0400

    Update to pax-linux-3.13.10-test20.patch:
    - forward port to 3.13.10
    - temporarily reverted the previous fix of the overflow plugin as it triggers more problems than it solves

 tools/gcc/size_overflow_plugin.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b48043e1a01025db96cbbe3b9817a221c8dc154b
Merge: 30ce675 0338ded
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 17:55:02 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit 0338dedbccd1d623ef78ccebd057893a8510905d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 17:54:33 2014 -0400

    Update to pax-linux-3.13.9-test20.patch:
    - Emese fixed two size overflow false positives due to intentional overflows, reported by 7LL (https://forums.grsecurity.net/viewtopic.php?f=3&t=3940) and marcin1j (https://forums.grsecurity.net/viewtopic.php?f=3&t=3943)

 include/uapi/linux/bcache.h           |    5 ++-
 tools/gcc/size_overflow_hash_aux.data |    9 +++++
 tools/gcc/size_overflow_plugin.c      |   58 ++++++++++++++++++++++++++++++++-
 3 files changed, 69 insertions(+), 3 deletions(-)

commit 30ce6750d8a1cd0484a19bb136baaec0f7780b09
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 17:12:50 2014 -0400

    fix an off-by-one triggerable on 32bit kernels with PAX_USERCOPY on
    specific shmemfs reads that end up copying from empty_zero_page,
    which on 32bit x86 has the same address as _etext.  Fix up some
    other harmless instances of this error as well
    
    Thanks to 'jy' from IRC for reporting this

 arch/x86/mm/init_32.c |    6 +++---
 fs/exec.c             |    4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

commit b3a6e7d392ea040b10b5d84e21ce3b25964ce6df
Merge: 27bdf99 b377d16
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 14 16:49:55 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit b377d16f0d5b072ef75635ca0d778e2807c20ae8
Merge: fc6d889 f994ec5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 14 16:49:37 2014 -0400

    Merge branch 'linux-3.13.y' into pax-test
    
    Conflicts:
        arch/x86/crypto/ghash-clmulni-intel_asm.S
        kernel/futex.c

commit 27bdf99dcadbe3e4b185aea4f8574a6cadf3cc93
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 13 12:47:57 2014 -0400

    From: Mathias Krause <minipli@googlemail.com>
    [PATCH net] filter: prevent nla extensions to peek beyond the end of
            the message
    
    The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check
    for a minimal message length before testing the supplied offset to be
    within the bounds of the message. This allows the subtraction of the nla
    header to underflow and therefore -- as the data type is unsigned --
    allowing far to big offset and length values for the search of the
    netlink attribute.
    
    The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is
    also wrong. It has the minuend und subtrahend mixed up, therefore
    calculates a huge length value, allowing to overrun the end of the
    message while looking for the netlink attribute.
    
    The following three BPF snippets will trigger the bugs when attached to
    a UNIX datagram socket and parsing a message with length 1, 2 or 3.
    
     ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
     | ld   #0x87654321
     | ldx  #42
     | ld   #nla
     | ret  a
     `---
    
     ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
     | ld   #0x87654321
     | ldx  #42
     | ld   #nlan
     | ret  a
     `---
    
     ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
     | ; (needs a fake netlink header at offset 0)
     | ld   #0
     | ldx  #42
     | ld   #nlan
     | ret  a
     `---
    
    Fix the first issue by ensuring the message length fulfills the minimal
    size constrains of a nla header. Fix the second bug by getting the math
    for the remainder calculation right.
    
    Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
    Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/core/filter.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 397ff885e5d3da96d0f115caa9d4c697895b3281
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Mar 31 12:26:39 2014 +0200

    Upstream commit: 2fec6bb6f484b1a88b4a325724234d6cfd08c918
    
    netfilter: nf_tables: fix wrong format in request_module()
    
    The intended format in request_module is %.*s instead of %*.s.
    
    Reported-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_tables_api.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 4d8b1faffb7cfe526eb20b717cb0b6d59f348108
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Mar 24 15:10:37 2014 +0100

    Upstream commit: a9bdd8365684810e3de804f8c51e52c26a5eccbb
    
    netfilter: nf_tables: set names cannot be larger than 15 bytes
    
    Currently, nf_tables trims off the set name if it exceeeds 15
    bytes, so explicitly reject set names that are too large.
    
    Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_tables_api.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit a99a10ea229b7ae7f6af473949ff5138aef76209
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 11 17:33:00 2014 -0400

    Upstream commit: 5678de3f15010b9022ee45673f33bcfc71d47b60
    
    KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155)
    QE reported that they got the BUG_ON in ioapic_service to trigger.
    I cannot reproduce it, but there are two reasons why this could happen.
    
    The less likely but also easiest one, is when kvm_irq_delivery_to_apic
    does not deliver to any APIC and returns -1.
    
    Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that
    function is never reached.  However, you can target the similar loop in
    kvm_irq_delivery_to_apic_fast; just program a zero logical destination
    address into the IOAPIC, or an out-of-range physical destination address.
    
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 virt/kvm/ioapic.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7c522310c240fa3b1e671066def9fcab1f232f3b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Apr 8 12:23:09 2014 +0300

    Upstream commit: 7563487cbf865284dcd35e9ef5a95380da046737
    
    isdnloop: several buffer overflows
    
    There are three buffer overflows addressed in this patch.
    
    1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
    then copy it into a 60 character buffer.  I have made the destination
    buffer 64 characters and I'm changed the sprintf() to a snprintf().
    
    2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60
    character buffer so we have 54 characters.  The ->eazlist[] is 11
    characters long.  I have modified the code to return if the source
    buffer is too long.
    
    3) In isdnloop_command() the cbuf[] array was 60 characters long but the
    max length of the string then can be up to 79 characters.  I made the
    cbuf array 80 characters long and changed the sprintf() to snprintf().
    I also removed the temporary "dial" buffer and changed it to use "p"
    directly.
    
    Unfortunately, we pass the "cbuf" string from isdnloop_command() to
    isdnloop_writecmd() which truncates anything over 60 characters to make
    it fit in card->omsg[].  (It can accept values up to 255 characters so
    long as there is a '\n' character every 60 characters).  For now I have
    just fixed the memory corruption bug and left the other problems in this
    driver alone.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/isdnloop/isdnloop.c |   17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

commit 9b011cba3d245a48139ab05099e6a825956f8056
Author: Andrey Vagin <avagin@openvz.org>
Date:   Fri Mar 28 13:54:32 2014 +0400

    Upstream commit: 223b02d923ecd7c84cf9780bb3686f455d279279
    
    netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
    
    "len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
    case it can contain all extensions. Bellow you can find sizes for all
    types of extensions. Their sum is definitely bigger than 256.
    
    nf_ct_ext_types[0]->len = 24
    nf_ct_ext_types[1]->len = 32
    nf_ct_ext_types[2]->len = 24
    nf_ct_ext_types[3]->len = 32
    nf_ct_ext_types[4]->len = 152
    nf_ct_ext_types[5]->len = 2
    nf_ct_ext_types[6]->len = 16
    nf_ct_ext_types[7]->len = 8
    
    I have seen "len" up to 280 and my host has crashes w/o this patch.
    
    The right way to fix this problem is reducing the size of the ecache
    extension (4) and Florian is going to do this, but these changes will
    be quite large to be appropriate for a stable tree.
    
    Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/net/netfilter/nf_conntrack_extend.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c323aca3431ec956221a0333826a0aebcad6182c
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Wed Mar 26 13:24:37 2014 -0700

    Upstream commit: e911b8158ee1def8153849b1641b736026b036e0
    
    NFSv4: Fix a use-after-free problem in open()
    
    If we interrupt the nfs4_wait_for_completion_rpc_task() call in
    nfs4_run_open_task(), then we don't prevent the RPC call from
    completing. So freeing up the opendata->f_attr.mdsthreshold
    in the error path in _nfs4_do_open() leads to a use-after-free
    when the XDR decoder tries to decode the mdsthreshold information
    from the server.
    
    Fixes: 82be417aa37c0 (NFSv4.1 cache mdsthreshold values on OPEN)
    Tested-by: Steve Dickson <SteveD@redhat.com>
    Cc: stable@vger.kernel.org # 3.5+
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

 fs/nfs/nfs4proc.c |   19 ++++++++++---------
 1 files changed, 10 insertions(+), 9 deletions(-)

commit afbc7281d89c10419bcaf9cd8f2a34fa1f0dc74a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 11 16:57:17 2014 -0400

    Apply: https://lkml.org/lkml/2014/4/10/736
    
    PAX_REFCOUNT makes this unexploitable, turning it into a harmless memleak

 net/ipv4/ping.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 64688b956632b3165fd8aabb9b143f4d365ba382
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Sun Mar 16 15:31:54 2014 -0700

    Upstream commit: b3b42ac2cbae1f3cecbb6229964a4d48af31d382
    
    x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels
    
    The IRET instruction, when returning to a 16-bit segment, only
    restores the bottom 16 bits of the user space stack pointer.  We have
    a software workaround for that ("espfix") for the 32-bit kernel, but
    it relies on a nonzero stack segment base which is not available in
    32-bit mode.
    
    Since 16-bit support is somewhat crippled anyway on a 64-bit kernel
    (no V86 mode), and most (if not quite all) 64-bit processors support
    virtualization for the users who really need it, simply reject
    attempts at creating a 16-bit segment when running on top of a 64-bit
    kernel.
    
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org
    Cc: <stable@vger.kernel.org>
    
    Conflicts:
    
        arch/x86/kernel/ldt.c

 arch/x86/kernel/ldt.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit 027b8db0f3266f307c6324f52d19c9425e01a95b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 7 18:41:45 2014 -0400

    Update GRKERNSEC_IO documentation

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 4ffae780ca4045f1e00c3695a1c67fa7b83e842a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 18:59:00 2014 -0400

    add compiler.h to path.h

 include/linux/path.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 697d5a873545a0ee00e2bffbf74ba5faae55c286
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 18:37:18 2014 -0400

    fix typo

 security/tomoyo/tomoyo.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit d1a22c83e7a3175d894b8ceb0f01b77fe499db28
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:58:39 2014 -0400

    fix tomoyo compilation with RANDSTRUCT
    
    Conflicts:
    
        security/tomoyo/tomoyo.c

 security/tomoyo/tomoyo.c |   27 ++++++++++++++++-----------
 1 files changed, 16 insertions(+), 11 deletions(-)

commit 96785c664a95a149773214bed1d7463ffad0441f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:50:38 2014 -0400

    fix tomoyo compilation with RANDSTRUCT

 security/tomoyo/file.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 25475ea5ba7ec539347edb25d8d15eac6a9e65d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:43:47 2014 -0400

    Fix tomoyo compilation with RANDSTRUCT

 security/tomoyo/file.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit bd744926b9496053982db351f2b087725e931ce2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:23:09 2014 -0400

    fix apparmor compilation with RANDSTRUCT

 security/apparmor/file.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 6a70a4ca3f2f5b2f9f2f1c500a3b39813f980091
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:11:40 2014 -0400

    fix apparmor compilation with RANDSTRUCT

 security/apparmor/lsm.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 6d5c843ec117929962b0b5e36b6efe36d7008489
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 16:58:35 2014 -0400

    add __randomize_layout to more important structures
    
    Conflicts:
    
        include/linux/filter.h
        include/net/af_unix.h
        include/net/sock.h

 include/linux/binfmts.h    |    4 ++--
 include/linux/path.h       |    2 +-
 include/linux/security.h   |    2 +-
 include/linux/tty_driver.h |    2 +-
 include/net/af_unix.h      |    2 +-
 include/net/sock.h         |    4 ++--
 6 files changed, 8 insertions(+), 8 deletions(-)

commit 2d58b7af7d974cf11c9b6fcaafc098f68925b28d
Merge: f7886f6 fc6d889
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 09:10:40 2014 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        tools/gcc/Makefile

commit fc6d8892f8370cc6b246aab23dfe3ce472da9058
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 09:06:24 2014 -0400

    Update to pax-linux-3.13.9-test19.patch:
    - updated the hash database for external modules, by Emese
    - fixed regression in gcc plugin compilation when compiling with ccache, reported by ncopa
    - proper fix for 309944be296efbb3ca4737d12ef49d2ba97cbecc upstream
    - fixed plugin compilation under gcc 4.5, reported by Emese Revfy
    - Emese added support for out-of-tree modules for the size overflow plugin, fixes https://bugs.gentoo.org/show_bug.cgi?id=505594

 arch/x86/boot/compressed/misc.c                    |    7 +-
 drivers/md/persistent-data/dm-space-map-metadata.c |    4 +-
 scripts/gcc-plugin.sh                              |    4 +-
 tools/gcc/Makefile                                 |   12 ++-
 tools/gcc/gcc-common.h                             |    1 +
 tools/gcc/generate_size_overflow_hash.sh           |    5 +-
 tools/gcc/size_overflow_hash_aux.data              |   83 ++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                   |   25 ++++--
 8 files changed, 123 insertions(+), 18 deletions(-)

commit f7886f6633822747782b7206b371ea521eee3f0b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 08:34:08 2014 -0400

    This reverts commit 31dee23268ac47eaaafacb186229bc14fb84fa9b.

 net/socket.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 0f1d45357477cb7658e7dc361c7ac67678d7a9b9
Merge: ca30500 6bf7e1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 5 18:09:10 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit 6bf7e1df5475a7244d717546bd5c0569acdf8215
Merge: 20f0a08 bf061ff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 5 18:08:56 2014 -0400

    Merge branch 'linux-3.13.y' into pax-test

commit ca305006c767819ee7924d7ea952a8f9c817d2a7
Author: Pablo Neira <pablo@netfilter.org>
Date:   Tue Apr 1 19:38:44 2014 +0200

    Upstream commit: 8b7b932434f5eee495b91a2804f5b64ebb2bc835
    
    netlink: don't compare the nul-termination in nla_strcmp
    
    nla_strcmp compares the string length plus one, so it's implicitly
    including the nul-termination in the comparison.
    
     int nla_strcmp(const struct nlattr *nla, const char *str)
     {
            int len = strlen(str) + 1;
            ...
                    d = memcmp(nla_data(nla), str, len);
    
    However, if NLA_STRING is used, userspace can send us a string without
    the nul-termination. This is a problem since the string
    comparison will not match as the last byte may be not the
    nul-termination.
    
    Fix this by skipping the comparison of the nul-termination if the
    attribute data is nul-terminated. Suggested by Thomas Graf.
    
    Cc: Florian Westphal <fw@strlen.de>
    Cc: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 lib/nlattr.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 4676a42ce0a63b9713d315c715d6f863d6388bf2
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Wed Apr 2 17:45:05 2014 +0200

    Upstream commit: d23082257d83e4bc89727d5aedee197e907999d2
    
    pid_namespace: pidns_get() should check task_active_pid_ns() != NULL
    
    pidns_get()->get_pid_ns() can hit ns == NULL. This task_struct can't
    go away, but task_active_pid_ns(task) is NULL if release_task(task)
    was already called. Alternatively we could change get_pid_ns(ns) to
    check ns != NULL, but it seems that other callers are fine.
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Cc: Eric W. Biederman ebiederm@xmission.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/pid_namespace.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit b2c5c8d231e1749fe42698c6be31a49b46b8eb7e
Author: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
Date:   Wed Apr 2 12:48:42 2014 +0900

    Upstream commit: 77bc6bed7121936bb2e019a8c336075f4c8eef62
    
    isdnloop: Validate NUL-terminated strings from user.
    
    Return -EINVAL unless all of user-given strings are correctly
    NUL-terminated.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/isdnloop/isdnloop.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit abceea2065cb053917751b02a02e87134d5af5b0
Author: Wei Liu <wei.liu2@citrix.com>
Date:   Tue Apr 1 12:46:12 2014 +0100

    Upstream commit: e9d8b2c2968499c1f96563e6522c56958d5a1d0d
    
    xen-netback: disable rogue vif in kthread context
    
    When netback discovers frontend is sending malformed packet it will
    disables the interface which serves that frontend.
    
    However disabling a network interface involving taking a mutex which
    cannot be done in softirq context, so we need to defer this process to
    kthread context.
    
    This patch does the following:
    1. introduce a flag to indicate the interface is disabled.
    2. check that flag in TX path, don't do any work if it's true.
    3. check that flag in RX path, turn off that interface if it's true.
    
    The reason to disable it in RX path is because RX uses kthread. After
    this change the behavior of netback is still consistent -- it won't do
    any TX work for a rogue frontend, and the interface will be eventually
    turned off.
    
    Also change a "continue" to "break" after xenvif_fatal_tx_err, as it
    doesn't make sense to continue processing packets if frontend is rogue.
    
    This is a fix for XSA-90.
    
    Reported-by: Török Edwin <edwin@etorok.net>
    Signed-off-by: Wei Liu <wei.liu2@citrix.com>
    Cc: Ian Campbell <ian.campbell@citrix.com>
    Reviewed-by: David Vrabel <david.vrabel@citrix.com>
    Acked-by: Ian Campbell <ian.campbell@citrix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/xen-netback/common.h    |    5 +++++
 drivers/net/xen-netback/interface.c |   11 +++++++++++
 drivers/net/xen-netback/netback.c   |   16 ++++++++++++++--
 3 files changed, 30 insertions(+), 2 deletions(-)

commit ff438506da3cf85c07f3f3c80429f87138502d82
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 11:34:13 2014 -0400

    revert last change

 net/core/filter.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit aed17226225c496cea10f90db89cb5f505ce5c3a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 10:38:55 2014 -0400

    harden non-JIT socket filters against memory corruption occuring after
    check time

 net/core/filter.c |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

commit 8153c4335a8c655d0dc51fb547bf257339faabe3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 11:01:13 2014 -0400

    add additional checking, convert WARN to a BUG since we should be able to filter
    out any invalid ops at filter install time -- finding them during runtime is
    a sign of memory corruption
    
    Conflicts:
    
        net/core/filter.c

 net/core/filter.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit cf4164083c37d1f301ab28f5cf102b875c6a3057
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 07:39:34 2014 -0400

    Update documentation on chroot to notify users that chrooting to
    a bind mount of the root filesystem provides no security benefits
    and will not trigger the chroot protections.

 grsecurity/Kconfig |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 809c33c81db39b5e0a2f8b8953f156d3ae2bc9d4
Merge: b224936 20f0a08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 1 18:41:17 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit 20f0a08510a47d6d31c29da6ff3bd093a62cfdd1
Merge: 6b71ad0 5366635
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 1 18:41:02 2014 -0400

    Merge branch 'linux-3.13.y' into pax-test

commit b224936088e49229a37e4a3b17567598161bb1c0
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Fri Mar 28 17:38:42 2014 +0100

    Upstream commit: 05efa8c943b1d5d90fa8c8147571837573338bb6
    
    random32: avoid attempt to late reseed if in the middle of seeding
    
    Commit 4af712e8df ("random32: add prandom_reseed_late() and call when
    nonblocking pool becomes initialized") has added a late reseed stage
    that happens as soon as the nonblocking pool is marked as initialized.
    
    This fails in the case that the nonblocking pool gets initialized
    during __prandom_reseed()'s call to get_random_bytes(). In that case
    we'd double back into __prandom_reseed() in an attempt to do a late
    reseed - deadlocking on 'lock' early on in the boot process.
    
    Instead, just avoid even waiting to do a reseed if a reseed is already
    occuring.
    
    Fixes: 4af712e8df99 ("random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized")
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 lib/random32.c |   13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

commit 9aa441e0e5aa2480ca073e33fcf6a9f5cdaabc81
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Thu Mar 27 12:00:26 2014 +0200

    Upstream commit: d8316f3991d207fe32881a9ac20241be8fa2bad0
    
    vhost: fix total length when packets are too short
    
    When mergeable buffers are disabled, and the
    incoming packet is too large for the rx buffer,
    get_rx_bufs returns success.
    
    This was intentional in order for make recvmsg
    truncate the packet and then handle_rx would
    detect err != sock_len and drop it.
    
    Unfortunately we pass the original sock_len to
    recvmsg - which means we use parts of iov not fully
    validated.
    
    Fix this up by detecting this overrun and doing packet drop
    immediately.
    
    CVE-2014-0077
    
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/vhost/net.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit 43ee74030403a780a1e9418ab825f4d675ccdb47
Merge: 9987cd5 6b71ad0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 13:28:35 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit 6b71ad024068595a2e4caa3393fbb4d531197e27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 13:27:44 2014 -0400

    Update to pax-linux-3.13.7-test17.patch:
    - fixed a regression in the previous latent entropy plugin change, reported by spender
    - fixed a regression in gcc-plugin.sh that could make cross-compilation fail, reported by Aniem
    - hardened the hyper-v hypercall page access rights (rwx -> r-x), reported and tested by Hunger

 drivers/hv/hv.c                   |    2 +-
 scripts/gcc-plugin.sh             |    4 ++--
 tools/gcc/latent_entropy_plugin.c |    6 +++++-
 3 files changed, 8 insertions(+), 4 deletions(-)

commit 9987cd5663f69ecc4d8bdfe80e46775ec081512c
Author: Wei Liu <wei.liu2@citrix.com>
Date:   Sat Mar 15 16:11:47 2014 +0000

    Upstream commit: 09ed3d5ba06137913960f9c9385f71fc384193ab
    
    xen/balloon: flush persistent kmaps in correct position
    
    Xen balloon driver will update ballooned out pages' P2M entries to point
    to scratch page for PV guests. In 24f69373e2 ("xen/balloon: don't alloc
    page while non-preemptible", kmap_flush_unused was moved after updating
    P2M table. In that case for 32 bit PV guest we might end up with
    
      P2M    X -----> S  (S is mfn of balloon scratch page)
      M2P    Y -----> X  (Y is mfn in persistent kmap entry)
    
    kmap_flush_unused() iterates through all the PTEs in the kmap address
    space, using pte_to_page() to obtain the page. If the p2m and the m2p
    are inconsistent the incorrect page is returned.  This will clear
    page->address on the wrong page which may cause subsequent oopses if
    that page is currently kmap'ed.
    
    Move the flush back between get_page and __set_phys_to_machine to fix
    this.
    
    Signed-off-by: Wei Liu <wei.liu2@citrix.com>
    Signed-off-by: David Vrabel <david.vrabel@citrix.com>
    Cc: stable@vger.kernel.org # 3.12+

 drivers/xen/balloon.c |   24 ++++++++++++++++++------
 1 files changed, 18 insertions(+), 6 deletions(-)

commit f6481e295cb69c34218b694ba5fca6315cc90b71
Author: David Vrabel <david.vrabel@citrix.com>
Date:   Tue Mar 25 10:38:37 2014 +0000

    Upstream commit: 5926f87fdaad4be3ed10cec563bf357915e55a86
    
    Revert "xen: properly account for _PAGE_NUMA during xen pte translations"
    
    This reverts commit a9c8e4beeeb64c22b84c803747487857fe424b68.
    
    PTEs in Xen PV guests must contain machine addresses if _PAGE_PRESENT
    is set and pseudo-physical addresses is _PAGE_PRESENT is clear.
    
    This is because during a domain save/restore (migration) the page
    table entries are "canonicalised" and uncanonicalised". i.e., MFNs are
    converted to PFNs during domain save so that on a restore the page
    table entries may be rewritten with the new MFNs on the destination.
    This canonicalisation is only done for PTEs that are present.
    
    This change resulted in writing PTEs with MFNs if _PAGE_PROTNONE (or
    _PAGE_NUMA) was set but _PAGE_PRESENT was clear.  These PTEs would be
    migrated as-is which would result in unexpected behaviour in the
    destination domain.  Either a) the MFN would be translated to the
    wrong PFN/page; b) setting the _PAGE_PRESENT bit would clear the PTE
    because the MFN is no longer owned by the domain; or c) the present
    bit would not get set.
    
    Symptoms include "Bad page" reports when munmapping after migrating a
    domain.
    
    Signed-off-by: David Vrabel <david.vrabel@citrix.com>
    Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: <stable@vger.kernel.org>        [3.12+]

 arch/x86/include/asm/pgtable.h |   14 ++------------
 arch/x86/xen/mmu.c             |    4 ++--
 2 files changed, 4 insertions(+), 14 deletions(-)

commit 29e56c3fdd2ff43c43f31e74bccc164c38ec96b2
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Wed Mar 26 20:10:09 2014 +0100

    Upstream commit: 8ee661b505613ef2747b350ca2871a31b3781bee
    
    drm/i915: Undo gtt scratch pte unmapping again
    
    It apparently blows up on some machines. This functionally reverts
    
    commit 828c79087cec61eaf4c76bb32c222fbe35ac3930
    Author: Ben Widawsky <benjamin.widawsky@intel.com>
    Date:   Wed Oct 16 09:21:30 2013 -0700
    
        drm/i915: Disable GGTT PTEs on GEN6+ suspend
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=64841
    Reported-and-Tested-by: Brad  Jackson <bjackson0971@gmail.com>
    Cc: stable@vger.kernel.org
    Cc: Takashi Iwai <tiwai@suse.de>
    Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
    Cc: Todd Previte <tprevite@gmail.com>
    Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

 drivers/gpu/drm/i915/i915_gem_gtt.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f5fd5843a87569cfd8de8e8843ccb13e9e35afd5
Author: Jan Kara <jack@suse.cz>
Date:   Wed Mar 26 06:20:14 2014 +0100

    Upstream commit: 75c5a52da3fc2a06abb6c6192bdf5d680e56d37d
    
    vfs: Allocate anon_inode_inode in anon_inode_init()
    
    Currently we allocated anon_inode_inode in anon_inodefs_mount. This is
    somewhat fragile as if that function ever gets called again, it will
    overwrite anon_inode_inode pointer. So move the initialization of
    anon_inode_inode to anon_inode_init().
    
    Signed-off-by: Jan Kara <jack@suse.cz>
    [ Further simplified on suggestion from Dave Jones ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/anon_inodes.c |   30 ++++++++----------------------
 1 files changed, 8 insertions(+), 22 deletions(-)

commit da2cc3c610141a5f41bd382b5ee7729893e3db12
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 21:54:11 2014 -0400

    ignore noreturn functions for now in the latent_entropy plugin

 tools/gcc/latent_entropy_plugin.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 0d1e588588bc19f449d667b69ac76bad0584752d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 21:27:56 2014 -0400

    update config help for GRKERNSEC_KMEM to reflect recent change to only deny writes to /dev/cpu/*/msr instead of denying access entirely, allows powertop etc to continue to work while denying/logging the malicious activity

 grsecurity/Kconfig |   12 +++++-------
 1 files changed, 5 insertions(+), 7 deletions(-)

commit 4ad2f9fd7429c81e3b2115227685af06830d05c4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 21:24:58 2014 -0400

    Revert "Upstream commit: 2c4a33aba5f9ea3a28f2e40351f078d95f00786b"
    
    This reverts commit b6ab67fc7a47b542601dd116f934d255c9c2c372.

 kernel/trace/trace.c |   27 ++-------------------------
 1 files changed, 2 insertions(+), 25 deletions(-)

commit 1a70975ec716c68b37758fbba95ab9b7b6165c8a
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue Mar 25 17:43:34 2014 -0700

    Upstream commit: fce7fc79c8f7188dfc5eafa1b937bcc3c5a4c2f5
    
    fs: remove now stale label in anon_inode_init()
    
    The previous commit removed the register_filesystem() call and the
    associated error handling, but left the label for the error path that no
    longer exists.  Remove that too.
    
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/anon_inodes.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 6c1ec97bac84bc22b1a37008193643b9bcab1a46
Author: Jan Kara <jack@suse.cz>
Date:   Tue Mar 25 21:37:09 2014 +0100

    Upstream commit: d6f2589ad561aa5fa39f347eca6942668b7560a1
    
    fs: Avoid userspace mounting anon_inodefs filesystem
    
    anon_inodefs filesystem is a kernel internal filesystem userspace
    shouldn't mess with. Remove registration of it so userspace cannot
    even try to mount it (which would fail anyway because the filesystem is
    MS_NOUSER).
    
    This fixes an oops triggered by trinity when it tried mounting
    anon_inodefs which overwrote anon_inode_inode pointer while other CPU
    has been in anon_inode_getfile() between ihold() and d_instantiate().
    Thus effectively creating dentry pointing to an inode without holding a
    reference to it.
    
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/anon_inodes.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 1e03cd2f178d167cc13e29836c1cb040aeea8d0f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Mar 23 00:28:40 2014 -0400

    Upstream commit: e825196d48d2b89a6ec3a8eff280098d2a78207e
    
    make prepend_name() work correctly when called with negative *buflen
    
    In all callchains leading to prepend_name(), the value left in *buflen
    is eventually discarded unused if prepend_name() has returned a negative.
    So we are free to do what prepend() does, and subtract from *buflen
    *before* checking for underflow (which turns into checking the sign
    of subtraction result, of course).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/dcache.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 8c174b004c6eed3d46e9888385207f454599aa23
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Mar 20 15:18:22 2014 -0400

    Upstream commit: b37199e626b31e1175fb06764c5d1d687723aac2
    
    rcuwalk: recheck mount_lock after mountpoint crossing attempts
    
    We can get false negative from __lookup_mnt() if an unrelated vfsmount
    gets moved.  In that case legitimize_mnt() is guaranteed to fail,
    and we will fall back to non-RCU walk... unless we end up running
    into a hard error on a filesystem object we wouldn't have reached
    if not for that false negative.  IOW, delaying that check until
    the end of pathname resolution is wrong - we should recheck right
    after we attempt to cross the mountpoint.  We don't need to recheck
    unless we see d_mountpoint() being true - in that case even if
    we have just raced with mount/umount, we can simply go on as if
    we'd come at the moment when the sucker wasn't a mountpoint; if we
    run into a hard error as the result, it was a legitimate outcome.
    __lookup_mnt() returning NULL is different in that respect, since
    it might've happened due to operation on completely unrelated
    mountpoint.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namei.c |   29 +++++++++++++----------------
 1 files changed, 13 insertions(+), 16 deletions(-)

commit b6ab67fc7a47b542601dd116f934d255c9c2c372
Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
Date:   Tue Mar 25 23:39:41 2014 -0400

    Upstream commit: 2c4a33aba5f9ea3a28f2e40351f078d95f00786b
    
    tracing: Fix traceon trigger condition to actually turn tracing on
    
    While working on my tutorial for 2014 Linux Collaboration Summit
    I found that the traceon trigger did not work when conditions were
    used. The other triggers worked fine though. Looking into it, it
    is because of the way the triggers use the ring buffer to store
    the fields it will use for the condition. But if tracing is off, nothing
    is stored in the buffer, and the tracepoint exits before calling the
    trigger to test the condition. This is fine for all the triggers that
    only work when tracing is on, but for traceon trigger that is to
    work when tracing is off, nothing happens.
    
    The fix is simple, just use a temp ring buffer to record the event
    if tracing is off and the event has a trace event conditional trigger
    enabled. The rest of the tracepoint code will work just fine, but
    the tracepoint wont be recorded in the other buffers.
    
    Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/trace.c |   27 +++++++++++++++++++++++++--
 1 files changed, 25 insertions(+), 2 deletions(-)

commit 3b8aebe0c4cffda5d5bfc738e7a02fd320184b06
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Mar 25 18:42:27 2014 -0700

    Upstream commit: de1443916791d75fdd26becb116898277bb0273f
    
    net: unix: non blocking recvmsg() should not return -EINTR
    
    Some applications didn't expect recvmsg() on a non blocking socket
    could return -EINTR. This possibility was added as a side effect
    of commit b3ca9b02b00704 ("net: fix multithreaded signal handling in
    unix recv routines").
    
    To hit this bug, you need to be a bit unlucky, as the u->readlock
    mutex is usually held for very small periods.
    
    Fixes: b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

commit 1bb09af0e99a5b3f3006e4fedf9bba1c3ed3d9d4
Merge: 5473ce5 0a11cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 20:00:42 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit 0a11cb57b4afce8c08851aef512f873bdb3d9943
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 20:00:02 2014 -0400

    Update to pax-linux-3.13.7-test16.patch:
    - updated the size overflow hast table, by spender
    - fixed the gcc plugin capability detector script for gcc 4.9
    - fixed the latent entropy plugin to use the intended successor blocks instead of what happens to be next in the block list
    - changed the initial task's and the idle tasks' starting stack address to be consistent with the other stacks (top 2 slots are unused)
    - removed the pointless retaddr instrumentation from the low level kernel relocator code

 arch/x86/kernel/head_64.S            |    2 +-
 arch/x86/kernel/relocate_kernel_64.S |    2 --
 arch/x86/kernel/smpboot.c            |    2 +-
 scripts/gcc-plugin.sh                |   17 ++++++++---------
 tools/gcc/latent_entropy_plugin.c    |   10 ++++++----
 tools/gcc/size_overflow_hash.data    |    6 ++++++
 6 files changed, 22 insertions(+), 17 deletions(-)

commit 5473ce509ab763c927aa2639f7db8aee384d3693
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Mar 19 21:02:21 2014 -0700

    Upstream commit: 632623153196bf183a69686ed9c07eee98ff1bf8
    
    tcp: syncookies: do not use getnstimeofday()
    
    While it is true that getnstimeofday() uses about 40 cycles if TSC
    is available, it can use 1600 cycles if hpet is the clocksource.
    
    Switch to get_jiffies_64(), as this is more than enough, and
    go back to 60 seconds periods.
    
    Fixes: 8c27bd75f04f ("tcp: syncookies: reduce cookie lifetime to 128 seconds")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Florian Westphal <fw@strlen.de>
    Acked-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/tcp.h |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 580a16424470410a1655dd62f71847725a89e1f0
Author: Dave Kleikamp <dave.kleikamp@oracle.com>
Date:   Fri Mar 14 10:42:01 2014 -0500

    Upstream commit: 1535bd8adbdedd60a0ee62e28fd5225d66434371
    
    sparc64: don't treat 64-bit syscall return codes as 32-bit
    
    When checking a system call return code for an error,
    linux_sparc_syscall was sign-extending the lower 32-bit value and
    comparing it to -ERESTART_RESTARTBLOCK. lseek can return valid return
    codes whose lower 32-bits alone would indicate a failure (such as 4G-1).
    Use the whole 64-bit value to check for errors. Only the 32-bit path
    should sign extend the lower 32-bit value.
    
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Acked-by: Bob Picco <bob.picco@oracle.com>
    Acked-by: Allen Pais <allen.pais@oracle.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: sparclinux@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/syscalls.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 29127b7a71024630e40d98ec08c77e3feb584e7e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 25 17:07:59 2014 -0400

    update size_overflow hash table

 tools/gcc/size_overflow_hash.data |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit d42eece8853149008b9645106936f9cd4ddb38bc
Merge: df4b222 cb629d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 24 19:07:49 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit cb629d4458d7491cc16580860c234f85c463111d
Merge: 3afa257 896c694
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 24 19:07:30 2014 -0400

    Merge branch 'linux-3.13.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/head_32.S
        drivers/cpufreq/intel_pstate.c

commit df4b2229045f125eaa91dd2a696e56c589f8c962
Merge: e440e3a 3afa257
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 24 18:55:45 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit 3afa2576ef64a8266c5a2f142e3cb3c970f21d3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 24 18:54:38 2014 -0400

    Update to pax-linux-3.13.7-test15.patch:
    - fixed several compilation problems on arm all*configs, by spender
    - small update to gcc-common.h
    - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only)

 Makefile                           |    2 +-
 arch/arm/include/asm/uaccess.h     |    1 +
 arch/ia64/include/asm/uaccess.h    |    1 +
 arch/powerpc/include/asm/uaccess.h |    1 +
 arch/powerpc/mm/mmap.c             |    6 +++---
 arch/s390/include/asm/uaccess.h    |    1 +
 arch/x86/include/asm/uaccess.h     |    2 +-
 arch/x86/include/asm/uaccess_64.h  |   12 ++++++------
 8 files changed, 15 insertions(+), 11 deletions(-)

commit e440e3aa4b4662f8d811120a87f51d8ab48d9c90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 23:16:11 2014 -0400

    convert hvc tty driver to proper refcounted atomics on port.count, fixes ppc64 allyesconfig compilation

 drivers/tty/hvc/hvsi.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit 013c6d73e4a4ae358ee180b40428f3dd04dd3aa8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 22:53:31 2014 -0400

    add local_unchecked_t accessors to fix ppc64 compilation

 arch/powerpc/include/asm/local.h |   15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)

commit 1cffa7895513b754c95673b12a8c638797e5b7e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 22:25:47 2014 -0400

    add access_ok_noprefault macro to fix ppc64+kvm compilation, patch
    from pipacs

 arch/arm/include/asm/uaccess.h     |    1 +
 arch/arm64/include/asm/uaccess.h   |    1 +
 arch/ia64/include/asm/uaccess.h    |    1 +
 arch/mips/include/asm/uaccess.h    |    1 +
 arch/powerpc/include/asm/uaccess.h |    1 +
 arch/s390/include/asm/uaccess.h    |    1 +
 arch/x86/include/asm/uaccess.h     |    2 +-
 arch/x86/include/asm/uaccess_64.h  |   12 ++++++------
 arch/x86/mm/gup.c                  |    4 ++--
 virt/kvm/kvm_main.c                |    2 +-
 10 files changed, 16 insertions(+), 10 deletions(-)

commit 58bdcb9b494eb7ab916ead7944e444d0a6af5002
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:53:32 2014 -0400

    correct function definition for kvm_arch_init() to fix compilation on ppc64

 arch/powerpc/kvm/powerpc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e3eb6820bfec5b4a4bfbb0056c057d50b8df4997
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:47:35 2014 -0400

    fix ppc64 allyesconfig compilation with RANDSTRUCT

 arch/powerpc/platforms/cell/celleb_scc_pciex.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit fb017032977cb38d750fe9b9a11d22fc565e576f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:36:39 2014 -0400

    use $(LATENT_ENTROPY_PLUGIN_CFLAGS)

 arch/powerpc/kernel/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e795367c8c4d750c3900f6546365ca27b9a8aad5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:24:01 2014 -0400

    move REMOVE_CFLAGS

 arch/powerpc/kernel/Makefile |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f80a67cf62542dbab790fcad2395c00e6534c26d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 20:30:35 2014 -0400

    fix compilation by removing the latent entropy plugin from prom_init.c -- there's
    a script for ppc64 that checks the object file for a whitelisted set of
    exported symbols, code is very fragile

 arch/powerpc/kernel/Makefile |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit cafe563e6cc19e3510c2f341c12440fdbd77a2aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 20:28:07 2014 -0400

    export LATENT_ENTROPY_PLUGIN_CFLAGS so we can remove it from prom_init.c on ppc64

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 90330189b37110d8343edd37147bb5c666feede4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 20:24:53 2014 -0400

    fix ppc64 compilation, pass mm_struct through from arch_pick_mmap_layout

 arch/powerpc/mm/mmap.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 765a84b5300316d57eb9b82f7d941750d9ddf9ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 21:53:12 2014 -0400

    add ktla_ktva/ktva_ktla to sparc to fix compilation

 arch/sparc/include/asm/pgtable.h |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 896004e18909d7de9ffe295180e12c275a623990
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 21:32:20 2014 -0400

    remove __read_mostly on ip_vs_genl_ops[], it's const so the attribute is bogus and causes compilation failure on MIPS

 net/netfilter/ipvs/ip_vs_ctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 143dcb4ff8b259163f978c468663dcaebfe573b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 21:18:46 2014 -0400

    Include second patch needed for compilation, not yet included by
    upstream (so MIPS compilation is broken there):
    http://patchwork.linux-mips.org/patch/6585/

 arch/mips/include/asm/ftrace.h |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

commit b464eb7ac1132953ab99ff25826478e32690844f
Author: Markos Chandras <markos.chandras@imgtec.com>
Date:   Wed Jan 22 14:39:57 2014 +0000

    Upstream commit: a8031d2ce15bdb90baeae02d7a231ccece73da8b
    
    MIPS: asm: syscall: Fix copying system call arguments
    
    The syscall_get_arguments function expects the arguments to be copied
    to the '*args' argument but instead a local variable was used to hold
    the system call argument. As a result of which, this variable was
    never passed to the filter and any filter testing the system call
    arguments would fail. This is fixed by passing the '*args' variable
    as the destination memory for the system call arguments.
    
    Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
    Reviewed-by: Paul Burton <paul.burton@imgtec.com>
    Reviewed-by: James Hogan <james.hogan@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/6402/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

 arch/mips/include/asm/syscall.h |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit b8f9d6f82e2fb814be37391109623d79e297571d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 21:01:40 2014 -0400

    add ktla_ktva/ktva_ktla macros to MIPS

 arch/mips/include/asm/pgtable.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit f0f660649f3b2cf1d448940ca8b7f4ab4249d8ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 20:46:38 2014 -0400

    include linux/prefetch.h to fix mips compilation

 grsecurity/gracl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 514ec7617daa1a925a0ec0fa910335396213ef45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 20:45:59 2014 -0400

    Revert "fix compiler warning in hugetlbfs code"
    
    This reverts commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0.

 fs/hugetlbfs/inode.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6da49b57e2795853a453f596e0b874aece27aa4b
Author: Viller Hsiao <villerhsiao@gmail.com>
Date:   Sat Feb 22 15:46:49 2014 +0800

    Upstream commit: a4671094227d11985c06ee1178d7205c5fd39f8a
    
    MIPS: ftrace: Fix icache flush range error
    
    In 32-bit mode, the start address passed to flush_icache_range is
    shifted by 4 bytes before the second safe_store_code() call.
    
    This causes system crash from time to time because the first 4 bytes
    might not be flushed properly. This bug exists since linux-3.8.
    
    Also remove obsoleted comment while at it.
    
    Signed-off-by: Viller Hsiao <villerhsiao@gmail.com>
    Cc: linux-mips@linux-mips.org
    Cc: rostedt@goodmis.org
    Cc: fweisbec@gmail.com
    Cc: mingo@redhat.com
    Cc: Qais.Yousef@imgtec.com
    Patchwork: https://patchwork.linux-mips.org/patch/6586/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

 arch/mips/kernel/ftrace.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 624ddea7bbda3535b7c9a779b6ff149e93863321
Author: Lars Persson <lars.persson@axis.com>
Date:   Mon Mar 17 12:14:13 2014 +0100

    Upstream commit: 86ca57b5a5525dbf89fc2a3285781fae807276b0
    
    MIPS: Fix syscall tracing interface
    
    Fix pointer computation for stack-based arguments.
    
    Signed-off-by: Lars Persson <larper@axis.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/6620/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

 arch/mips/include/asm/syscall.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7bf3daf307906cd7d03cb6eb64559ee98cdf3182
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 20:28:16 2014 -0400

    fix octeon compilation, add __maybe_unused to usp local var

 arch/mips/include/asm/syscall.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 19:46:52 2014 -0400

    fix compiler warning in hugetlbfs code

 fs/hugetlbfs/inode.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 43783f55374fe9bafc064ceacf915920ca45a6c5
Merge: e018f0a aae8b87
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 19:51:01 2014 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/gpio/gpio-rcar.c

commit aae8b8720beec7c79d17ddd4f7d55bac0e83d5c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 19:48:43 2014 -0400

    Update to pax-linux-3.13.6-test14.patch:
    - fixed several compilation problems on arm all*configs, by spender
    - small update to gcc-common.h
    - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only)

 arch/arm/include/asm/page.h            |    1 +
 drivers/base/power/domain.c            |    4 +-
 drivers/gpio/gpio-em.c                 |    2 +-
 drivers/gpio/gpio-rcar.c               |    2 +-
 drivers/mfd/ab8500-debugfs.c           |    2 +-
 drivers/net/can/Kconfig                |    2 +-
 drivers/staging/imx-drm/imx-drm-core.c |    6 +-
 include/linux/pm_domain.h              |    2 +-
 tools/gcc/gcc-common.h                 |   12 +++
 tools/gcc/size_overflow_plugin.c       |  116 +++++++++++++++++++++++---------
 10 files changed, 106 insertions(+), 43 deletions(-)

commit e018f0a38370496abe4289911eb67f1816cdc65d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 19:12:04 2014 -0400

    move the location of the include to suit pipacs' OCD

 arch/arm/include/asm/page.h |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit bb6742b0e35d1ee42ec643ea921a340d672ec3bc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 18:01:11 2014 -0400

    revert lustre change, we'll include compiler.h from asm/page.h instead

 .../lustre/include/linux/lnet/linux/lib-lnet.h     |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit a39c965db54a571780b9844d93cfec71265b2c5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 18:00:13 2014 -0400

    fix ARM compilation with constify plugin

 arch/arm/include/asm/page.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 721fb83dc182e1442311b8ca3a986963f9cf2b76
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 17:18:04 2014 -0400

    move header ordering

 .../lustre/include/linux/lnet/linux/lib-lnet.h     |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 985afa44870e690fce35adf47979a99855db3323
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 17:02:24 2014 -0400

    compile fix for lustre on ARM with constify plugin

 .../lustre/include/linux/lnet/linux/lib-lnet.h     |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e5c4fe3e8fb7e1a64f1ab29887b7f787cc989c24
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 16:04:34 2014 -0400

    fix compiler error caused by constify plugin on ARM

 drivers/mfd/ab8500-debugfs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b6e2f644cf05a858d3988fb9bb8a8ca6c0beeff4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 15:46:53 2014 -0400

    fix more compile errors caused by RANDSTRUCT and constify plugins on ARM

 drivers/base/power/domain.c |    4 ++--
 include/linux/pm_domain.h   |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 2d33f0f25f7ee45412728f8bad6ef97b5bf40a66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 15:34:17 2014 -0400

    fix another compile error caused by constify plugin on ARM

 drivers/gpio/gpio-rcar.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 05b33c660567d4dc74ebcd06e996bf0656146757
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 15:08:49 2014 -0400

    fix compile error caused by constify plugin on ARM

 drivers/gpio/gpio-em.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b9c8e0a83ba19e0228317675ffb4e1c1fb175b31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 16 21:17:20 2014 -0400

    fix allyesconfig compilation with PAX_REFCOUNT

 drivers/staging/imx-drm/imx-drm-core.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b855bafd2e8d4b50c13586e5a00905fb9c03ed5a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 16 21:04:10 2014 -0400

    fix arm allmodconfig

 drivers/net/can/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 611bf735a4def802205cc83a131ec9c77c194662
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 14 20:12:02 2014 -0400

    add /usr/share/apport/apport to the allowed userland exec paths --
    because apparently some distros have no problem just throwing
    critical binaries around anywhere.

 kernel/kmod.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 51692fc9a6be048dd0500f78f97aed4db87bc359
Merge: 54fa0d5 7fcc1d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 14 20:09:56 2014 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/mips/mm/mmap.c

commit 7fcc1d01537c3e4d4cb3494b4e19890864473376
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 14 20:08:19 2014 -0400

    Update to pax-linux-3.13.6-test13.patch:
    - fixed a few compilation errors on MIPS, by Hinnerk van Bruinehsen <h.v.bruinehsen@fu-berlin.de>

 arch/arm/include/asm/proc-fns.h      |    2 +-
 arch/arm/kernel/setup.c              |    4 ++--
 arch/arm/mm/mmu.c                    |    2 +-
 arch/mips/cavium-octeon/dma-octeon.c |    2 +-
 arch/mips/include/asm/hw_irq.h       |    2 +-
 arch/mips/kernel/i8259.c             |    2 +-
 arch/mips/kernel/irq-gt641xx.c       |    2 +-
 arch/mips/kernel/reset.c             |    4 ++++
 arch/mips/mm/mmap.c                  |    2 +-
 arch/mips/pci/pci-octeon.c           |    4 ++--
 arch/mips/pci/pcie-octeon.c          |   12 ++++++------
 arch/mips/sni/rm200.c                |    2 +-
 arch/mips/vr41xx/common/icu.c        |    2 +-
 arch/mips/vr41xx/common/irq.c        |    4 ++--
 arch/x86/kernel/cpu/common.c         |    2 +-
 drivers/staging/octeon/ethernet-rx.c |    2 +-
 ipc/mq_sysctl.c                      |    2 +-
 kernel/panic.c                       |    2 +-
 18 files changed, 29 insertions(+), 25 deletions(-)

commit 54fa0d51929173d4eb6c060ea966ec5abe32faaf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 12 22:54:32 2014 -0400

    add support for PAX_EMUTRAMP by default in the autoconfig

 security/Kconfig |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 1a3518d87b5faa66b5684569bfe84024edc955ce
Author: Laura Abbott <lauraa@codeaurora.org>
Date:   Mon Mar 10 15:49:44 2014 -0700

    Upstream commit: 2af120bc040c5ebcda156df6be6a66610ab6957f
    
    mm/compaction: break out of loop on !PageBuddy in isolate_freepages_block
    
    We received several reports of bad page state when freeing CMA pages
    previously allocated with alloc_contig_range:
    
        BUG: Bad page state in process Binder_A  pfn:63202
        page:d21130b0 count:0 mapcount:1 mapping:  (null) index:0x7dfbf
        page flags: 0x40080068(uptodate|lru|active|swapbacked)
    
    Based on the page state, it looks like the page was still in use.  The
    page flags do not make sense for the use case though.  Further debugging
    showed that despite alloc_contig_range returning success, at least one
    page in the range still remained in the buddy allocator.
    
    There is an issue with isolate_freepages_block.  In strict mode (which
    CMA uses), if any pages in the range cannot be isolated,
    isolate_freepages_block should return failure 0.  The current check
    keeps track of the total number of isolated pages and compares against
    the size of the range:
    
            if (strict && nr_strict_required > total_isolated)
                    total_isolated = 0;
    
    After taking the zone lock, if one of the pages in the range is not in
    the buddy allocator, we continue through the loop and do not increment
    total_isolated.  If in the last iteration of the loop we isolate more
    than one page (e.g.  last page needed is a higher order page), the check
    for total_isolated may pass and we fail to detect that a page was
    skipped.  The fix is to bail out if the loop immediately if we are in
    strict mode.  There's no benfit to continuing anyway since we need all
    pages to be isolated.  Additionally, drop the error checking based on
    nr_strict_required and just check the pfn ranges.  This matches with
    what isolate_freepages_range does.
    
    Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
    Acked-by: Minchan Kim <minchan@kernel.org>
    Cc: Mel Gorman <mgorman@suse.de>
    Acked-by: Vlastimil Babka <vbabka@suse.cz>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Acked-by: Michal Nazarewicz <mina86@mina86.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/compaction.c |   20 +++++++++++++-------
 1 files changed, 13 insertions(+), 7 deletions(-)

commit 6c2a0937a7bb61db66b01160334fa83c93c05c7b
Author: Artem Fetishev <artem_fetishev@epam.com>
Date:   Mon Mar 10 15:49:45 2014 -0700

    Upstream commit: 70335abb2689c8cd5df91bf2d95a65649addf50b
    
    fs/proc/base.c: fix GPF in /proc/$PID/map_files
    
    The expected logic of proc_map_files_get_link() is either to return 0
    and initialize 'path' or return an error and leave 'path' uninitialized.
    
    By the time dname_to_vma_addr() returns 0 the corresponding vma may have
    already be gone.  In this case the path is not initialized but the
    return value is still 0.  This results in 'general protection fault'
    inside d_path().
    
    Steps to reproduce:
    
      CONFIG_CHECKPOINT_RESTORE=y
    
        fd = open(...);
        while (1) {
            mmap(fd, ...);
            munmap(fd, ...);
        }
    
      ls -la /proc/$PID/map_files
    
    Addresses https://bugzilla.kernel.org/show_bug.cgi?id=68991
    
    Signed-off-by: Artem Fetishev <artem_fetishev@epam.com>
    Signed-off-by: Aleksandr Terekhov <aleksandr_terekhov@epam.com>
    Reported-by: <wiebittewas@gmail.com>
    Acked-by: Pavel Emelyanov <xemul@parallels.com>
    Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
    Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/proc/base.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 34d22047e821cdae1d31beb2fdda8e6e9fe40cdf
Author: Matthew Leach <matthew.leach@arm.com>
Date:   Tue Mar 11 11:58:27 2014 +0000

    Upstream commit: dbb490b96584d4e958533fb637f08b557f505657
    
    net: socket: error on a negative msg_namelen
    
    When copying in a struct msghdr from the user, if the user has set the
    msg_namelen parameter to a negative value it gets clamped to a valid
    size due to a comparison between signed and unsigned values.
    
    Ensure the syscall errors when the user passes in a negative value.
    
    Signed-off-by: Matthew Leach <matthew.leach@arm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/socket.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit a28f7e3e1ec4d26bf7734c70ca3b6107e54597ca
Author: Alexei Starovoitov <ast@plumgrid.com>
Date:   Mon Mar 10 15:56:51 2014 -0700

    Upstream commit: fdfaf64e75397567257e1051931f9a3377360665
    
    x86: bpf_jit: support negative offsets
    
    Commit a998d4342337 claimed to introduce negative offset support to x86 jit,
    but it couldn't be working, since at the time of the execution
    of LD+ABS or LD+IND instructions via call into
    bpf_internal_load_pointer_neg_helper() the %edx (3rd argument of this func)
    had junk value instead of access size in bytes (1 or 2 or 4).
    
    Store size into %edx instead of %ecx (what original commit intended to do)
    
    Fixes: a998d4342337 ("bpf jit: Let the x86 jit handle negative offsets")
    Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
    Cc: Jan Seiffert <kaffeemonster@googlemail.com>
    Cc: Eric Dumazet <edumazet@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/x86/net/bpf_jit.S |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 977ee3909139082a57a04afbb8e9ee202475aa27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 12 19:21:43 2014 -0400

    Improve GRKERNSEC_JIT_HARDEN against a theoretical attack I dreamed up --
    if an attacker had an arbitrary read vuln and ability to redirect control flow,
    he could, in ~2,000,000,000 attempts have a 50% chance of pre-selecting a
    32bit random key which the attacker has XORed with his desired immediates to
    cause the constant blinding to produce a potentially useful instruction stream
    (which he could verify by abusing the infoleak).  Instead of using one key
    per instruction stream, generate a new key for each instruction using prandom_u32().
    
    The downside is some performance impact during JIT compilation, though this
    shouldn't be so common an event for anyone to notice.

 arch/x86/net/bpf_jit_comp.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 1b3f7f8f68d05143c0d55e8ceba0904c21007ad4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 7 20:44:22 2014 -0500

    fix typo

 ipc/mq_sysctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 90c31e93dc4eb2045775930cacbb64318cabafad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 7 20:25:53 2014 -0500

    add no_const to ctl_table located on stack

 ipc/mq_sysctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 098fd10b3af4ef61b2edc60314ef18991b2f6f71
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Thu Mar 6 17:51:57 2014 +0100

    Upstream commit: c88507fbad8055297c1d1e21e599f46960cbee39
    
    ipv6: don't set DST_NOCOUNT for remotely added routes
    
    DST_NOCOUNT should only be used if an authorized user adds routes
    locally. In case of routes which are added on behalf of router
    advertisments this flag must not get used as it allows an unlimited
    number of routes getting added remotely.
    
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/route.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c4bd306f576cc03b5f0f9e56253e3f0a3be5d3bd
Merge: 71ed8ef a2aac72
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 7 20:10:30 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit a2aac72603c2309d560a606493bb3003e2abe6c7
Merge: 96545e3 404df65
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 7 20:10:13 2014 -0500

    Merge branch 'linux-3.13.y' into pax-test
    
    Conflicts:
        arch/arm/mm/mmu.c
        mm/memory.c

commit 71ed8ef8e7d2ffcc57b5ffacef3a9262ed8781c7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 4 18:08:29 2014 -0500

    Backport security fix: http://seclists.org/oss-sec/2014/q1/477

 net/ipv4/inet_fragment.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit d752f1f1704ddbec282d7eb2150c75e05b9bcdd3
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Mar 3 17:23:04 2014 +0100

    Upstream commit: ec0223ec48a90cb605244b45f7c62de856403729
    Remote DoS fix
    
    net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
    
    RFC4895 introduced AUTH chunks for SCTP; during the SCTP
    handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
    being optional though):
    
      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      -------------------- COOKIE-ECHO -------------------->
      <-------------------- COOKIE-ACK ---------------------
    
    A special case is when an endpoint requires COOKIE-ECHO
    chunks to be authenticated:
    
      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      ------------------ AUTH; COOKIE-ECHO ---------------->
      <-------------------- COOKIE-ACK ---------------------
    
    RFC4895, section 6.3. Receiving Authenticated Chunks says:
    
      The receiver MUST use the HMAC algorithm indicated in
      the HMAC Identifier field. If this algorithm was not
      specified by the receiver in the HMAC-ALGO parameter in
      the INIT or INIT-ACK chunk during association setup, the
      AUTH chunk and all the chunks after it MUST be discarded
      and an ERROR chunk SHOULD be sent with the error cause
      defined in Section 4.1. [...] If no endpoint pair shared
      key has been configured for that Shared Key Identifier,
      all authenticated chunks MUST be silently discarded. [...]
    
      When an endpoint requires COOKIE-ECHO chunks to be
      authenticated, some special procedures have to be followed
      because the reception of a COOKIE-ECHO chunk might result
      in the creation of an SCTP association. If a packet arrives
      containing an AUTH chunk as a first chunk, a COOKIE-ECHO
      chunk as the second chunk, and possibly more chunks after
      them, and the receiver does not have an STCB for that
      packet, then authentication is based on the contents of
      the COOKIE-ECHO chunk. In this situation, the receiver MUST
      authenticate the chunks in the packet by using the RANDOM
      parameters, CHUNKS parameters and HMAC_ALGO parameters
      obtained from the COOKIE-ECHO chunk, and possibly a local
      shared secret as inputs to the authentication procedure
      specified in Section 6.3. If authentication fails, then
      the packet is discarded. If the authentication is successful,
      the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
      MUST be processed. If the receiver has an STCB, it MUST
      process the AUTH chunk as described above using the STCB
      from the existing association to authenticate the
      COOKIE-ECHO chunk and all the chunks after it. [...]
    
    Commit bbd0d59809f9 introduced the possibility to receive
    and verification of AUTH chunk, including the edge case for
    authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
    the function sctp_sf_do_5_1D_ce() handles processing,
    unpacks and creates a new association if it passed sanity
    checks and also tests for authentication chunks being
    present. After a new association has been processed, it
    invokes sctp_process_init() on the new association and
    walks through the parameter list it received from the INIT
    chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
    and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
    meta data (peer_random, peer_hmacs, peer_chunks) in case
    sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
    SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
    peer_random != NULL and peer_hmacs != NULL the peer is to be
    assumed asoc->peer.auth_capable=1, in any other case
    asoc->peer.auth_capable=0.
    
    Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
    available, we set up a fake auth chunk and pass that on to
    sctp_sf_authenticate(), which at latest in
    sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
    at position 0..0008 when setting up the crypto key in
    crypto_hash_setkey() by using asoc->asoc_shared_key that is
    NULL as condition key_id == asoc->active_key_id is true if
    the AUTH chunk was injected correctly from remote. This
    happens no matter what net.sctp.auth_enable sysctl says.
    
    The fix is to check for net->sctp.auth_enable and for
    asoc->peer.auth_capable before doing any operations like
    sctp_sf_authenticate() as no key is activated in
    sctp_auth_asoc_init_active_key() for each case.
    
    Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
    passed from the INIT chunk was not used in the AUTH chunk, we
    SHOULD send an error; however in this case it would be better
    to just silently discard such a maliciously prepared handshake
    as we didn't even receive a parameter at all. Also, as our
    endpoint has no shared key configured, section 6.3 says that
    MUST silently discard, which we are doing from now onwards.
    
    Before calling sctp_sf_pdiscard(), we need not only to free
    the association, but also the chunk->auth_chunk skb, as
    commit bbd0d59809f9 created a skb clone in that case.
    
    I have tested this locally by using netfilter's nfqueue and
    re-injecting packets into the local stack after maliciously
    modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
    and the SCTP packet containing the COOKIE_ECHO (injecting
    AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
    
    Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Vlad Yasevich <yasevich@gmail.com>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/sm_statefuns.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 855c02e8cb1af9b40752258060af547805881899
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 4 18:05:10 2014 -0500

    Backport local DoS fix: http://seclists.org/oss-sec/2014/q1/494

 security/keys/keyring.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 4877e98529649880ac76ade11e5529403a40ea73
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 3 14:42:58 2014 -0500

    mark 'processor' as __read_only instead of forcing constify on it
    to avoid a GCC constant propagation that will cause a NULL deref on boot
    on ARM MULTI_CPU configs
    
    Thanks to Arnaud Fontaine and Arnaud Ebalard for the report, fix is from
    the PaX Team

 arch/arm/include/asm/proc-fns.h |    2 +-
 arch/arm/kernel/setup.c         |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 9c8d2926262f0345af454da45b41c6259bdc89e8
Author: Andrew Honig <ahonig@google.com>
Date:   Thu Feb 27 19:35:14 2014 +0100

    Upstream commit: a08d3b3b99efd509133946056531cdf8f3a0c09b
    
    kvm: x86: fix emulator buffer overflow (CVE-2014-0049)
    
    The problem occurs when the guest performs a pusha with the stack
    address pointing to an mmio address (or an invalid guest physical
    address) to start with, but then extending into an ordinary guest
    physical address.  When doing repeated emulated pushes
    emulator_read_write sets mmio_needed to 1 on the first one.  On a
    later push when the stack points to regular memory,
    mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0.
    
    As a result, KVM exits to userspace, and then returns to
    complete_emulated_mmio.  In complete_emulated_mmio
    vcpu->mmio_cur_fragment is incremented.  The termination condition of
    vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved.
    The code bounces back and fourth to userspace incrementing
    mmio_cur_fragment past it's buffer.  If the guest does nothing else it
    eventually leads to a a crash on a memcpy from invalid memory address.
    
    However if a guest code can cause the vm to be destroyed in another
    vcpu with excellent timing, then kvm_clear_async_pf_completion_queue
    can be used by the guest to control the data that's pointed to by the
    call to cancel_work_item, which can be used to gain execution.
    
    Fixes: f78146b0f9230765c6315b2e14f56112513389ad
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org (3.5+)
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kvm/x86.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 40051b60939861d365baf66d95dadd3f090542ac
Author: Mike Pecovnik <mike.pecovnik@gmail.com>
Date:   Mon Feb 24 21:11:16 2014 +0100

    Upstream commit: 46833a86f7ab30101096d81117dd250bfae74c6f
    
    net: Fix permission check in netlink_connect()
    
    netlink_sendmsg() was changed to prevent non-root processes from sending
    messages with dst_pid != 0.
    netlink_connect() however still only checks if nladdr->nl_groups is set.
    This patch modifies netlink_connect() to check for the same condition.
    
    Signed-off-by: Mike Pecovnik <mike.pecovnik@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/netlink/af_netlink.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a3be34042aa8d3eccb476cb240d8cdc85024b18a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 1 23:17:33 2014 -0500

    Apply role_umask RBAC restrictions to POSIX ACLs as well

 fs/posix_acl.c |    7 +++++--
 fs/xattr_acl.c |    9 +++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

commit 652b798b80f39815b94fc9b7192d648ad6b6cf64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 24 21:57:37 2014 -0500

    mention in config help that gcc 4.6.4 or higher is needed for RANDSTRUCT

 grsecurity/Kconfig |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 5ffde76a88cb5dadc307cabc33d7ad253158b608
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 24 18:54:34 2014 -0500

    use current_umask() helper in lustre instead of current->fs->umask

 drivers/staging/lustre/lustre/llite/dir.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 49761e88b63e2771f09aa16cb4e98c681515cf31
Merge: daf0afa 96545e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 24 17:43:09 2014 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kernel/cpu/common.c

commit 96545e3f1c4df86c1d9b74a1916d1b712138345f
Merge: 1ea0c4a dc0ead5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 24 17:37:59 2014 -0500

    Update to pax-linux-3.13.5-test11.patch:
    - fixed a mismerge in atomic64_sub_return on arm, reported by Arnaud Fontaine
    - the latent entropy plugin can now initialize structure variables as well
    
    Merge branch 'linux-3.13.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/ftrace.c
        include/linux/compiler-gcc4.h

commit daf0afa64695bd49bf6be19450fea0a533edc3ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 24 17:16:47 2014 -0500

    when IPC hardening is disabled via sysctl, we shouldn't be imposing
    any additional restrictions
    thanks to Mathias Krause (minipli) for the report

 grsecurity/grsec_ipc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 179bf20a88510350fc86383c7d1b8e7d422cc604
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 21 12:06:41 2014 -0500

    add missing return in the ARM refcount code.
    
    Thanks to Arnaud Fontaine for the report and patch!

 arch/arm/include/asm/atomic.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 5eecd26548fa8462296745eedf66858bf83532c9
Merge: d32875c 1ea0c4a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 21:39:25 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 1ea0c4ab7114838fb5f7b320c5c4bee6269c2f99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 21:39:02 2014 -0500

    Update to pax-linux-3.13.4-test10.patch

 tools/gcc/latent_entropy_plugin.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit d32875ccf8800fd9b458907fbd9f08e74847012b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 18:42:11 2014 -0500

    work around pipacs' latent_entropy plugin

 tools/gcc/randomize_layout_plugin.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 91ea54c68a7f728341371d3ca8c6208acc885706
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 17:57:36 2014 -0500

    .data takes the address of the ints, not their values

 net/core/neighbour.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit bc41258c48ca6acae51d191e914556ab37ca7c92
Merge: 3051292 0ce19d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 17:45:07 2014 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        include/linux/compiler-gcc4.h

commit 0ce19d411496f0ab77a86c1c5091b909fd720665
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 17:43:26 2014 -0500

    Update to pax-linux-3.13.4-test10.patch:
    - fixed asm goto for all gcc versions, backport from upstream (https://git.kernel.org/linus/a9f180345f5378ac87)
    - fixed a size overflow false positive in the ELF loader (needs a non-0 based PIE to trigger), reported by spender
    - the latent entropy plugin will now insert some entropy at compile time into the random pools

 drivers/char/random.c             |    6 +-
 fs/binfmt_elf.c                   |    2 +-
 include/linux/compiler-gcc4.h     |    4 --
 tools/gcc/gcc-common.h            |   10 ++++-
 tools/gcc/latent_entropy_plugin.c |   84 +++++++++++++++++++++++++++++++++----
 tools/gcc/stackleak_plugin.c      |    5 +-
 6 files changed, 90 insertions(+), 21 deletions(-)

commit 3051292e84bf30c218e447a105ab898e8c509b44
Merge: 71d207d 8a3ecf6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 17:19:54 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a3ecf6d2b7e6304d259608e77a7259daeeeab9b
Merge: 98242db 93ee5dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 17:17:30 2014 -0500

    Merge branch 'linux-3.13.y' into pax-test

commit 71d207d2df0cc95b1cf26d1499317d5b010c4033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 16:59:26 2014 -0500

    Fix a 16+ year old hack in Linux that exposed itself when RANDSTRUCT was
    enabled, reported by jacekalex on the forums

 include/net/neighbour.h |    1 -
 net/core/neighbour.c    |    9 +++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 6d3beec0d1c79dfad2ba060c4d06ebf65ce39d15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 19 22:01:38 2014 -0500

    Backport CIFS vuln fix: http://article.gmane.org/gmane.linux.kernel.cifs/9401

 fs/cifs/file.c |   37 ++++++++++++++++++++++++++++++++++---
 1 files changed, 34 insertions(+), 3 deletions(-)

commit 20eb03803ea2fea3f8c420b69097058122de32f6
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Tue Feb 11 09:15:54 2014 -0500

    Upstream commit: 06ea0bfe6e6043cb56a78935a19f6f8ebc636226
    
    SUNRPC: Fix races in xs_nospace()
    
    When a send failure occurs due to the socket being out of buffer space,
    we call xs_nospace() in order to have the RPC task wait until the
    socket has drained enough to make it worth while trying again.
    The current patch fixes a race in which the socket is drained before
    we get round to setting up the machinery in xs_nospace(), and which
    is reported to cause hangs.
    
    Link: http://lkml.kernel.org/r/20140210170315.33dfc621@notabene.brown
    Fixes: a9a6b52ee1ba (SUNRPC: Don't start the retransmission timer...)
    Reported-by: Neil Brown <neilb@suse.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

 net/sunrpc/xprtsock.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 9fff690287df8c389126420e1dab2608ddb4be75
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Tue Feb 11 13:56:54 2014 -0500

    Upstream commit: 628356791b04ea988fee070f66a748a823d001bb
    
    SUNRPC: Fix potential memory scribble in xprt_free_bc_request()
    
    The call to xprt_free_allocation() will call list_del() on
    req->rq_bc_pa_list, which is not attached to a list.
    This patch moves the list_del() out of xprt_free_allocation()
    and into those callers that need it.
    
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

 net/sunrpc/backchannel_rqst.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 5382ae56cf22adf34d2dd9da03b3a44af0c846f1
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Sun Feb 16 12:14:13 2014 -0500

    Upstream commit: 9eb2ddb48ce3a7bd745c14a933112994647fa3cd
    
    SUNRPC: Ensure that gss_auth isn't freed before its upcall messages
    
    Fix a race in which the RPC client is shutting down while the
    gss daemon is processing a downcall. If the RPC client manages to
    shut down before the gss daemon is done, then the struct gss_auth
    used in gss_release_msg() may have already been freed.
    
    Link: http://lkml.kernel.org/r/1392494917.71728.YahooMailNeo@web140002.mail.bf1.yahoo.com
    Reported-by: John <da_audiophile@yahoo.com>
    Reported-by: Borislav Petkov <bp@alien8.de>
    Cc: stable@vger.kernel.org # 3.12+
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

 net/sunrpc/auth_gss/auth_gss.c |   13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)

commit 76e2d40cfc26bc44ba2ff4604c1f0ff4821ec13b
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Sun Feb 16 13:28:01 2014 -0500

    Upstream commit: e9776d0f4adee8877145672f6416b06b57f2dc27
    
    SUNRPC: Fix a pipe_version reference leak
    
    In gss_alloc_msg(), if the call to gss_encode_v1_msg() fails, we
    want to release the reference to the pipe_version that was obtained
    earlier in the function.
    
    Fixes: 9d3a2260f0f4b (SUNRPC: Fix buffer overflow checking in...)
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

 net/sunrpc/auth_gss/auth_gss.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 715c3e4109210d090282b360463aa474c978dcf5
Author: Christoffer Dall <christoffer.dall@linaro.org>
Date:   Sun Feb 2 22:21:31 2014 +0100

    Upstream commit: 4d9c5b89cf3605bbc39c6e274351ff25f0d83e6a
    
    ARM: 7950/1: mm: Fix stage-2 device memory attributes
    
    The stage-2 memory attributes are distinct from the Hyp memory
    attributes and the Stage-1 memory attributes.  We were using the stage-1
    memory attributes for stage-2 mappings causing device mappings to be
    mapped as normal memory.  Add the S2 equivalent defines for memory
    attributes and fix the comments explaining the defines while at it.
    
    Add a prot_pte_s2 field to the mem_type struct and fill out the field
    for device mappings accordingly.
    
    Cc: <stable@vger.kernel.org>        [3.9+]
    Acked-by: Marc Zyngier <marc.zyngier@arm.com>
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    
    Conflicts:
    
        arch/arm/mm/mmu.c

 arch/arm/include/asm/pgtable-3level.h |   15 +++++++++------
 arch/arm/mm/mm.h                      |    1 +
 arch/arm/mm/mmu.c                     |    7 ++++++-
 3 files changed, 16 insertions(+), 7 deletions(-)

commit 49f25f2842b5e567ca45d5648460ad7cfd2af7ab
Author: Will Deacon <will.deacon@arm.com>
Date:   Fri Feb 7 19:12:20 2014 +0100

    Upstream commit: bae0ca2bc550d1ec6a118fb8f2696f18c4da3d8e
    
    ARM: 7953/1: mm: ensure TLB invalidation is complete before enabling MMU
    
    During __v{6,7}_setup, we invalidate the TLBs since we are about to
    enable the MMU on return to head.S. Unfortunately, without a subsequent
    dsb instruction, the invalidation is not guaranteed to have completed by
    the time we write to the sctlr, potentially exposing us to junk/stale
    translations cached in the TLB.
    
    This patch reworks the init functions so that the dsb used to ensure
    completion of cache/predictor maintenance is also used to ensure
    completion of the TLB invalidation.
    
    Cc: <stable@vger.kernel.org>
    Reported-by: Albin Tonnerre <Albin.Tonnerre@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/mm/proc-v6.S |    3 ++-
 arch/arm/mm/proc-v7.S |    2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

commit fa4b67556529451bd4489b07472f58feec35d51d
Author: Will Deacon <will.deacon@arm.com>
Date:   Fri Feb 7 19:12:32 2014 +0100

    Upstream commit: 7c8746a9eb287642deaad0e7c2cdf482dce5e4be
    
    ARM: 7955/1: spinlock: ensure we have a compiler barrier before sev
    
    When unlocking a spinlock, we require the following, strictly ordered
    sequence of events:
    
        <barrier>       /* dmb */
        <unlock>
        <barrier>       /* dsb */
        <sev>
    
    Whilst the code does indeed reflect this in terms of the architecture,
    the final <barrier> + <sev> have been contracted into a single inline
    asm without a "memory" clobber, therefore the compiler is at liberty to
    reorder the unlock to the end of the above sequence. In such a case,
    a waiting CPU may be woken up before the lock has been unlocked, leading
    to extremely poor performance.
    
    This patch reworks the dsb_sev() function to make use of the dsb()
    macro and ensure ordering against the unlock.
    
    Cc: <stable@vger.kernel.org>
    Reported-by: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/include/asm/spinlock.h |   15 +++------------
 1 files changed, 3 insertions(+), 12 deletions(-)

commit f3efaba9e0a1d5d96fc0783ae8ec8e733e113bfa
Author: Russell King <rmk+kernel@arm.linux.org.uk>
Date:   Tue Feb 11 17:11:04 2014 +0000

    Upstream commit: e83b366487b5582274374f8226e489cb214ae5a6
    
    Fix uses of dma_max_pfn() when converting to a limiting address
    
    We must use a 64-bit for this, otherwise overflowed bits get lost, and
    that can result in a lower than intended value set.
    
    Fixes: 8e0cb8a1f6ac ("ARM: 7797/1: mmc: Use dma_max_pfn(dev) helper for bounce_limit calculations")
    Fixes: 7d35496dd982 ("ARM: 7796/1: scsi: Use dma_max_pfn(dev) helper for bounce_limit calculations")
    Tested-Acked-by: Santosh Shilimkar <santosh.shilimkar@ti.com>
    Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 drivers/mmc/card/queue.c |    2 +-
 drivers/scsi/scsi_lib.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 5a3e8a10d439ba8bcd893bf2159618908fe80384
Author: Vinayak Kale <vkale@apm.com>
Date:   Wed Feb 12 07:30:01 2014 +0100

    Upstream commit: 39544ac9df20f73e49fc6b9ac19ff533388c82c0
    
    ARM: 7957/1: add DSB after icache flush in __flush_icache_all()
    
    Add DSB after icache flush to complete the cache maintenance operation.
    
    Signed-off-by: Vinayak Kale <vkale@apm.com>
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/include/asm/cacheflush.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 26d22a6946dfbb4f4a760038816c43ba49504863
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Mon Feb 17 12:24:45 2014 -0800

    Upstream commit: e4178d809fdaee32a56833fff1f5056c99e90a1a
    
    printk: fix syslog() overflowing user buffer
    
    This is not a buffer overflow in the traditional sense: we don't
    overflow any *kernel* buffers, but we do mis-count the amount of data we
    copy back to user space for the SYSLOG_ACTION_READ_ALL case.
    
    In particular, if the user buffer is too small to hold everything, and
    *if* there is a continuation line at just the right place, we can end up
    giving the user more data than he asked for.
    
    The reason is that we first count up the number of bytes all the log
    records contains, then we walk the records again until we've skipped the
    records at the beginning that won't fit, and then we walk the rest of
    the records and copy them to the user space buffer.
    
    And in between that "skip the initial records that won't fit" and the
    "copy the records that *will* fit to user space", we reset the 'prev'
    variable that contained the record information for the last record not
    copied.  That meant that when we started copying to user space, we now
    had a different character count than what we had originally calculated
    in the first record walk-through.
    
    The fix is to simply not clear the 'prev' flags value (in both cases
    where we had the same logic: syslog_print_all and kmsg_dump_get_buffer:
    the latter is used for pstore-like dumping)
    
    Reported-and-tested-by: Debabrata Banerjee <dbanerje@akamai.com>
    Acked-by: Kay Sievers <kay@vrfy.org>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/printk/printk.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 88d5fdac3aa7813d963ab5a3325c2f15c36c97cf
Author: Rafael Aquini <aquini@redhat.com>
Date:   Mon Feb 10 14:25:48 2014 -0800

    Upstream commit: a0b54adda3fe4b4cc6d28f2a9217cd35d1aa888c
    
    mm: fix page leak at nfs_symlink()
    
    Changes in commit a0b8cab3b9b2 ("mm: remove lru parameter from
    __pagevec_lru_add and remove parts of pagevec API") have introduced a
    call to add_to_page_cache_lru() which causes a leak in nfs_symlink() as
    now the page gets an extra refcount that is not dropped.
    
    Jan Stancek observed and reported the leak effect while running test8
    from Connectathon Testsuite.  After several iterations over the test
    case, which creates several symlinks on a NFS mountpoint, the test
    system was quickly getting into an out-of-memory scenario.
    
    This patch fixes the page leak by dropping that extra refcount
    add_to_page_cache_lru() is grabbing.
    
    Signed-off-by: Jan Stancek <jstancek@redhat.com>
    Signed-off-by: Rafael Aquini <aquini@redhat.com>
    Acked-by: Mel Gorman <mgorman@suse.de>
    Acked-by: Rik van Riel <riel@redhat.com>
    Cc: Jeff Layton <jlayton@redhat.com>
    Cc: Trond Myklebust <trond.myklebust@primarydata.com>
    Cc: <stable@vger.kernel.org>        [3.11.x+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/nfs/dir.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit bf53635ba34d0ef231a89dd30aa9954b0fa3d87b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Feb 17 20:33:01 2014 -0500

    Upstream commit: 92e3b40537707001d17bbad800d150ab04e53bf4
    
    jbd2: fix use after free in jbd2_journal_start_reserved()
    
    If start_this_handle() fails then it leads to a use after free of
    "handle".
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@vger.kernel.org

 fs/jbd2/transaction.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 7eb9d6b170b2d83e9a59d8d5e9c3eaec76b3e1a2
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sat Feb 15 22:42:25 2014 -0500

    Upstream commit: 3d2660d0c9c2f296837078c189b68a47f6b2e3b5
    
    ext4: fix online resize with a non-standard blocks per group setting
    
    The set_flexbg_block_bitmap() function assumed that the number of
    blocks in a blockgroup was sb->blocksize * 8, which is normally true,
    but not always!  Use EXT4_BLOCKS_PER_GROUP(sb) instead, to fix block
    bitmap corruption after:
    
    mke2fs -t ext4 -g 3072 -i 4096 /dev/vdd 1G
    mount -t ext4 /dev/vdd /vdd
    resize2fs /dev/vdd 8G
    
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Reported-by: Jon Bernard <jbernard@tuxion.com>
    Cc: stable@vger.kernel.org

 fs/ext4/resize.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 588500229af3505116b0fe05c4e54a06cabd64e4
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sat Feb 15 21:33:13 2014 -0500

    Upstream commit: b93c95353413041a8cebad915a8109619f66bcc6
    
    ext4: fix online resize with very large inode tables
    
    If a file system has a large number of inodes per block group, all of
    the metadata blocks in a flex_bg may be larger than what can fit in a
    single block group.  Unfortunately, ext4_alloc_group_tables() in
    resize.c was never tested to see if it would handle this case
    correctly, and there were a large number of bugs which caused the
    following sequence to result in a BUG_ON:
    
    kernel bug at fs/ext4/resize.c:409!
       ...
    call trace:
     [<ffffffff81256768>] ext4_flex_group_add+0x1448/0x1830
     [<ffffffff81257de2>] ext4_resize_fs+0x7b2/0xe80
     [<ffffffff8123ac50>] ext4_ioctl+0xbf0/0xf00
     [<ffffffff811c111d>] do_vfs_ioctl+0x2dd/0x4b0
     [<ffffffff811b9df2>] ? final_putname+0x22/0x50
     [<ffffffff811c1371>] sys_ioctl+0x81/0xa0
     [<ffffffff81676aa9>] system_call_fastpath+0x16/0x1b
    code: c8 4c 89 df e8 41 96 f8 ff 44 89 e8 49 01 c4 44 29 6d d4 0
    rip  [<ffffffff81254fa1>] set_flexbg_block_bitmap+0x171/0x180
    
    This can be reproduced with the following command sequence:
    
       mke2fs -t ext4 -i 4096 /dev/vdd 1G
       mount -t ext4 /dev/vdd /vdd
       resize2fs /dev/vdd 8G
    
    To fix this, we need to make sure the right thing happens when a block
    group's inode table straddles two block groups, which means the
    following bugs had to be fixed:
    
    1) Not clearing the BLOCK_UNINIT flag in the second block group in
       ext4_alloc_group_tables --- the was proximate cause of the BUG_ON.
    
    2) Incorrectly determining how many block groups contained contiguous
       free blocks in ext4_alloc_group_tables().
    
    3) Incorrectly setting the start of the next block range to be marked
       in use after a discontinuity in setup_new_flex_group_blocks().
    
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@vger.kernel.org

 fs/ext4/resize.c |   32 ++++++++++++++++++++------------
 1 files changed, 20 insertions(+), 12 deletions(-)

commit dfb5654f8a9946e06f67d0481c907fa9ae4c6b04
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Wed Feb 12 12:16:04 2014 -0500

    Upstream commit: 23301410972330c0ae9a8afc379ba2005e249cc6
    
    ext4: don't try to modify s_flags if the the file system is read-only
    
    If an ext4 file system is created by some tool other than mke2fs
    (perhaps by someone who has a pathalogical fear of the GPL) that
    doesn't set one or the other of the EXT2_FLAGS_{UN}SIGNED_HASH flags,
    and that file system is then mounted read-only, don't try to modify
    the s_flags field.  Otherwise, if dm_verity is in use, the superblock
    will change, causing an dm_verity failure.
    
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@vger.kernel.org

 fs/ext4/super.c |   20 +++++++++++++-------
 1 files changed, 13 insertions(+), 7 deletions(-)

commit d2a631f973d3cff9a1c015cb64b08bb9cc52de8b
Author: Eric Whitney <enwlinux@gmail.com>
Date:   Wed Feb 12 10:42:45 2014 -0500

    Upstream commit: 15cc17678547676c82a5da9ccf357447333fc342
    
    ext4: fix xfstest generic/299 block validity failures
    
    Commit a115f749c1 (ext4: remove wait for unwritten extent conversion from
    ext4_truncate) exposed a bug in ext4_ext_handle_uninitialized_extents().
    It can be triggered by xfstest generic/299 when run on a test file
    system created without a journal.  This test continuously fallocates and
    truncates files to which random dio/aio writes are simultaneously
    performed by a separate process.  The test completes successfully, but
    if the test filesystem is mounted with the block_validity option, a
    warning message stating that a logical block has been mapped to an
    illegal physical block is posted in the kernel log.
    
    The bug occurs when an extent is being converted to the written state
    by ext4_end_io_dio() and ext4_ext_handle_uninitialized_extents()
    discovers a mapping for an existing uninitialized extent. Although it
    sets EXT4_MAP_MAPPED in map->m_flags, it fails to set map->m_pblk to
    the discovered physical block number.  Because map->m_pblk is not
    otherwise initialized or set by this function or its callers, its
    uninitialized value is returned to ext4_map_blocks(), where it is
    stored as a bogus mapping in the extent status tree.
    
    Since map->m_pblk can accidentally contain illegal values that are
    larger than the physical size of the file system,  calls to
    check_block_validity() in ext4_map_blocks() that are enabled if the
    block_validity mount option is used can fail, resulting in the logged
    warning message.
    
    Signed-off-by: Eric Whitney <enwlinux@gmail.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@vger.kernel.org  # 3.11+

 fs/ext4/extents.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7eb52392ee886f01a5c944f35fbe95edc2169877
Author: Zheng Liu <wenqing.lz@taobao.com>
Date:   Wed Feb 12 11:48:31 2014 -0500

    Upstream commit: 30d29b119ef01776e0a301444ab24defe8d8bef3
    
    ext4: fix error paths in swap_inode_boot_loader()
    
    In swap_inode_boot_loader() we forgot to release ->i_mutex and resume
    unlocked dio for inode and inode_bl if there is an error starting the
    journal handle.  This commit fixes this issue.
    
    Reported-by: Ahmed Tamrawi <ahmedtamrawi@gmail.com>
    Cc: Andreas Dilger <adilger.kernel@dilger.ca>
    Cc: Dr. Tilmann Bubeck <t.bubeck@reinform.de>
    Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@vger.kernel.org  # v3.10+

 fs/ext4/ioctl.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 4dc90c1991032c483b11690717ba07952f4fef07
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sun Feb 16 19:29:32 2014 -0500

    Upstream commit: 19ea80603715d473600cd993b9987bc97d042e02
    
    ext4: don't leave i_crtime.tv_sec uninitialized
    
    If the i_crtime field is not present in the inode, don't leave the
    field uninitialized.
    
    Fixes: ef7f38359 ("ext4: Add nanosecond timestamps")
    Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
    Tested-by: Vegard Nossum <vegard.nossum@oracle.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@vger.kernel.org

 fs/ext4/ext4.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 9d8aa319cfbfdb4bdf7a5d4adc4b93fe028bec12
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 19 20:39:37 2014 -0500

    While a Xen dom0 is technically a guest, it's perceived as a host by many
    and there's really no Linux "host" for Xen, so allow PARAVIRT to be
    enabled on "host" kernels only when Xen is selected
    
    Thanks to gaima on the forums for the report
    
    Conflicts:
    
        arch/x86/Kconfig

 arch/x86/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8ef15c34cb044db1ae729a53327e5b848631fbee
Author: Petr Písař <petr.pisar@atlas.cz>
Date:   Thu Feb 6 21:01:23 2014 +0100

    Upstream commit: 0930b0950a8996aa88b0d2ba4bb2bab27cc36bc7
    
    vt: Fix secure clear screen
    
    \E[3J console code (secure clear screen) needs to update_screen(vc)
    in order to write-through blanks into off-screen video memory.
    
    This has been removed accidentally in 3.6 by:
    
    commit 81732c3b2fede049a692e58a7ceabb6d18ffb18c
    Author: Jean-François Moine <moinejf@free.fr>
    Date:   Thu Sep 6 19:24:13 2012 +0200
    
        tty vt: Fix line garbage in virtual console on command line edition
    
    Signed-off-by: Petr Písař <petr.pisar@atlas.cz>
    Cc: stable <stable@vger.kernel.org> # 3.6
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/vt/vt.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 8568da92bd738464772c24fd68a9b300d22985b5
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Thu Feb 13 07:46:04 2014 -0800

    Upstream commit: 4640c7ee9b8953237d05a61ea3ea93981d1bc961
    
    x86, smap: smap_violation() is bogus if CONFIG_X86_SMAP is off
    
    If CONFIG_X86_SMAP is disabled, smap_violation() tests for conditions
    which are incorrect (as the AC flag doesn't matter), causing spurious
    faults.
    
    The dynamic disabling of SMAP (nosmap on the command line) is fine
    because it disables X86_FEATURE_SMAP, therefore causing the
    static_cpu_has() to return false.
    
    Found by Fengguang Wu's test system.
    
    [ v3: move all predicates into smap_violation() ]
    [ v2: use IS_ENABLED() instead of #ifdef ]
    
    Reported-by: Fengguang Wu <fengguang.wu@intel.com>
    Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: <stable@vger.kernel.org> # v3.7+

 arch/x86/mm/fault.c |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

commit dc68abaa1208e66be3bc07eb57855d4ab413373c
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Thu Feb 13 07:34:30 2014 -0800

    Upstream commit: 03bbd596ac04fef47ce93a730b8f086d797c3021
    
    x86, smap: Don't enable SMAP if CONFIG_X86_SMAP is disabled
    
    If SMAP support is not compiled into the kernel, don't enable SMAP in
    CR4 -- in fact, we should clear it, because the kernel doesn't contain
    the proper STAC/CLAC instructions for SMAP support.
    
    Found by Fengguang Wu's test system.
    
    Reported-by: Fengguang Wu <fengguang.wu@intel.com>
    Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: <stable@vger.kernel.org> # v3.7+

 arch/x86/kernel/cpu/common.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 6d804df770568f2d41f36cc446dc2c4b9ddbdc66
Author: Steven Noonan <steven@uplinklabs.net>
Date:   Wed Feb 12 23:01:07 2014 -0800

    Upstream commit: a9f180345f5378ac87d80ed0bea55ba421d83859
    
    compiler/gcc4: Make quirk for asm_volatile_goto() unconditional
    
    I started noticing problems with KVM guest destruction on Linux
    3.12+, where guest memory wasn't being cleaned up. I bisected it
    down to the commit introducing the new 'asm goto'-based atomics,
    and found this quirk was later applied to those.
    
    Unfortunately, even with GCC 4.8.2 (which ostensibly fixed the
    known 'asm goto' bug) I am still getting some kind of
    miscompilation. If I enable the asm_volatile_goto quirk for my
    compiler, KVM guests are destroyed correctly and the memory is
    cleaned up.
    
    So make the quirk unconditional for now, until bug is found
    and fixed.
    
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Steven Noonan <steven@uplinklabs.net>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Jakub Jelinek <jakub@redhat.com>
    Cc: Richard Henderson <rth@twiddle.net>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/1392274867-15236-1-git-send-email-steven@uplinklabs.net
    Link: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 include/linux/compiler-gcc4.h |    6 +-----
 1 files changed, 1 insertions(+), 5 deletions(-)

commit df681ad2079c8b443dd98a66daa49a96f6803118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 15 14:43:58 2014 -0500

    add note on how to disable rate limiting on log messages

 grsecurity/Kconfig |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 247661801d1a9904eac479770aac8c31adfb3a03
Merge: 294e38e 98242db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 20:17:09 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 98242dba193affafa9996207af8aaee0a58e237c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 20:16:39 2014 -0500

    Update to pax-linux-3.13.3-test9.patch:
    - forward port to 3.13.3
    - updated hash table from Emese, missing entries reported by Adam Chyła and Matthew Thode

 kernel/sched/core.c               |    2 +-
 kernel/trace/ftrace.c             |    8 ++++----
 tools/gcc/size_overflow_hash.data |    6 ++++++
 3 files changed, 11 insertions(+), 5 deletions(-)

commit 294e38ee2ac097654f11df09cfe8c5584a573b6c
Merge: d1fd1fc 990a904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 18:11:12 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 990a9041b296c2afe56f7c5ff4bb2e2e0ed6298f
Merge: d32ab3c 7955a48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 18:11:01 2014 -0500

    Merge branch 'linux-3.13.y' into pax-test
    
    Conflicts:
        kernel/trace/ftrace.c

commit d1fd1fc0d4c9d07cd6f2f2dad040db0f1c433b5d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 16:50:39 2014 -0500

    Force off all virtualization guest options if the autoconfig choice
    was not for the kernel to be used for vm guests
    likewise force off Xen if it wasn't mentioned in the autoconfig

 arch/x86/Kconfig     |    1 +
 arch/x86/xen/Kconfig |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

commit 6f7fd76856916bda9145d3fb89b3462b18630c75
Merge: 32aa9fa d32ab3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 15:25:21 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit d32ab3c04e157fd34738846fc1cbdbed5eab1147
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 15:24:57 2014 -0500

    Update to pax-linux-3.13.2-test9.patch:
    - fixed some gcc plugins to work in low-memory environments as well, reported by many, big thanks to niv <n@e-ix.net> for help

 tools/gcc/Makefile                |    2 +-
 tools/gcc/latent_entropy_plugin.c |   18 +++++++++--
 tools/gcc/size_overflow_plugin.c  |   19 +++++++++--
 tools/gcc/stackleak_plugin.c      |   58 ++++++++++++++++++++++++++++--------
 4 files changed, 76 insertions(+), 21 deletions(-)

commit 32aa9fa0174969476774c472226d304f122291a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 12:35:16 2014 -0500

    add missing header

 grsecurity/grsec_mem.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d48d8d3b1b527d8dc7a9162bda44d32608906632
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 12:04:44 2014 -0500

    export msr_write logging function and convert all exported symbols to EXPORT_SYMBOL_GPL
    
    Conflicts:
    
        grsecurity/gracl.c
        grsecurity/grsec_disabled.c
        grsecurity/grsec_exec.c

 grsecurity/gracl.c          |    8 ++++----
 grsecurity/grsec_chroot.c   |    2 +-
 grsecurity/grsec_disabled.c |    4 ++--
 grsecurity/grsec_exec.c     |    8 ++++----
 grsecurity/grsec_init.c     |    2 +-
 grsecurity/grsec_mem.c      |    1 +
 grsecurity/grsec_sock.c     |   12 ++++++------
 grsecurity/grsec_time.c     |    2 +-
 8 files changed, 20 insertions(+), 19 deletions(-)

commit 3c05c8568522f6a660debeaacf536a99a0212342
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 11:28:26 2014 -0500

    add missing header

 arch/x86/kernel/msr.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e68254d468db8b3a28fa549606136fdba9276a75
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 11:12:36 2014 -0500

    fix typo

 arch/x86/kernel/msr.c      |    4 ++--
 include/linux/grsecurity.h |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 2845d9e8598070db65f7429ecf2ac1803077ed9e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 10:57:06 2014 -0500

    PLUGIN_FINISH_DECL is an enum, so use explicit gcc version checking instead

 tools/gcc/randomize_layout_plugin.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1cd63e6169739aa7881796ac74b43b83bdbd8626
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 09:23:29 2014 -0500

    Relax MSR restrictions under GRKERNSEC_KMEM, allow MSR reads but not writes.  Log all writing attempts.

 arch/x86/Kconfig           |    1 -
 arch/x86/kernel/msr.c      |    9 +++++++++
 grsecurity/grsec_mem.c     |    6 ++++++
 include/linux/grmsg.h      |    1 +
 include/linux/grsecurity.h |    1 +
 5 files changed, 17 insertions(+), 1 deletions(-)

commit a750206a1934759fc0da5ab831852a22ce720862
Author: Richard Yao <ryao@gentoo.org>
Date:   Sat Feb 8 19:32:01 2014 -0500

    Upstream commit: b6f52ae2f0d32387bde2b89883e3b64d88b9bfe8
    
    9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers
    
    The 9p-virtio transport does zero copy on things larger than 1024 bytes
    in size. It accomplishes this by returning the physical addresses of
    pages to the virtio-pci device. At present, the translation is usually a
    bit shift.
    
    That approach produces an invalid page address when we read/write to
    vmalloc buffers, such as those used for Linux kernel modules. Any
    attempt to load a Linux kernel module from 9p-virtio produces the
    following stack.
    
    [<ffffffff814878ce>] p9_virtio_zc_request+0x45e/0x510
    [<ffffffff814814ed>] p9_client_zc_rpc.constprop.16+0xfd/0x4f0
    [<ffffffff814839dd>] p9_client_read+0x15d/0x240
    [<ffffffff811c8440>] v9fs_fid_readn+0x50/0xa0
    [<ffffffff811c84a0>] v9fs_file_readn+0x10/0x20
    [<ffffffff811c84e7>] v9fs_file_read+0x37/0x70
    [<ffffffff8114e3fb>] vfs_read+0x9b/0x160
    [<ffffffff81153571>] kernel_read+0x41/0x60
    [<ffffffff810c83ab>] copy_module_from_fd.isra.34+0xfb/0x180
    
    Subsequently, QEMU will die printing:
    
    qemu-system-x86_64: virtio: trying to map MMIO memory
    
    This patch enables 9p-virtio to correctly handle this case. This not
    only enables us to load Linux kernel modules off virtfs, but also
    enables ZFS file-based vdevs on virtfs to be used without killing QEMU.
    
    Special thanks to both Avi Kivity and Alexander Graf for their
    interpretation of QEMU backtraces. Without their guidence, tracking down
    this bug would have taken much longer. Also, special thanks to Linus
    Torvalds for his insightful explanation of why this should use
    is_vmalloc_addr() instead of is_vmalloc_or_module_addr():
    
    https://lkml.org/lkml/2014/2/8/272
    
    Signed-off-by: Richard Yao <ryao@gentoo.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/9p/trans_virtio.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 6f3de18441f63778b664f2815cfc0d2af0d22f4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 08:38:14 2014 -0500

    rename finish_decl function to fix compat with gcc 4.7.2 that exposed too much of its internals
    add a useful compile error if we try building with < gcc 4.6.4

 tools/gcc/randomize_layout_plugin.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 596b24936ed3687455327c3d26a8a820263a1f88
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 11 17:33:49 2014 -0500

    [PATCH] random: fix overflow for big nbits values in credit_entropy_bits()
    
    Commit 30e37ec516ae "random: account for entropy loss due to overwrites"
    introduced an overflow in the arithmetics of credit_entropy_bits() when
    CONFIG_GRKERNSEC_RANDNET is enabled as the latter quadruples the pool
    size and therefore invalidates the assumptions of the "nifty" formula.
    
    Fix the overflow by using 64bit arithmetics.
    
    Reported-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
    Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
    
    This bug is at worst a privileged DoS -- with RANDNET enabled, an admin
    with CAP_SYS_ADMIN feeding large amounts of entropy into the pool at once
    can cause less than expected entropy to be credited (but this doesn't
    affect how much is actually added).  For specific buffer sizes, this
    can result in 0 entropy being credited and end in a situation in which
    the kernel can't recover, causing future reads from /dev/random to stall.
    
    Many thanks to Torsten and Mathias for the report!

 drivers/char/random.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 04f9fc1040b96a623cca444b330a3a96c104d3af
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 9 11:30:53 2014 -0500

    just ignore the seed file, the hash is in a different dir

 tools/gcc/.gitignore |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit eaddc3f039b57731d04d90e334cf75c6cdde895d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 9 11:27:22 2014 -0500

    Don't pass the hashed seed via build commandline, generate a header to include in vermagic.h instead

 Documentation/dontdiff       |    2 +-
 Makefile                     |    4 +---
 include/linux/vermagic.h     |    1 +
 tools/gcc/.gitignore         |    4 ++--
 tools/gcc/Makefile           |    9 ++++-----
 tools/gcc/gen-random-seed.sh |    3 ++-
 6 files changed, 11 insertions(+), 12 deletions(-)

commit d3fcb6991a09d163867dd6e7e04ad5675f9c3202
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 22:03:25 2014 -0500

    update dontdiff and .gitignore to reflect new seed/hash filenames for RANDSTRUCT

 Documentation/dontdiff |    4 ++--
 tools/gcc/.gitignore   |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 3e96d2ad6f7e3373a978767099f3b3bb12890644
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 20:02:12 2014 -0500

    don't divide cputime by HZ as some architectures can't handle this
    use proper task_cputime and cputime_to_secs wrappers
    Thanks to Michael Tremer for the report

 grsecurity/gracl.c |   23 ++++++++++++-----------
 1 files changed, 12 insertions(+), 11 deletions(-)

commit bff837da26077ae243118561da6e31e8d2ef83b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 21:26:51 2014 -0500

    gcc 4.9 update for RANDSTRUCT plugin part 1

 tools/gcc/randomize_layout_plugin.c |    7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 58eee46f846245affdc86a1fd057bc7802bfef63
Merge: 954a136 2b56794
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 20:36:18 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 2b56794a375594b35d2984d0950059977624a5ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 20:35:40 2014 -0500

    Update to pax-linux-3.13.2-test8.patch:
    - fixed compile errors on arm due to constification, reported by Michael Tremer <michael.tremer@ipfire.org>
    - fixed the PLUGIN_START_UNIT callback names in the latent entropy and size overflow plugins, reported by spender
    - added a new header to gcc-common.h, reported by spender
    - some useful backports from upstream 3.14:
      - debug info for .S: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7db436325db821b400328563ed693b09f8c4c46c
      - make v4 -s handling: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e36aaea28972c57a32a3ba5365e61633739719b9

 Makefile                                    |    8 +++++++-
 arch/arm/mach-omap2/powerdomains43xx_data.c |    5 ++++-
 arch/x86/include/asm/tlbflush.h             |    1 -
 drivers/gpu/drm/armada/armada_drv.c         |   10 +---------
 drivers/gpu/drm/tegra/hdmi.c                |    2 +-
 drivers/misc/eeprom/sunxi_sid.c             |    4 +++-
 drivers/mmc/host/sdhci-esdhc-imx.c          |    7 +++++--
 include/drm/drmP.h                          |    1 +
 include/drm/ttm/ttm_page_alloc.h            |    1 +
 tools/gcc/gcc-common.h                      |    1 +
 10 files changed, 24 insertions(+), 16 deletions(-)

commit 954a136c7f2ce3a76f9a8b148c49614092554b5b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 20:20:41 2014 -0500

    Backport SELinux DoS fix from http://marc.info/?l=selinux&m=139110025203759&w=2

 security/selinux/ss/services.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit a16066ea179a4f15b368cd5003d9c3638aa7f48e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 20:16:57 2014 -0500

    don't pass the seed via build commandline, store it in a header file instead
    and build it into the RANDSTRUCT plugin.
    set up proper dependencies for the generated files used by the RANDSTRUCT plugin,
    fixing some race conditions in the build process
    support O= argument to make and place generated files in the target directory tree
    update RANDSTRUCT documentation

 Makefile                            |    6 ++----
 grsecurity/Kconfig                  |    2 +-
 scripts/gen-random-seed.sh          |    8 --------
 tools/gcc/Makefile                  |   10 +++++++++-
 tools/gcc/gen-random-seed.sh        |    7 +++++++
 tools/gcc/randomize_layout_plugin.c |   23 ++++++++---------------
 6 files changed, 27 insertions(+), 29 deletions(-)

commit 79cb2972d4d5e61a831e8eae996b286f433afd10
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 18:15:24 2014 -0500

    make GRKERNSEC_HIDESYM also protect the target directory specified with the O= arg to 'make'

 grsecurity/Makefile |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 10a483b7ae687f15e3836234175920518ec50fa7
Merge: 95e6c94 5a87ea7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 17:21:02 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 5a87ea74aab86c3c211612d1ae7cac26694b736d
Merge: 1554390 fd82174
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 17:19:50 2014 -0500

    Merge branch 'linux-3.13.y' into pax-test
    
    Conflicts:
        net/compat.c

commit 95e6c94d6945ce8acfb56997feada8fde8aab8a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 5 23:43:27 2014 -0500

    avoid printing jibberish in some instances with RANDSTRUCT and modules
    built with other seeds, as the kernel's module loader trusts the
    module layout

 kernel/module.c |   25 +++++++++++++++++++++++++
 1 files changed, 25 insertions(+), 0 deletions(-)

commit 71ff747386915adda2113b08c47b0ccb1683dea5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 5 23:32:26 2014 -0500

    Introduce the non-performance mode -- the performance mode had previously been
    inadvertently forced on regardless of config setting
    
    Resolve an issue with gcc completing declarations for recently finished
    types *before* the plugin's finish_type being called to randomize that structure.
    This resulted in too small a structure size being emitted for this_module
    and generally crashes whenever modules were loaded.

 Makefile                            |    2 +-
 tools/gcc/randomize_layout_plugin.c |   23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletions(-)

commit e17b47e4f837bb769f5159b928f5accce5131514
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 3 17:30:32 2014 -0500

    select DEBUG_KERNEL in addition to DEBUG_LIST

 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1a4fd0231e9cee0203dd7f10faf89d721883b6a4
Merge: 5fb88fe 1554390
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 2 21:25:11 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 1554390d0c012ebcbe8734216913fcb94681db2b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 2 21:24:45 2014 -0500

    update plugin start_unit names

 tools/gcc/latent_entropy_plugin.c |    2 +-
 tools/gcc/size_overflow_plugin.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 5fb88febacff2f061c9aad406d107177acc3f950
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 2 21:23:30 2014 -0500

    update copyright date

 grsecurity/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f4d392661ab08166ed1aa81d4f1d90fec146f761
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 2 21:23:08 2014 -0500

    update copyright message

 grsecurity/Makefile |   22 ++++++++++++++++------
 1 files changed, 16 insertions(+), 6 deletions(-)

commit 7bd6dcd5823155b1948fe0815a7aa173da6bea35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 1 19:53:04 2014 -0500

    update RANDSTRUCT plugin to eliminate false posities on struct type mismatches
    resulting from an IS_ERR() sequence
    add checks for bad casts in local and global variable initializers
    use the main variant when comparing types

 tools/gcc/randomize_layout_plugin.c |  150 +++++++++++++++++++++++++++++++++--
 1 files changed, 144 insertions(+), 6 deletions(-)

commit 5349795dd080969318409078672c2c53c0645354
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 1 15:13:06 2014 -0500

    remove unnecessary TODO_* flags for our passive bad cast gimple pass

 tools/gcc/randomize_layout_plugin.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a22b89b09d12e3db4b464d3b26e45c7b3a65c0ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 1 10:55:36 2014 -0500

    fix RANDSTRUCT plugin compatibility with gcc 4.9

 tools/gcc/randomize_layout_plugin.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b3d5d360931c93bdeaf6fa199e29f47e7f70b17b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 31 21:52:14 2014 -0500

    sanity check to make sure we never randomize a struct in include/uapi/*

 scripts/gen-random-seed.sh          |    2 +-
 tools/gcc/randomize_layout_plugin.c |    7 +++++++
 2 files changed, 8 insertions(+), 1 deletions(-)

commit d2057f02e759a707a700bc9c80d1f7f55afa89f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 31 18:11:51 2014 -0500

    force on modversion support if RANDSTRUCT is enabled so that we're sure
    no modules can be loaded that were built with a different seed

 grsecurity/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 5e1f8e0b67af1f2876f1906eab828914a1c2670b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 30 16:47:31 2014 -0500

    Fix an extremely serious vulnerability (it's nearly an arbitrary write) introduced
    in 3.4 with the addition of X32 support.  Hopefully most users haven't enabled this
    option, but as it's enabled now in some distros (e.g. Ubuntu, which is affected)
    the chance is more likely for those importing base configs from such a distro.
    
    I would recommend you disable X32 support, especially if you're not using it.  As
    this bug could have been discovered with even a completely dumb syscall fuzzer, it
    should be clear what level of testing went into X32 support.
    
    Normally we would have fixed this immediately, announced it, and moved on, but
    this was not my bug and not my choice.  So I got to wait for the likes of linux-distros
    and security@kernel.org to decide when it could be fixed, while I had to continue
    releasing grsecurity patches without the fix for a serious vulnerability I was aware
    of for two days.  I'm not happy at all about this, and this is exactly why I refuse
    to work in any kind of situation where I would become aware of something that I
    couldn't fix immediately.  Hopefully this is the last time this will happen.
    
    Credits to the PaX Team for finding the bug and writing the fix.  This is CVE-2014-0038.

 net/compat.c |    9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

commit 9d599455aa9fb272a7160c3f8276771a5af7c74a
Merge: 6aeb51b f93afd1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 29 21:49:00 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit f93afd1627ef450a96e96bdb2b984aefb66cb531
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 29 21:48:24 2014 -0500

    Update to pax-linux-3.13.1-test6.patch:
    - forward port to 3.13.1
    - fixed a weak UDEREF regression resulting in a kernel hang on boot, reported by Negres

 arch/x86/include/asm/uaccess_64.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 18727190851782d5ee2b5fe579e4a4c379303a34
Merge: b9c766b 07ecf16
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 29 21:41:57 2014 -0500

    Merge branch 'linux-3.13.y' into pax-test

commit 6aeb51bccfcad549c3b39235df08aa043cdfa9bc
Author: Weston Andros Adamson <dros@netapp.com>
Date:   Tue Dec 17 12:16:11 2013 -0500

    Upstream commit: 6ff33b7dd0228b7d7ed44791bbbc98b03fd15d9d
    
    sunrpc: Fix infinite loop in RPC state machine
    
    When a task enters call_refreshresult with status 0 from call_refresh and
    !rpcauth_uptodatecred(task) it enters call_refresh again with no rate-limiting
    or max number of retries.
    
    Instead of trying forever, make use of the retry path that other errors use.
    
    This only seems to be possible when the crrefresh callback is gss_refresh_null,
    which only happens when destroying the context.
    
    To reproduce:
    
    1) mount with sec=krb5 (or sec=sys with krb5 negotiated for non FSID specific
       operations).
    
    2) reboot - the client will be stuck and will need to be hard rebooted
    
    BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:2:46]
    Modules linked in: rpcsec_gss_krb5 nfsv4 nfs fscache ppdev crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd serio_raw i2c_piix4 i2c_core e1000 parport_pc parport shpchp nfsd auth_rpcgss oid_registry exportfs nfs_acl lockd sunrpc autofs4 mptspi scsi_transport_spi mptscsih mptbase ata_generic floppy
    irq event stamp: 195724
    hardirqs last  enabled at (195723): [<ffffffff814a925c>] restore_args+0x0/0x30
    hardirqs last disabled at (195724): [<ffffffff814b0a6a>] apic_timer_interrupt+0x6a/0x80
    softirqs last  enabled at (195722): [<ffffffff8103f583>] __do_softirq+0x1df/0x276
    softirqs last disabled at (195717): [<ffffffff8103f852>] irq_exit+0x53/0x9a
    CPU: 0 PID: 46 Comm: kworker/0:2 Not tainted 3.13.0-rc3-branch-dros_testing+ #4
    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
    Workqueue: rpciod rpc_async_schedule [sunrpc]
    task: ffff8800799c4260 ti: ffff880079002000 task.ti: ffff880079002000
    RIP: 0010:[<ffffffffa0064fd4>]  [<ffffffffa0064fd4>] __rpc_execute+0x8a/0x362 [sunrpc]
    RSP: 0018:ffff880079003d18  EFLAGS: 00000246
    RAX: 0000000000000005 RBX: 0000000000000007 RCX: 0000000000000007
    RDX: 0000000000000007 RSI: ffff88007aecbae8 RDI: ffff8800783d8900
    RBP: ffff880079003d78 R08: ffff88006e30e9f8 R09: ffffffffa005a3d7
    R10: ffff88006e30e7b0 R11: ffff8800783d8900 R12: ffffffffa006675e
    R13: ffff880079003ce8 R14: ffff88006e30e7b0 R15: ffff8800783d8900
    FS:  0000000000000000(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f3072333000 CR3: 0000000001a0b000 CR4: 00000000001407f0
    Stack:
     ffff880079003d98 0000000000000246 0000000000000000 ffff88007a9a4830
     ffff880000000000 ffffffff81073f47 ffff88007f212b00 ffff8800799c4260
     ffff8800783d8988 ffff88007f212b00 ffffe8ffff604800 0000000000000000
    Call Trace:
     [<ffffffff81073f47>] ? trace_hardirqs_on_caller+0x145/0x1a1
     [<ffffffffa00652d3>] rpc_async_schedule+0x27/0x32 [sunrpc]
     [<ffffffff81052974>] process_one_work+0x211/0x3a5
     [<ffffffff810528d5>] ? process_one_work+0x172/0x3a5
     [<ffffffff81052eeb>] worker_thread+0x134/0x202
     [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
     [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
     [<ffffffff810584a0>] kthread+0xc9/0xd1
     [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
     [<ffffffff814afd6c>] ret_from_fork+0x7c/0xb0
     [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
    Code: e8 87 63 fd e0 c6 05 10 dd 01 00 01 48 8b 43 70 4c 8d 6b 70 45 31 e4 a8 02 0f 85 d5 02 00 00 4c 8b 7b 48 48 c7 43 48 00 00 00 00 <4c> 8b 4b 50 4d 85 ff 75 0c 4d 85 c9 4d 89 cf 0f 84 32 01 00 00
    
    And the output of "rpcdebug -m rpc -s all":
    
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    
    Signed-off-by: Weston Andros Adamson <dros@netapp.com>
    Cc: stable@vger.kernel.org # 2.6.37+
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

 net/sunrpc/clnt.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 9ad04e13872458b4883e9f8f087cad538ae8f3e3
Author: Scott Mayhew <smayhew@redhat.com>
Date:   Fri Jan 17 15:12:05 2014 -0500

    Upstream commit: 263b4509ec4d47e0da3e753f85a39ea12d1eff24
    
    nfs: always make sure page is up-to-date before extending a write to cover the entire page
    
    We should always make sure the cached page is up-to-date when we're
    determining whether we can extend a write to cover the full page -- even
    if we've received a write delegation from the server.
    
    Commit c7559663 added logic to skip this check if we have a write
    delegation, which can lead to data corruption such as the following
    scenario if client B receives a write delegation from the NFS server:
    
    Client A:
        # echo 123456789 > /mnt/file
    
    Client B:
        # echo abcdefghi >> /mnt/file
        # cat /mnt/file
        0�D0�abcdefghi
    
    Just because we hold a write delegation doesn't mean that we've read in
    the entire page contents.
    
    Cc: <stable@vger.kernel.org> # v3.11+
    Signed-off-by: Scott Mayhew <smayhew@redhat.com>
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

 fs/nfs/write.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit d6a427afc951e705a45d18fe513b4a9644b54586
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Fri Jan 17 17:03:41 2014 -0500

    Upstream commit: 64590daa9e0dfb3aad89e3ab9230683b76211d5b
    
    NFSv4.1: Handle errors correctly in nfs41_walk_client_list
    
    Both nfs41_walk_client_list and nfs40_walk_client_list expect the
    'status' variable to be set to the value -NFS4ERR_STALE_CLIENTID
    if the loop fails to find a match.
    The problem is that the 'pos->cl_cons_state > NFS_CS_READY' changes
    the value of 'status', and sets it either to the value '0' (which
    indicates success), or to the value EINTR.
    
    Cc: stable@vger.kernel.org # 3.7.x: 7b1f1fd1842e6: NFSv4/4.1: Fix bugs in
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

 fs/nfs/nfs4client.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit f7c465156fdef12a66d0a59114582dc4d4d7f406
Author: Weston Andros Adamson <dros@primarydata.com>
Date:   Sun Jan 19 22:45:36 2014 -0500

    Upstream commit: abad2fa5ba67725a3f9c376c8cfe76fbe94a3041
    
    nfs4: fix discover_server_trunking use after free
    
    If clp is new (cl_count = 1) and it matches another client in
    nfs4_discover_server_trunking, the nfs_put_client will free clp before
    ->cl_preserve_clid is set.
    
    Cc: stable@vger.kernel.org # 3.7+
    Signed-off-by: Weston Andros Adamson <dros@primarydata.com>
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

 fs/nfs/nfs4client.c |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit d3737c02af42ac32da97dc30dac94ae7343cec14
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Mon Jan 27 17:07:19 2014 -0800

    Upstream commit: 592f6b842f64e416c7598a1b97c649b34241e22d
    
    compat: fix sys_fanotify_mark
    
    Commit 91c2e0bcae72 ("unify compat fanotify_mark(2), switch to
    COMPAT_SYSCALL_DEFINE") added a new unified compat fanotify_mark syscall
    to be used by all architectures.
    
    Unfortunately the unified version merges the split mask parameter in a
    wrong way: the lower and higher word got swapped.
    
    This was discovered with glibc's tst-fanotify test case.
    
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Reported-by: Andreas Krebbel <krebbel@linux.vnet.ibm.com>
    Cc: "James E.J. Bottomley" <jejb@parisc-linux.org>
    Acked-by: "David S. Miller" <davem@davemloft.net>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: <stable@vger.kernel.org>        [3.10+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/notify/fanotify/fanotify_user.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ae72596a96d46255c781f07ee2de05abe57d43ff
Merge: 5254ff7 b9c766b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 28 18:23:25 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit b9c766bc9706fcfe5bbe0df099178e8eaa643327
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 28 18:22:46 2014 -0500

    Update to pax-linux-3.13-test6.patch:
    - fixed the TRACE_IRQFLAGS/KERNEXEC problem for real, 3rd time's a charm, by minipli
    - fixed a size overflow false positive in skb_network_offset due to an intentional overflow, by Emese Revfy, reported by Nikita Matovs

 arch/x86/kernel/entry_64.S |   22 ++++++++++++----------
 include/linux/skbuff.h     |    2 +-
 2 files changed, 13 insertions(+), 11 deletions(-)

commit 5254ff73f13759d893213092da5fd654ca22960f
Merge: 7e5aad2 c956349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 22:52:22 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit c956349a3335c72308d1bce7524f2e0f521ff709
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 22:51:57 2014 -0500

    Update to pax-linux-3.13-test5.patch:
    - new size overflow hash table from spender
    - backported http://git.kernel.org/linus/34228d473ef
    - fixed CONFIG_MEM_SOFT_DIRTY interference with _PAGE_NX on x86
    - fixed the size overflow plugin for gcc 4.9, by Emese Revfy

 arch/x86/include/asm/pgtable_types.h |    2 +-
 mm/mmap.c                            |   12 +++++++++-
 tools/gcc/gcc-common.h               |    2 +
 tools/gcc/size_overflow_hash.data    |   33 ++++++++++++++++++++++++++--
 tools/gcc/size_overflow_plugin.c     |   38 +++++++++++++++++-----------------
 5 files changed, 62 insertions(+), 25 deletions(-)

commit 7e5aad2c98c49f82bdd6a6949133c0393b743e4a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 21:12:59 2014 -0500

    update size_overflow hash table

 tools/gcc/size_overflow_hash.data |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 9583ac30e401a97397c5a4a30564521bc2d8afeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 20:33:30 2014 -0500

    Relicense RANDSTRUCT plugin as GPLv2, removing the GPLv3 option

 tools/gcc/randomize_layout_plugin.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f4afefdb6f09d22d5c0a74cf2a3ff4f44a67a8c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 20:30:10 2014 -0500

    Make all grsecurity code GPLv2 only for future releases.  Not really
    important as grsecurity is a derivative work of the Linux kernel and
    thus forced to be GPLv2, the "or higher" was superfluous.

 grsecurity/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 718e2b2400f29a7fa414c6c5d383f82658a3457f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 22:22:52 2014 -0500

    update size_overflow hash table

 tools/gcc/size_overflow_hash.data |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit a4369fd780e658a9d26bedc53415261286caefe5
Merge: c93ceb8 f3b1213
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 21:24:43 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit f3b12134d032b0bfc2a9fc2183a50fabcaabdbf5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 21:24:17 2014 -0500

    Update to pax-linux-3.13-test4.patch:
    - fixed a constify plugin regression, reported by spender
    - updated gcc-common.h

 tools/gcc/constify_plugin.c |    4 +-
 tools/gcc/gcc-common.h      |   68 +++++++++++++++++++++++++++++++++++++++---
 2 files changed, 65 insertions(+), 7 deletions(-)

commit 962a3acff3d42cf360932f438a666224b8597012
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 21:24:01 2014 -0500

    Revert "fix an assert triggering in constify plugin update, real fix coming later"
    
    This reverts commit 899baaf06fdd79f9b9b410a414695ba7b80f6203.

 tools/gcc/constify_plugin.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit c93ceb8d5ed604ddd5580de9a764fc411824c5c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 21:18:31 2014 -0500

    update size_overflow hash table

 tools/gcc/size_overflow_hash.data |   19 ++++++++++++++++++-
 1 files changed, 18 insertions(+), 1 deletions(-)

commit b42c965a52f58915c8fd048749c1dc5bcf373339
Merge: 663306e 899baaf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 20:35:52 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 899baaf06fdd79f9b9b410a414695ba7b80f6203
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 20:34:49 2014 -0500

    fix an assert triggering in constify plugin update, real fix coming later

 tools/gcc/constify_plugin.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 663306edb8f76d8be46c39ba6aafcdec3e000ab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 18:24:44 2014 -0500

    fix typo

 tools/gcc/randomize_layout_plugin.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4539e5f2729719d07095cf267ea426524f7dc8f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 18:22:33 2014 -0500

    Update RANDSTRUCT plugin for gcc 4.9 and gcc-common.h

 tools/gcc/randomize_layout_plugin.c |   77 +++++++++++++++++++----------------
 1 files changed, 42 insertions(+), 35 deletions(-)

commit 3344ccde1ca59e4e0a4105f25ffbab561e5ee582
Merge: ff96162 0b83e85
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 18:04:38 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 0b83e85c64c9e6e4328cac45d980cdd7e088f157
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 18:03:50 2014 -0500

    Update to pax-linux-3.13-test3.patch:
    - gcc plugin updates
      - ported them to gcc trunk (future 4.9)
      - introduced gcc-common.h to simplify gcc version dependencies
      - updated size overflow hash table from spender
      - fixed kallocstat to detect constant size arguments early
      - fixed constify to preserve type qualifiers on pointer-to-self fields
    - added a few sparse/checker annotations and changes to satisfy gcc's address space logic
    - fixed the TRACE_IRQFLAGS problem reported by minipli again

 arch/x86/ia32/ia32_signal.c                   |    6 +-
 arch/x86/include/asm/uaccess_64.h             |    4 +-
 arch/x86/kernel/entry_64.S                    |  112 ++++----
 arch/x86/kernel/preempt.S                     |    3 +
 arch/x86/kernel/tboot.c                       |    2 +-
 arch/x86/kernel/xsave.c                       |    8 +-
 arch/x86/lib/thunk_64.S                       |    2 +-
 block/compat_ioctl.c                          |    2 +-
 drivers/gpu/drm/drm_crtc.c                    |    2 +-
 drivers/gpu/drm/qxl/qxl_ioctl.c               |    6 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c |   10 +-
 drivers/media/v4l2-core/v4l2-ctrls.c          |    4 +-
 drivers/media/v4l2-core/v4l2-ioctl.c          |    2 +-
 drivers/mmc/card/block.c                      |    2 +-
 drivers/net/macvtap.c                         |    2 +-
 drivers/vhost/vringh.c                        |   18 +-
 drivers/video/fbmem.c                         |    2 +-
 fs/compat_ioctl.c                             |    2 +-
 fs/exec.c                                     |    2 +-
 fs/proc/vmcore.c                              |    4 +-
 include/uapi/linux/videodev2.h                |    2 +-
 ipc/compat.c                                  |    2 +-
 kernel/compat.c                               |    2 +-
 kernel/kmod.c                                 |    4 +-
 net/9p/client.c                               |    6 +-
 net/compat.c                                  |    2 +-
 net/core/filter.c                             |    2 +-
 net/netfilter/nft_compat.c                    |    4 +-
 net/socket.c                                  |    6 +-
 net/tipc/subscr.c                             |    2 +-
 sound/pci/hda/hda_codec.c                     |    2 +-
 tools/gcc/Makefile                            |    2 +-
 tools/gcc/checker_plugin.c                    |   30 +--
 tools/gcc/colorize_plugin.c                   |   62 +++--
 tools/gcc/constify_plugin.c                   |  105 ++++----
 tools/gcc/gcc-common.h                        |  207 +++++++++++++++
 tools/gcc/kallocstat_plugin.c                 |  164 +++++++------
 tools/gcc/kernexec_plugin.c                   |  333 ++++++++++++++----------
 tools/gcc/latent_entropy_plugin.c             |  146 +++++------
 tools/gcc/size_overflow_hash.data             |   68 +++++-
 tools/gcc/size_overflow_plugin.c              |  348 +++++++++++--------------
 tools/gcc/stackleak_plugin.c                  |  236 +++++++++--------
 tools/gcc/structleak_plugin.c                 |   90 +++----
 43 files changed, 1149 insertions(+), 871 deletions(-)

commit ff9616214c2e875db763bd395dce11df378df896
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 13:35:44 2014 -0500

    pass hashed seed define as a string

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 39961e3ad1abacccc8a2de280868bcfe52a1edff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 12:44:21 2014 -0500

    add a sha256-hashed version of the seed to modversion to ensure no
    modules compiled with another seed can be loaded

 Documentation/dontdiff     |    1 +
 Makefile                   |    4 +++-
 include/linux/vermagic.h   |    8 +++++++-
 scripts/gen-random-seed.sh |    2 +-
 tools/gcc/.gitignore       |    1 +
 5 files changed, 13 insertions(+), 3 deletions(-)

commit 1df9ff15112f3713997ac10e915b99ad99d2e33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 11:26:44 2014 -0500

    Force HIDESYM on if RANDSTRUCT is used, just in case there is a user
    who already isn't enabling it (to prevent the seed from potentially being
    visible to other users if compiled on the same machine).
    Suggested by minipli

 grsecurity/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 5ee75cac712d37f79de1e6f509a18749258b2085
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 01:01:31 2014 -0500

    Update size_overflow hash table

 tools/gcc/size_overflow_hash.data |   19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

commit d87a88e0b3298c9d39bb7b3257dabb8fc17b8e9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 22:19:55 2014 -0500

    update to new mount_lock

 grsecurity/gracl.c |   24 +++++++++++-------------
 1 files changed, 11 insertions(+), 13 deletions(-)

commit 677d1d169912d98b7a139563ab7f7fb82ee6c3c5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 19:05:59 2014 -0500

    compile fix

 init/main.c |    4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

commit c8496c1e0bb5cbed7aff11ee208a7a89ffd80b40
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 19:00:50 2014 -0500

    resync random code with 3.13

 include/linux/random.h      |    4 ++++
 include/uapi/linux/random.h |    7 -------
 2 files changed, 4 insertions(+), 7 deletions(-)

commit 3d168ee50cb706276c805ae1d6a5e8417a91067a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:54:11 2014 -0500

    Fix another compiler error caught by RANDSTRUCT
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 sound/isa/sb/emu8000_synth.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit bc4a5595404b985a2b17e84d29765b7af7e968ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:34:12 2014 -0500

    Fix another compiler error caught by RANDSTRUCT
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/net/wan/z85230.c |   24 ++++++++++++------------
 1 files changed, 12 insertions(+), 12 deletions(-)

commit 0f0da7cb40431fe816aa356499bff026452cfc44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:30:46 2014 -0500

    fix compilation with RANDSTRUCT plugin
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 sound/drivers/opl4/opl4_seq.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 97d6cc865b9cf64fada1fcaabfa923fecee54ef7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:16:18 2014 -0500

    avoid problems by just building our fake field decl node from scratch
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit 6455dfb41e9c0d3f26f00ef2f505bd0f74aa8dca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 13:45:18 2014 -0500

    while in non-debug mode, don't emit notes for non-randomized struct types
    
    clear all signs from our fake field decl of being a bitfield
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit 35909486eebb6c1ab27956ef6cc35e19e19282a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:56:05 2014 -0500

    revert change to read-only marking of fake struct field
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit bbd5d12c912390e0bdb6ddde81279b579fc94edb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:42:48 2014 -0500

    Update RANDSTRUCT plugin help
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 0d829e61f501ae59387a6e1d0f9060d5555ac588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:25:43 2014 -0500

    Introduce GRKERNSEC_RANDSTRUCT: automatic structure layout randomization of pure ops structs randomization of marked sensitive kernel structures
    
    automatically enabled by GRKERNSEC_CONFIG_AUTO
    performance mode is activated if the config priority is set to performance
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 Documentation/dontdiff                          |    1 +
 Makefile                                        |   12 +-
 arch/x86/include/asm/floppy.h                   |   20 +-
 arch/x86/include/asm/paravirt_types.h           |   23 +-
 arch/x86/include/asm/processor.h                |    2 +-
 drivers/acpi/acpica/hwxfsleep.c                 |   11 +-
 drivers/block/cciss.h                           |   30 +-
 drivers/block/drbd/drbd_interval.c              |    6 +-
 drivers/block/smart1,2.h                        |   40 +-
 drivers/gpu/drm/nouveau/nouveau_ttm.c           |   30 +-
 drivers/gpu/drm/ttm/ttm_bo_manager.c            |   10 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c   |   10 +-
 drivers/infiniband/hw/ipath/ipath_dma.c         |   26 +-
 drivers/infiniband/hw/nes/nes_cm.c              |   22 +-
 drivers/isdn/gigaset/bas-gigaset.c              |   32 +-
 drivers/isdn/gigaset/ser-gigaset.c              |   32 +-
 drivers/isdn/gigaset/usb-gigaset.c              |   32 +-
 drivers/isdn/i4l/isdn_concap.c                  |    6 +-
 drivers/isdn/i4l/isdn_x25iface.c                |   16 +-
 drivers/misc/sgi-xp/xp_main.c                   |   12 +-
 drivers/net/ethernet/brocade/bna/bna_enet.c     |    8 +-
 drivers/net/wan/lmc/lmc_media.c                 |   97 ++--
 drivers/scsi/bfa/bfa_fcs.c                      |   19 +-
 drivers/scsi/bfa/bfa_fcs_lport.c                |   29 +-
 drivers/scsi/bfa/bfa_modules.h                  |   12 +-
 drivers/scsi/hpsa.h                             |   20 +-
 drivers/staging/lustre/lustre/ldlm/ldlm_flock.c |    2 +-
 drivers/staging/lustre/lustre/libcfs/module.c   |   10 +-
 drivers/staging/media/solo6x10/solo6x10-g723.c  |    2 +-
 drivers/video/matrox/matroxfb_DAC1064.c         |   10 +-
 drivers/video/matrox/matroxfb_Ti3026.c          |    5 +-
 fs/mount.h                                      |    4 +-
 fs/proc/internal.h                              |    4 +-
 fs/reiserfs/item_ops.c                          |   24 +-
 grsecurity/Kconfig                              |   31 +-
 include/linux/compiler-gcc4.h                   |    5 +
 include/linux/compiler.h                        |    8 +
 include/linux/cred.h                            |    4 +-
 include/linux/dcache.h                          |    2 +-
 include/linux/fs.h                              |   14 +-
 include/linux/fs_struct.h                       |    2 +-
 include/linux/ipc_namespace.h                   |    2 +-
 include/linux/kobject.h                         |    2 +-
 include/linux/mm_types.h                        |    4 +-
 include/linux/module.h                          |    4 +-
 include/linux/mount.h                           |    2 +-
 include/linux/pid_namespace.h                   |    2 +-
 include/linux/proc_ns.h                         |    2 +-
 include/linux/rbtree_augmented.h                |    4 +-
 include/linux/sched.h                           |    6 +-
 include/linux/sysctl.h                          |    2 +-
 include/linux/tty.h                             |    2 +-
 include/linux/tty_driver.h                      |    2 +-
 include/linux/user_namespace.h                  |    2 +-
 include/linux/utsname.h                         |    2 +-
 include/net/neighbour.h                         |    2 +-
 include/net/net_namespace.h                     |    2 +-
 lib/rbtree.c                                    |    4 +-
 net/atm/lec.c                                   |    6 +-
 net/atm/mpoa_caches.c                           |   42 +-
 net/decnet/dn_dev.c                             |    2 +-
 net/vmw_vsock/vmci_transport_notify.c           |   30 +-
 net/vmw_vsock/vmci_transport_notify_qstate.c    |   30 +-
 net/x25/sysctl_net_x25.c                        |    2 +-
 scripts/Makefile                                |    2 +
 scripts/gen-random-seed.sh                      |    8 +
 sound/core/seq/oss/seq_oss.c                    |    4 +-
 sound/core/seq/seq_midi.c                       |    4 +-
 sound/drivers/opl3/opl3_seq.c                   |    4 +-
 sound/pci/emu10k1/emu10k1_synth.c               |    4 +-
 sound/synth/emux/emux_seq.c                     |   14 +-
 tools/gcc/.gitignore                            |    1 +
 tools/gcc/Makefile                              |    2 +
 tools/gcc/randomize_layout_plugin.c             |  726 +++++++++++++++++++++++
 74 files changed, 1222 insertions(+), 390 deletions(-)

commit 301f9fc40e1bed50d31034a192bc95874d5bf3b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 19 09:00:56 2014 -0500

    compile fix
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/random.h      |    4 ----
 include/uapi/linux/random.h |    7 +++++++
 2 files changed, 7 insertions(+), 4 deletions(-)

commit b79910431008b8ce731d45aa3aecc75fe33c928c
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Nov 11 12:20:34 2013 +0100

    Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9
    
    random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized
    
    The Tausworthe PRNG is initialized at late_initcall time. At that time the
    entropy pool serving get_random_bytes is not filled sufficiently. This
    patch adds an additional reseeding step as soon as the nonblocking pool
    gets marked as initialized.
    
    On some machines it might be possible that late_initcall gets called after
    the pool has been initialized. In this situation we won't reseed again.
    
    (A call to prandom_seed_late blocks later invocations of early reseed
    attempts.)
    
    Joint work with Daniel Borkmann.
    
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        lib/random32.c
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/char/random.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 31dee23268ac47eaaafacb186229bc14fb84fa9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 20:43:43 2014 -0500

    Since the reworking of recvmsg handlers by Hannes Frederic Sowa, it should be safe to revert our workaround for large number of infoleaks the previous interface made possible, restoring some performance to these syscalls
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/socket.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ffccf022adef560230b6a641c612f33600ce0e6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 8 20:24:27 2014 -0500

    zeroing out btime from /proc/stat breaks ps aux, it's the seconds of uptime for the system, information which is also available elsewhere (/proc/uptime), so there's no reason to limit it
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/proc/stat.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit a96a6e3b96ffa8c96fa3939c109dc783de2110e0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 8 18:13:15 2014 -0500

    fix typo
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/vmstat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4c084ac8468cdd4bbb8458fae4d0b6d2d1d5afd1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 8 18:06:53 2014 -0500

    provide a zeroed out /proc/vmstat to unprivileged users instead of denied access, some poorly-written desktop apps bail out completely when it can't be opened
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/vmstat.c |   21 +++++++++++++++------
 1 files changed, 15 insertions(+), 6 deletions(-)

commit e0d003dfd4911828f08fa93da2138c9f3be4f352
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 8 17:46:46 2014 -0500

    back out recently-added capability checks to various pci write methods as they break Xorg radeon drivers
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/pci/pci-sysfs.c |    9 ---------
 drivers/pci/proc.c      |    3 ---
 2 files changed, 0 insertions(+), 12 deletions(-)

commit 0a0823fe85e85b9ad92131a35fe57e9aebc30260
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 2 17:05:39 2014 -0500

    add missing #include
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/proc/stat.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 867c7a59c12374d99c59b9c99a1bf8214583baad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 2 17:02:24 2014 -0500

    Back off recent PCI BAR restrictions as they break various existing necessary functionality (Xorg with VMware video driver, etc)
    
    Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0
    checks currently
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/pci/pci-sysfs.c |   17 +++++++----------
 drivers/pci/proc.c      |   13 ++-----------
 drivers/pci/syscall.c   |    4 ----
 3 files changed, 9 insertions(+), 25 deletions(-)

commit e9075cc0c4bab695e2eea8e8ba8f8acfa3cef2ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 31 10:30:20 2013 -0500

    Resolve compatibility with libgtop and recent restriction of /proc/stat, reported by KacKurx. We now provide a properly-formatted but zeroed /proc/stat instead of denying unpriv access to the entry
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/proc/stat.c |   34 ++++++++++++++++++++++++----------
 1 files changed, 24 insertions(+), 10 deletions(-)

commit 7a559ce128070d9d79bf4490a258dba677fa741e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 30 11:19:53 2013 -0500

    Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy Kulikov: http://www.openwall.com/lists/kernel-hardening/2011/11/07/1
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/proc/interrupts.c |    4 ++++
 fs/proc/stat.c       |    4 ++++
 2 files changed, 8 insertions(+), 0 deletions(-)

commit 3898c8157466ff87ef613785f207c019ba8174cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 30 11:13:49 2013 -0500

    Update to phase two of the IPC hardening. I've heard no complaints about the patch I released, but including it here will generate better information.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig     |   16 ++++++++++------
 grsecurity/grsec_ipc.c |   32 +++++++++++++++++++++++++++++---
 include/linux/grmsg.h  |    2 +-
 ipc/util.c             |    3 ++-
 4 files changed, 42 insertions(+), 11 deletions(-)

commit 2a5eb70e0981fd24168be9e5d1c30735a922edca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 19:20:26 2013 -0500

    add missing #include
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_mount.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7d66c996e754d41be945e7a2997b364643a13977
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 15:51:51 2013 -0500

    Update config help to reflect requirements for proper security, similar to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit bc9b4fe1db97c913b2c1163a90805c52c0f0df65
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 15:35:31 2013 -0500

    Whenever we perform checks against block devices we should also test for raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes, Linux's raw device support has been obsoleted many years ago and is unlikely to be present in a given kernel config (modulo an allyesconfig).
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c       |    2 +-
 grsecurity/grsec_mount.c |    4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

commit 2b5ad27e4a323648a0db99a9fa3f27b042dd70f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 25 16:37:02 2013 -0500

    Add some of the more obscure, config-dependent kernel modification defenses to GRKERNSEC_KMEM, to be split out into a separate option if this causes any compatibility problems. From Matthew Garrett: https://lkml.org/lkml/2013/9/9/532
    
    Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not
    the other way around (to produce more secure settings when distro
    configs are used as a base)
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/acpi/custom_method.c    |    4 ++++
 drivers/pci/pci-sysfs.c         |   12 ++++++++++++
 drivers/pci/proc.c              |   12 ++++++++++++
 drivers/pci/syscall.c           |    4 ++++
 drivers/platform/x86/asus-wmi.c |   12 ++++++++++++
 kernel/power/Kconfig            |    2 ++
 security/Kconfig                |    1 -
 7 files changed, 46 insertions(+), 1 deletions(-)

commit c70c49f956beb3d785ca20466c4e5c1d84d7356b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 25 15:11:51 2013 -0500

    remove unused 'dentry' variable
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/xattr.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit cb20fb467591aa2a85a8c12a1bc215a01ed75b18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 25 15:03:13 2013 -0500

    Add RBAC mediation of *removexattr(), as this has security implications in the case of PaX with softmode enabled or the rare case of RBAC+SELinux use.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/xattr.c                  |   18 +++++++++++-------
 grsecurity/gracl_fs.c       |    6 ++++++
 grsecurity/grsec_disabled.c |    6 ++++++
 include/linux/grmsg.h       |    3 ++-
 include/linux/grsecurity.h  |    2 ++
 5 files changed, 27 insertions(+), 8 deletions(-)

commit 482ec0da63b38a9c20cc2205bc7ea87a3985d164
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 20 20:18:56 2013 -0500

    compile fix
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/stat.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 038cc5994b483905c9c0b9e6259a84f7333becc2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 13 19:39:54 2013 -0500

    Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent atomic reload improvement. These two objects are used only for "files" private to the kernel which don't exist on any mounted filesystem and have no visible path. Only the mode field of these objects is ever used, and we would never attempt to free these objects a second time (due to their being allocated into the memory manager associated with the initial policy)
    
    In practice this causes bogus auditing messages for / and could potentially
    cause a subject without executable shared memory support to permit executable
    shared memory (if PaX is disabled on the binary).
    
    Instead just allocate these two special objects with kzalloc at enable time
    and free them at disable time.
    
    Thanks to nyt@countercultured.net for the report
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_policy.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit b67b5e4666934693bb1fc4804ca60724f98a54d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 4 18:15:02 2013 -0500

    Don't duplicate __get_dumpable, also make sure we check against SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing detection when suid_dumpable was set to 2
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/coredump.c              |    7 +++++--
 grsecurity/grsec_sig.c     |   14 ++------------
 include/linux/grsecurity.h |    2 +-
 3 files changed, 8 insertions(+), 15 deletions(-)

commit ad3f9d56b43c4c448d5ba55d4e073e66a59898d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 3 19:39:04 2013 -0500

    Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO, see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879 The previous info was many years outdated.
    
    Disable KEXEC when GRKERNSEC_KMEM is enabled:
    http://mjg59.dreamwidth.org/28746.html
    
    Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning
    -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/Kconfig         |    1 +
 arch/ia64/Kconfig        |    1 +
 arch/mips/Kconfig        |    1 +
 arch/powerpc/Kconfig     |    1 +
 arch/tile/Kconfig        |    1 +
 arch/x86/Kconfig         |    1 +
 arch/x86/kernel/ioport.c |   12 ++++++------
 grsecurity/Kconfig       |   27 +++++++++++----------------
 8 files changed, 23 insertions(+), 22 deletions(-)

commit 7044221d2d6e8d8e8fa26d5c30c72bd6e1d9b599
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 26 15:16:48 2013 -0500

    Fix null deref on application of the shutdown role, reported by zakalwe
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c        |   58 ++++++++++++++++++++++++++++++++++++++++++++-
 grsecurity/gracl_policy.c |   58 ++++-----------------------------------------
 2 files changed, 62 insertions(+), 54 deletions(-)

commit 1f894d3a1357fa9c7b2f849079546115fc797fd8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 26 13:04:07 2013 -0500

    Add system library paths to allowed areas for usermode helper calls, later we will also add checks to ensure the file is owned by root
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/kmod.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit aa561a3ad4b30e8c03837ff96bbcd868e363cb21
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 26 12:59:00 2013 -0500

    Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer causing a NULL deref on RBAC reload, reported by zakalwe
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_policy.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b031d4f071e25462e94f742166b0ea6b8874dae4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 25 22:33:33 2013 -0500

    compile fix
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/kmod.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 00a30755e85c7dbfd1042a0f4c5d911e288c8cc9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 25 12:01:21 2013 -0500

    Conventions exist for a reason -- systemd knows better though and decides to put security-sensitive system administration utilities into /usr/lib/systemd in contrast to *every* other user of usermode helpers. Work around this stupidity
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/kmod.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7177ab477fcc5d670718dafba3f6a454ed2e121e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 22:49:05 2013 -0500

    Revert "HID: multitouch: validate feature report details"
    
    This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-multitouch.c |   25 +++++--------------------
 1 files changed, 5 insertions(+), 20 deletions(-)

commit f0d33fb85de097278d1ae605c3d98fc99b578d56
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 22:48:49 2013 -0500

    Revert "HID: lenovo-tpkbd: validate output report details"
    
    This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-lenovo-tpkbd.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit 0c2a1258705b5c90732c2895664965da6a16bebc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 22:48:33 2013 -0500

    Revert "HID: steelseries: validate output report details"
    
    This reverts commit 0996966348dc3c3f7515567d3245292785d484fc.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-steelseries.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit b17b436bd1781a43866931ce6b6ba2811882ade5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 22:08:33 2013 -0500

    add missing header
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/proc/proc_sysctl.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 45eefce5c5dc37368ed21d2b22a2d15973b7c06b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 22:04:55 2013 -0500

    Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/proc/proc_sysctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 804611c10dcd6e9486cf374fcbfb2053a80f918d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 17:50:21 2013 -0500

    remove unnecessary code/comments after new reload method
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c        |    4 ----
 grsecurity/gracl_policy.c |   13 -------------
 2 files changed, 0 insertions(+), 17 deletions(-)

commit 4aeb0dc39f03db1c2c55ebc0cb7797289948a872
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 16:05:01 2013 -0500

    Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then)
    
    Introduce new atomic RBAC reload method, developed as part of sponsorship
    by EIG
    
    This is accompanied by an updated 3.0 gradm which will use the new reload
    method when -R is passed to gradm.  The old method will still be available
    via gradm -r (which is what a 2.9.1 gradm will continue to use).
    
    The new RBAC reload method is atomic in the sense that at no point in the
    reload process will the system not be covered by a coherent full policy.
    In contrast to previous reload behavior, it also preserves inherited subjects
    and special roles.
    
    The old RBAC reload method has also been made atomic.  Both methods have
    been updated to perform role_allowed_ip checks only against the IP tagged
    to the task at the time its role was first applied or changed.  This resolves
    long-standing usability problems with the use of role_allowed_ip and matches
    the policies created by learning.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Makefile         |    2 +-
 grsecurity/gracl.c          | 3903 +++++++++++++------------------------------
 grsecurity/gracl_alloc.c    |   42 +-
 grsecurity/gracl_compat.c   |    3 +-
 grsecurity/gracl_policy.c   | 1838 ++++++++++++++++++++
 grsecurity/gracl_segv.c     |   12 +-
 grsecurity/grsec_disabled.c |    7 -
 grsecurity/grsec_init.c     |   15 -
 include/linux/gracl.h       |   43 +-
 include/linux/grinternal.h  |    1 -
 include/linux/grsecurity.h  |    1 -
 include/linux/sched.h       |    2 +
 12 files changed, 3082 insertions(+), 2787 deletions(-)

commit cdfd01e44815f0e0cb700b5597b3b2eb44352903
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 15:08:28 2013 -0500

    compile fix for recent GRKERNSEC_CHROOT_INITRD change
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 init/main.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit 3ac09de20b5b3967c77a59ed064cd05e607ecca8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 18:27:37 2013 -0500

    Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kmod.h |    3 +++
 kernel/kmod.c        |   13 +++++++++++++
 2 files changed, 16 insertions(+), 0 deletions(-)

commit 7fc979f0a8ffdc501b57e0c9c8b5251b8458d98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 17:20:15 2013 -0500

    Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention.
    
    Reported by acez on IRC
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/mm/fault.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 9b5ffb45694e2381a73275b029d1cde3ba090555
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:56:46 2013 -0500

    Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically.
    
    Conflicts:
    
        init/main.c
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig        |    2 +-
 grsecurity/grsec_chroot.c |    2 +-
 init/main.c               |   15 +++++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

commit 71ea2cc2fb940a4eaa6a4f6e5084efc91197bed1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:33:20 2013 -0500

    limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/kmod.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 36895fdbcf3b528221475a894076611c6340bc6f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:02:01 2013 -0500

    perform USERCOPY kernel text checks against the linear mapping on amd64 as well
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/exec.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 47474491a88a18956b3c23a0f8ea5a793aeaaf0b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 22 20:31:37 2013 -0500

    Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
    
    This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
    
    It caused errors with traceroute, reported to upstream and fixed with
    http://patchwork.ozlabs.org/patch/293614/
    But there's no reason for us to maintain this backport as we're
    already impervious to recvmsg/msg_name infoleaks
    
    Conflicts:
    
        net/ipv4/ping.c
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/ieee802154/dgram.c |    3 ++-
 net/ipv4/ping.c        |   11 +++++++++--
 net/ipv4/raw.c         |    4 +++-
 net/ipv4/udp.c         |    7 ++++++-
 net/ipv6/raw.c         |    4 +++-
 net/ipv6/udp.c         |    5 ++++-
 net/l2tp/l2tp_ip.c     |    4 +++-
 net/phonet/datagram.c  |    9 +++++----
 8 files changed, 35 insertions(+), 12 deletions(-)

commit 8aeb360164c3165b8d843b90776f92748cb0826f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:15:51 2013 -0500

    GRKERNSEC_HARDEN_IPC should depend on SYSVIPC
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 65982aa12f534a722a92dd211e9b2461cac099cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 19:07:11 2013 -0500

    Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/mm/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c07ac5819bfcbb29fe75896f409517acc95f09d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 19:01:59 2013 -0500

    Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
    
    Will let this sit in -test for a while to weed out any app incompatibilities
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig         |   17 +++++++++++++++++
 grsecurity/Makefile        |    2 +-
 grsecurity/grsec_init.c    |    4 ++++
 grsecurity/grsec_ipc.c     |   22 ++++++++++++++++++++++
 grsecurity/grsec_sysctl.c  |    9 +++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grmsg.h      |    1 +
 ipc/util.c                 |    5 +++++
 8 files changed, 60 insertions(+), 1 deletions(-)

commit 7a03cf3e714a075ce6d1b1c4e2cbe269968c32d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 11 10:48:10 2013 -0500

    Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/video/arcfb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1822dec9af44fef43a2092fbb98d986d40688e92
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 22:01:33 2013 -0500

    Add missing include
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/proc/proc_sysctl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 252aafc936113beb2c4b654c51ca4f69e34e7ece
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 17:50:12 2013 -0500

    add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/mm/Kconfig |    2 +-
 grsecurity/Kconfig  |   14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletions(-)

commit d91a8c0aac4fd7d52d861fa389d094b0dbe69d8b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 15:19:27 2013 -0500

    On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr.
    
    Thanks to acez from IRC for debugging.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 521a19248a7f3ae875854835be586208d7e94362
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 13:54:25 2013 -0500

    Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own
    
    This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
    networking
    
    Thanks to ncopa from IRC for testing
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/proc/proc_sysctl.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 88abc9f686cef116d741924e96c8264c6feeb280
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:23:36 2013 -0500

    Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
    
    Conflicts:
    
        security/Kconfig
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ca2e0bc771e1868a1b993013d725ab602d8e0454
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:19:21 2013 -0500

    change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence
    
    Conflicts:
    
        lib/list_debug.c
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 lib/list_debug.c |   65 ++++++++++++++++++++++++++++++++++-------------------
 1 files changed, 42 insertions(+), 23 deletions(-)

commit 9f9fda5bdad944095d49943719343439cebceb34
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue Oct 29 10:21:34 2013 -0700

    Fixed a little differently than Linus...
    
    Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
    
    Fix a few incorrectly checked [io_]remap_pfn_range() calls
    
    Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
    really should use the vm_iomap_memory() helper.  This trivially converts
    two of them to the helper, and comments about why the third one really
    needs to continue to use remap_pfn_range(), and adds the missing size
    check.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
    
    Conflicts:
    
        drivers/uio/uio.c
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/uio/uio.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 0f332bf501f3c2035c63fc3e58f07be9cc96924b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 27 21:06:17 2013 -0400

    Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_ip.c |    7 +++----
 net/socket.c          |   26 +++++++++++++++-----------
 2 files changed, 18 insertions(+), 15 deletions(-)

commit d6aeef5cb3bbaa011f74eb38133043965302cc32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 22 18:14:07 2013 -0400

    Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
    
    This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/netlink/genetlink.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit 02b18c56607ff93f00659ee100517bba70972aca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 15 09:19:21 2013 -0400

    remove unnecessary check from when protocol was signed
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/phonet/af_phonet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c8991fc98b032a2338b9fda708d2dad227fbcd83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 21:12:45 2013 -0400

    Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 lib/Kconfig.debug |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c63230b915355cea2649fac21c9469a8c3f88876
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 19:16:48 2013 -0400

    Fix a bad git merge, re-applied a previously reverted patch
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit 0dcfe7e8eac4751d2bbabc48fb63a0118bb353eb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:56:37 2013 -0400

    finish porting namei.c
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/namei.c |   12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

commit 89d5374f91319363bb79c916764c747f3229759c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:44:08 2013 -0400

    cred->user -> current_user()
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fefeb37bc66cf8e1b8c32a1f1e9776f6b701b245
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:36:24 2013 -0400

    Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit e4a184da44ae23ab3ee9e250d4bc38050e4a3533
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:36:23 2013 -0400

    fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit c96e77a4ec0b7045e4e3e8f6d33937c078a79cb6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:17:02 2013 -0400

    Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_sysctl.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 600c8f5a6a7b57e4ecbb16d10eab3bdfae399299
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 18:41:49 2013 -0400

    Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
    
    Also eliminate reset_security_ops() as a ROP target when
    SECURITY_SELINUX_DISABLE is disabled as it's the only user
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig        |   17 ++++++++++++++++-
 grsecurity/grsec_init.c   |    3 +++
 grsecurity/grsec_sysctl.c |    2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)

commit 979cb67c276ef34486ed64bb58ed30020bc8a53f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 17:11:11 2013 -0400

    fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_sysctl.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit d259a636db5500db5e3ddacab82857db244bf46f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:42:39 2013 -0400

    add export of gr_handle_new_usb()
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_usb.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 73872d212f992833add967be12de9628941bdd5b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 19:24:47 2013 -0400

    Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/usb/core/hub.c     |    5 +++++
 grsecurity/Kconfig         |   20 ++++++++++++++++++++
 grsecurity/Makefile        |    3 ++-
 grsecurity/grsec_init.c    |    1 +
 grsecurity/grsec_sysctl.c  |   11 +++++++++++
 grsecurity/grsec_usb.c     |   13 +++++++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grsecurity.h |    2 ++
 8 files changed, 55 insertions(+), 1 deletions(-)

commit 57a621395b231025d33da789f7593da0e9c591a4
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:14:34 2013 -0700

    HID: steelseries: validate output report details
    
    A HID device could send a malicious output report that would cause the
    steelseries HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
    ...
    [  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2891
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-steelseries.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 6261da1c18366e4b2e0ff28781e0a769a2d31d1b
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:21:23 2013 -0700

    HID: lenovo-tpkbd: validate output report details
    
    A HID device could send a malicious output report that would cause the
    lenovo-tpkbd HID driver to write just beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
    ...
    [   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2894
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-lenovo-tpkbd.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 9a7678270debd6b7c14ed1e91fb502d73bfaee08
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:11:32 2013 -0700

    HID: multitouch: validate feature report details
    
    When working on report indexes, always validate that they are in bounds.
    Without this, a HID device could report a malicious feature report that
    could trick the driver into a heap overflow:
    
    [  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
    ...
    [  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2897
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-multitouch.c |   25 ++++++++++++++++++++-----
 1 files changed, 20 insertions(+), 5 deletions(-)

commit efb7731d700d5b4568871670ac0841a84f003029
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 19 22:10:04 2013 -0400

    fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/x86/kernel/smpboot.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 3469d59da7f6bd0c5838764e5b06bad97193f628
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 12:00:20 2013 -0400

    make kallsyms_lookup_size_offset available to approved source files
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 03b91bfc983379670fd439b2b3fbec633ea6468d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:18:09 2013 -0400

    allow use of kallsyms_lookup_name to approved source files
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 2e9828b85e2ab096affe9e8b52cd68d7a0d8839d
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Aug 13 09:04:05 2013 +0200

    Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
    
    genetlink: fix family dump race
    
    When dumping generic netlink families, only the first dump call
    is locked with genl_lock(), which protects the list of families,
    and thus subsequent calls can access the data without locking,
    racing against family addition/removal. This can cause a crash.
    Fix it - the locking needs to be conditional because the first
    time around it's already locked.
    
    A similar bug was reported to me on an old kernel (3.4.47) but
    the exact scenario that happened there is no longer possible,
    on those kernels the first round wasn't locked either. Looking
    at the current code I found the race described above, which had
    also existed on the old kernel.
    
    Cc: stable@vger.kernel.org
    Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/netlink/genetlink.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit aeddd9080b145f520dfdba52e07ffe7ac5c2940a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 08:58:34 2013 -0400

    Fix two harmless compiler warnings
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/kernel/process.c |    4 ++--
 fs/exec.c                 |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 8953b010e785f55d35e96de6d7913b7e6791d9f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:46:01 2013 -0400

    Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    2 +-
 kernel/kprobes.c         |    3 +++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit 346b6fb51f351bc8a2e52c158794c863b88c730b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 10 09:41:40 2013 -0400

    propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/sparc/mm/hugetlbpage.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit 5a95c583a8e74e8b980ae810c3755d7490f9f208
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:58:42 2013 -0400

    Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit be64e6e8a615622f5c8b8feefdbae24dfe1eb13a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:26:40 2013 -0400

    Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
    
    Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
    user namespaces!
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/fork.c           |   17 -----------------
 kernel/user_namespace.c |   15 +++++++++++++++
 2 files changed, 15 insertions(+), 17 deletions(-)

commit bf41ff82977f5629d76e58b4eec76e78b6e0794c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 16:05:41 2013 -0400

    silence a warning on older gcc
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 80c4d845fa846426a226c1807310670fdc3f4fb9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 3 08:31:08 2013 -0400

    we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 29f82c7cc74a11260863cea855cb7bb7b79506db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:54:51 2013 -0400

    add include
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_log.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit b313d3d863fe87ecf4f79f61e9670955df66685e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:49:13 2013 -0400

    fix compilation
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/grinternal.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit e0b580d61744ac72ba2275fb5211de2bfc570058
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:34:35 2013 -0400

    Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/binfmt_elf.c            |   37 +++++++++++++++++++++++++++++++++++++
 fs/exec.c                  |    4 ++++
 grsecurity/Kconfig         |   21 +++++----------------
 grsecurity/grsec_init.c    |    4 ----
 grsecurity/grsec_log.c     |   14 ++++++++++++++
 grsecurity/grsec_pax.c     |   19 ++++++++++++++-----
 grsecurity/grsec_sysctl.c  |    9 ---------
 include/linux/binfmts.h    |    1 +
 include/linux/grinternal.h |    2 +-
 include/linux/grmsg.h      |    3 ++-
 include/linux/grsecurity.h |    3 ++-
 mm/mmap.c                  |    7 +++++++
 mm/mprotect.c              |    2 +-
 13 files changed, 88 insertions(+), 38 deletions(-)

commit 2860f00640ffc0745e102fc8eea1b4787747a34f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:52:02 2013 -0400

    add missing #define
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 271a28185b48e1c659c497837e26350f0b98b56b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:43:53 2013 -0400

    fix compilation for !COMPAT as reported on the forums
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |  195 ++++++++++++++++++++++++++--------------------------
 1 files changed, 97 insertions(+), 98 deletions(-)

commit c7b8b1a6d33fb9f2f33b6661d98ccf034bc4fa88
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:20 2013 -0400

    Revert "revert recent PaX change that causes boot failures with 32bit userland"
    
    This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit 506d84be8c4e9db0b655d3f6da2cec92482b610f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 16:26:58 2013 -0400

    compile fix for !COMPAT as mentioned on forums
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 7b7d053d1c9209c6810ee0e82d902d633df55114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:33:14 2013 -0400

    perform compat conversion of rlimit infinity
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit f9503913fa6c0b461e5a6c991eb04b8e369e0dd2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:21:40 2013 -0400

    remove debugging
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   44 +++++++++++---------------------------------
 1 files changed, 11 insertions(+), 33 deletions(-)

commit 4d203a112c51248189db81e89926ed2ccbbf3727
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:20:32 2013 -0400

    eliminate compat_dev_t
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/gracl_compat.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 98cc5ab35c0f012765475db240189e0d72e9e936
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:13:22 2013 -0400

    fix compat rlimit size
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c    |   68 +++++++++++++++++++++++++++++-------------
 include/linux/gracl_compat.h |    4 +-
 2 files changed, 49 insertions(+), 23 deletions(-)

commit aa8d1edbfb648b1b942996d59fa446fd830df989
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:20:18 2013 -0400

    compile fix
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 28b7a6a844d93d88bb83383bb6273cdc22c595ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:14:29 2013 -0400

    copy correct pointer size in new compat code
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c        |    8 ++++----
 grsecurity/gracl_compat.c |    4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 9490ca70e30846522d28b6f9ca7caf28cdb7b9e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:15:50 2013 -0400

    compile fix
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 5f7d6c7e7e4ef41577b73936595ed1f28649e9e9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:12:46 2013 -0400

    remove BUILD_BUG_ONs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   20 --------------------
 1 files changed, 0 insertions(+), 20 deletions(-)

commit 91c416711e2e713d870dc52ce17af0607a82cb75
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:18:36 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c    |    8 ++++----
 include/linux/gracl_compat.h |    2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 99cad551389634d849387cf5e2054d9aa2c1c1b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:16:42 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c        |    4 ++--
 grsecurity/gracl_compat.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 9ec58c4629d5aba15d09d4a740b83bf4cdb6da90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:13:51 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit dd368be2aef36cae4f997fc798087069fb64d442
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:11:03 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 8970e77a91e35ddac604cf96462c600651e94baa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:08:21 2013 -0400

    more compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   28 ++++++++++++++--------------
 1 files changed, 14 insertions(+), 14 deletions(-)

commit d5711d44bf668cdc5d29383e5e16ff884f1991ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:59:50 2013 -0400

    more compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit f9bf16c3f73ff249219c1a7d457f10b5f5448da1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:56:47 2013 -0400

    additional compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   59 +++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 49 insertions(+), 10 deletions(-)

commit afb88b8065edeb572c4d7992c6916d19a8bbc483
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:47:15 2013 -0400

    fix typo
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 981fbde7260e575f99c7c9fc83239fca752cb543
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:46:59 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   53 ++++++++++++++++++++++++++++++++++++++-------------
 1 files changed, 39 insertions(+), 14 deletions(-)

commit c3ebfc69b7c5c12f54ee8b2c34776c503eb825f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:22:44 2013 -0400

    Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
    
    Also removed code duplication for copying strings into the kernel
    
    Work performed as part of sponsorship
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Makefile          |    4 +
 grsecurity/gracl.c           |  315 +++++++++++++++++++++++-------------------
 grsecurity/gracl_compat.c    |  270 ++++++++++++++++++++++++++++++++++++
 include/linux/gracl_compat.h |  156 +++++++++++++++++++++
 4 files changed, 603 insertions(+), 142 deletions(-)

commit 5f3672544ae20bb1a595a849b304d1c168254e2b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 16 20:40:24 2013 -0400

    allow viewing of ecryptfs version under SYSFS_RESTRICT
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/sysfs/dir.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f892f6cf3070e516828ef6b81c39abdec77d7e93
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:49:17 2013 -0400

    Update PaX fix, just return the error
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/madvise.c |   11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

commit bacca56a4c5ce1734004a310588d710ab642c14d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:36:00 2013 -0400

    Fix madvise oops reported by Peter Keel
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/madvise.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit bb802e55264979a3517687cc4e3ea4043187a4d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 22:04:59 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/exec.c |    2 +-
 mm/mmap.c |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 80af0d78732fcd1345751765d6bdba75e4453096
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:15:10 2013 -0400

    Initial port of grsecurity to 3.11 using new git method
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    3 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   13 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    4 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/signal.c                           |    9 +-
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |    9 +-
 arch/x86/kernel/sys_x86_64.c                       |    8 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |    1 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  126 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/cdrom/cdrom.c                              |    2 +-
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   14 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    1 +
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2720 ++++++++------------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    3 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |   11 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  184 ++-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  218 ++-
 fs/namespace.c                                     |   16 +
 fs/open.c                                          |   38 +
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  166 ++-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |    4 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 grsecurity/Kconfig                                 |    2 +-
 grsecurity/gracl_fs.c                              |    6 +-
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/perf_event.h                         |   13 +-
 include/linux/printk.h                             |    3 +-
 include/linux/sched.h                              |   24 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   40 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 +-
 kernel/events/core.c                               |   14 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   64 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/locking/lockdep_proc.c                      |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    2 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    7 +
 kernel/printk/printk.c                             |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   69 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    1 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   63 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev_ioctl.c                               |    4 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    4 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netrom/af_netrom.c                             |    1 -
 net/phonet/af_phonet.c                             |    2 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  341 +++-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 229 files changed, 4100 insertions(+), 2025 deletions(-)

commit 75586073addae35174967d77e1b985e6b534e3f8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:57:40 2013 -0400

    Commit merge of new files and rejected patches
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/include/asm/thread_info.h     |    6 +-
 arch/arm/kernel/process.c              |    4 +-
 arch/powerpc/include/asm/thread_info.h |    7 +-
 arch/powerpc/mm/slice.c                |    2 +-
 arch/sparc/kernel/process_64.c         |    4 +-
 arch/x86/kernel/vm86_32.c              |   15 +
 fs/coredump.c                          |    1 +
 fs/ext4/balloc.c                       |    4 +-
 fs/namei.c                             |    7 +
 fs/namespace.c                         |    8 +
 fs/pipe.c                              |    2 +-
 fs/proc/inode.c                        |   13 +
 fs/proc/internal.h                     |    3 +
 grsecurity/Kconfig                     | 1054 +++++++++
 grsecurity/Makefile                    |   38 +
 grsecurity/gracl.c                     | 4073 ++++++++++++++++++++++++++++++++
 grsecurity/gracl_alloc.c               |  105 +
 grsecurity/gracl_cap.c                 |  110 +
 grsecurity/gracl_fs.c                  |  431 ++++
 grsecurity/gracl_ip.c                  |  387 +++
 grsecurity/gracl_learn.c               |  207 ++
 grsecurity/gracl_res.c                 |   68 +
 grsecurity/gracl_segv.c                |  305 +++
 grsecurity/gracl_shm.c                 |   40 +
 grsecurity/grsec_chdir.c               |   19 +
 grsecurity/grsec_chroot.c              |  370 +++
 grsecurity/grsec_disabled.c            |  434 ++++
 grsecurity/grsec_exec.c                |  187 ++
 grsecurity/grsec_fifo.c                |   24 +
 grsecurity/grsec_fork.c                |   23 +
 grsecurity/grsec_init.c                |  283 +++
 grsecurity/grsec_link.c                |   58 +
 grsecurity/grsec_log.c                 |  326 +++
 grsecurity/grsec_mem.c                 |   40 +
 grsecurity/grsec_mount.c               |   62 +
 grsecurity/grsec_pax.c                 |   36 +
 grsecurity/grsec_ptrace.c              |   30 +
 grsecurity/grsec_sig.c                 |  246 ++
 grsecurity/grsec_sock.c                |  244 ++
 grsecurity/grsec_sysctl.c              |  469 ++++
 grsecurity/grsec_time.c                |   16 +
 grsecurity/grsec_tpe.c                 |   73 +
 grsecurity/grsum.c                     |   61 +
 include/linux/gracl.h                  |  319 +++
 include/linux/gralloc.h                |    9 +
 include/linux/grdefs.h                 |  140 ++
 include/linux/grinternal.h             |  227 ++
 include/linux/grmsg.h                  |  112 +
 include/linux/grsecurity.h             |  241 ++
 include/linux/grsock.h                 |   19 +
 include/linux/netfilter/xt_gradm.h     |    9 +
 include/linux/proc_fs.h                |   13 +
 include/linux/sched.h                  |   48 +-
 include/trace/events/fs.h              |   53 +
 kernel/kmod.c                          |    7 +-
 kernel/panic.c                         |    2 +-
 kernel/posix-timers.c                  |    1 +
 kernel/time/timekeeping.c              |    2 +
 lib/Kconfig.debug                      |    2 +-
 lib/vsprintf.c                         |   31 +
 localversion-grsec                     |    1 +
 mm/mmap.c                              |   13 +-
 mm/shmem.c                             |    2 +-
 net/core/net-procfs.c                  |    5 +
 net/ipv6/udp.c                         |    3 +
 net/netfilter/xt_gradm.c               |   51 +
 66 files changed, 11184 insertions(+), 21 deletions(-)

commit 0100435c11a01cfbedea13ac5aebd38fb03309b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 17:32:18 2014 -0500

    Initial import of pax-linux-3.13-test2.patch

 Documentation/dontdiff                             |   47 +-
 Documentation/kernel-parameters.txt                |   23 +
 Makefile                                           |  102 +-
 arch/alpha/include/asm/atomic.h                    |   10 +
 arch/alpha/include/asm/elf.h                       |    7 +
 arch/alpha/include/asm/pgalloc.h                   |    6 +
 arch/alpha/include/asm/pgtable.h                   |   11 +
 arch/alpha/kernel/module.c                         |    2 +-
 arch/alpha/kernel/osf_sys.c                        |    8 +-
 arch/alpha/mm/fault.c                              |  141 +-
 arch/arm/Kconfig                                   |    2 +-
 arch/arm/include/asm/atomic.h                      |  442 ++-
 arch/arm/include/asm/cache.h                       |    5 +-
 arch/arm/include/asm/cacheflush.h                  |    2 +-
 arch/arm/include/asm/checksum.h                    |   14 +-
 arch/arm/include/asm/cmpxchg.h                     |    2 +
 arch/arm/include/asm/domain.h                      |   33 +-
 arch/arm/include/asm/elf.h                         |   13 +-
 arch/arm/include/asm/fncpy.h                       |    2 +
 arch/arm/include/asm/futex.h                       |   10 +
 arch/arm/include/asm/kmap_types.h                  |    2 +-
 arch/arm/include/asm/mach/dma.h                    |    2 +-
 arch/arm/include/asm/mach/map.h                    |    7 +-
 arch/arm/include/asm/outercache.h                  |    2 +-
 arch/arm/include/asm/page.h                        |    2 +-
 arch/arm/include/asm/pgalloc.h                     |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h        |    5 +
 arch/arm/include/asm/pgtable-2level.h              |    3 +
 arch/arm/include/asm/pgtable-3level-hwdef.h        |    1 +
 arch/arm/include/asm/pgtable-3level.h              |    2 +
 arch/arm/include/asm/pgtable.h                     |   54 +-
 arch/arm/include/asm/proc-fns.h                    |    2 +-
 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/include/asm/smp.h                         |    2 +-
 arch/arm/include/asm/thread_info.h                 |    6 +-
 arch/arm/include/asm/uaccess.h                     |   95 +-
 arch/arm/include/uapi/asm/ptrace.h                 |    2 +-
 arch/arm/kernel/armksyms.c                         |    8 +-
 arch/arm/kernel/entry-armv.S                       |  110 +-
 arch/arm/kernel/entry-common.S                     |   40 +-
 arch/arm/kernel/entry-header.S                     |   60 +
 arch/arm/kernel/fiq.c                              |    3 +
 arch/arm/kernel/head.S                             |    6 +-
 arch/arm/kernel/module.c                           |   31 +-
 arch/arm/kernel/patch.c                            |    2 +
 arch/arm/kernel/process.c                          |   42 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/arm/kernel/setup.c                            |   22 +-
 arch/arm/kernel/signal.c                           |   35 +-
 arch/arm/kernel/smp.c                              |    2 +-
 arch/arm/kernel/traps.c                            |    8 +-
 arch/arm/kernel/vmlinux.lds.S                      |   24 +-
 arch/arm/kvm/arm.c                                 |    8 +-
 arch/arm/lib/clear_user.S                          |    6 +-
 arch/arm/lib/copy_from_user.S                      |    6 +-
 arch/arm/lib/copy_page.S                           |    1 +
 arch/arm/lib/copy_to_user.S                        |    6 +-
 arch/arm/lib/csumpartialcopyuser.S                 |    4 +-
 arch/arm/lib/delay.c                               |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c                 |    4 +-
 arch/arm/mach-kirkwood/common.c                    |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                   |    2 +-
 arch/arm/mach-omap2/gpmc.c                         |   22 +-
 arch/arm/mach-omap2/omap-mpuss-lowpower.c          |    4 +-
 arch/arm/mach-omap2/omap-wakeupgen.c               |    2 +-
 arch/arm/mach-omap2/omap_device.c                  |    4 +-
 arch/arm/mach-omap2/omap_device.h                  |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                   |    4 +-
 arch/arm/mach-omap2/wd_timer.c                     |    6 +-
 arch/arm/mach-tegra/cpuidle-tegra20.c              |    2 +-
 arch/arm/mach-ux500/setup.h                        |    7 -
 arch/arm/mm/Kconfig                                |    6 +-
 arch/arm/mm/alignment.c                            |    8 +
 arch/arm/mm/cache-l2x0.c                           |    2 +-
 arch/arm/mm/context.c                              |   10 +-
 arch/arm/mm/fault.c                                |  140 +
 arch/arm/mm/fault.h                                |   12 +
 arch/arm/mm/init.c                                 |   41 +
 arch/arm/mm/ioremap.c                              |    4 +-
 arch/arm/mm/mmap.c                                 |   30 +-
 arch/arm/mm/mmu.c                                  |  185 +-
 arch/arm/plat-omap/sram.c                          |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h       |    2 +-
 arch/avr32/include/asm/elf.h                       |    8 +-
 arch/avr32/include/asm/kmap_types.h                |    4 +-
 arch/avr32/mm/fault.c                              |   27 +
 arch/frv/include/asm/atomic.h                      |   10 +
 arch/frv/include/asm/kmap_types.h                  |    2 +-
 arch/frv/mm/elf-fdpic.c                            |    3 +-
 arch/ia64/include/asm/atomic.h                     |   10 +
 arch/ia64/include/asm/elf.h                        |    7 +
 arch/ia64/include/asm/pgalloc.h                    |   12 +
 arch/ia64/include/asm/pgtable.h                    |   13 +-
 arch/ia64/include/asm/spinlock.h                   |    2 +-
 arch/ia64/include/asm/uaccess.h                    |   26 +-
 arch/ia64/kernel/module.c                          |   48 +-
 arch/ia64/kernel/palinfo.c                         |    2 +-
 arch/ia64/kernel/sys_ia64.c                        |    7 +
 arch/ia64/kernel/vmlinux.lds.S                     |    2 +-
 arch/ia64/mm/fault.c                               |   32 +-
 arch/ia64/mm/init.c                                |   13 +
 arch/m32r/lib/usercopy.c                           |    6 +
 arch/mips/include/asm/atomic.h                     |  728 +++-
 arch/mips/include/asm/elf.h                        |   11 +-
 arch/mips/include/asm/exec.h                       |    2 +-
 arch/mips/include/asm/local.h                      |   57 +
 arch/mips/include/asm/page.h                       |    2 +-
 arch/mips/include/asm/pgalloc.h                    |    5 +
 arch/mips/include/asm/smtc_proc.h                  |    2 +-
 arch/mips/kernel/binfmt_elfn32.c                   |    7 +
 arch/mips/kernel/binfmt_elfo32.c                   |    7 +
 arch/mips/kernel/irq.c                             |    6 +-
 arch/mips/kernel/process.c                         |   12 -
 arch/mips/kernel/smtc-proc.c                       |    6 +-
 arch/mips/kernel/smtc.c                            |    2 +-
 arch/mips/kernel/sync-r4k.c                        |   24 +-
 arch/mips/kernel/traps.c                           |   13 +-
 arch/mips/mm/fault.c                               |   25 +
 arch/mips/mm/mmap.c                                |   51 +-
 arch/mips/sgi-ip27/ip27-nmi.c                      |    6 +-
 arch/parisc/include/asm/atomic.h                   |   10 +
 arch/parisc/include/asm/elf.h                      |    7 +
 arch/parisc/include/asm/pgalloc.h                  |    6 +
 arch/parisc/include/asm/pgtable.h                  |   11 +
 arch/parisc/include/asm/uaccess.h                  |    4 +-
 arch/parisc/kernel/module.c                        |   50 +-
 arch/parisc/kernel/sys_parisc.c                    |    9 +-
 arch/parisc/kernel/traps.c                         |    4 +-
 arch/parisc/mm/fault.c                             |  140 +-
 arch/powerpc/include/asm/atomic.h                  |   10 +
 arch/powerpc/include/asm/elf.h                     |   19 +-
 arch/powerpc/include/asm/exec.h                    |    2 +-
 arch/powerpc/include/asm/kmap_types.h              |    2 +-
 arch/powerpc/include/asm/mman.h                    |    2 +-
 arch/powerpc/include/asm/page.h                    |    8 +-
 arch/powerpc/include/asm/page_64.h                 |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h              |    7 +
 arch/powerpc/include/asm/pgtable.h                 |    1 +
 arch/powerpc/include/asm/pte-hash32.h              |    1 +
 arch/powerpc/include/asm/reg.h                     |    1 +
 arch/powerpc/include/asm/smp.h                     |    2 +-
 arch/powerpc/include/asm/uaccess.h                 |  140 +-
 arch/powerpc/kernel/exceptions-64e.S               |    4 +-
 arch/powerpc/kernel/exceptions-64s.S               |    2 +-
 arch/powerpc/kernel/module_32.c                    |   15 +-
 arch/powerpc/kernel/process.c                      |   55 -
 arch/powerpc/kernel/signal_32.c                    |    2 +-
 arch/powerpc/kernel/signal_64.c                    |    2 +-
 arch/powerpc/kernel/vdso.c                         |    5 +-
 arch/powerpc/lib/usercopy_64.c                     |   18 -
 arch/powerpc/mm/fault.c                            |   54 +-
 arch/powerpc/mm/mmap.c                             |   16 +
 arch/powerpc/mm/slice.c                            |   13 +-
 arch/powerpc/platforms/cell/spufs/file.c           |    4 +-
 arch/s390/include/asm/atomic.h                     |   10 +
 arch/s390/include/asm/elf.h                        |   13 +-
 arch/s390/include/asm/exec.h                       |    2 +-
 arch/s390/include/asm/uaccess.h                    |   15 +-
 arch/s390/kernel/module.c                          |   22 +-
 arch/s390/kernel/process.c                         |   36 -
 arch/s390/mm/mmap.c                                |   24 +
 arch/score/include/asm/exec.h                      |    2 +-
 arch/score/kernel/process.c                        |    5 -
 arch/sh/mm/mmap.c                                  |   22 +-
 arch/sparc/include/asm/atomic_64.h                 |  106 +-
 arch/sparc/include/asm/cache.h                     |    2 +-
 arch/sparc/include/asm/elf_32.h                    |    7 +
 arch/sparc/include/asm/elf_64.h                    |    7 +
 arch/sparc/include/asm/pgalloc_32.h                |    1 +
 arch/sparc/include/asm/pgalloc_64.h                |    1 +
 arch/sparc/include/asm/pgtable_32.h                |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                  |    5 +
 arch/sparc/include/asm/spinlock_64.h               |   35 +-
 arch/sparc/include/asm/thread_info_32.h            |    2 +
 arch/sparc/include/asm/thread_info_64.h            |    2 +
 arch/sparc/include/asm/uaccess.h                   |    1 +
 arch/sparc/include/asm/uaccess_32.h                |   27 +-
 arch/sparc/include/asm/uaccess_64.h                |   19 +-
 arch/sparc/kernel/Makefile                         |    2 +-
 arch/sparc/kernel/prom_common.c                    |    2 +-
 arch/sparc/kernel/smp_64.c                         |   12 +-
 arch/sparc/kernel/sys_sparc_32.c                   |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                   |   52 +-
 arch/sparc/kernel/traps_64.c                       |   27 +-
 arch/sparc/lib/Makefile                            |    2 +-
 arch/sparc/lib/atomic_64.S                         |  136 +-
 arch/sparc/lib/ksyms.c                             |    6 +
 arch/sparc/mm/Makefile                             |    2 +-
 arch/sparc/mm/fault_32.c                           |  292 +
 arch/sparc/mm/fault_64.c                           |  486 ++
 arch/sparc/mm/hugetlbpage.c                        |   21 +-
 arch/sparc/mm/init_64.c                            |   10 +-
 arch/tile/include/asm/atomic_64.h                  |   10 +
 arch/tile/include/asm/uaccess.h                    |    4 +-
 arch/um/Makefile                                   |    4 +
 arch/um/include/asm/kmap_types.h                   |    2 +-
 arch/um/include/asm/page.h                         |    3 +
 arch/um/include/asm/pgtable-3level.h               |    1 +
 arch/um/kernel/process.c                           |   16 -
 arch/x86/Kconfig                                   |   10 +-
 arch/x86/Kconfig.cpu                               |    6 +-
 arch/x86/Kconfig.debug                             |    4 +-
 arch/x86/Makefile                                  |   16 +-
 arch/x86/boot/Makefile                             |    3 +
 arch/x86/boot/bitops.h                             |    4 +-
 arch/x86/boot/boot.h                               |    4 +-
 arch/x86/boot/compressed/Makefile                  |    3 +
 arch/x86/boot/compressed/efi_stub_32.S             |   16 +-
 arch/x86/boot/compressed/head_32.S                 |    2 +-
 arch/x86/boot/compressed/head_64.S                 |    8 +-
 arch/x86/boot/compressed/misc.c                    |    6 +-
 arch/x86/boot/cpucheck.c                           |   28 +-
 arch/x86/boot/header.S                             |    6 +-
 arch/x86/boot/memory.c                             |    2 +-
 arch/x86/boot/video-vesa.c                         |    1 +
 arch/x86/boot/video.c                              |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S                |    4 +
 arch/x86/crypto/aesni-intel_asm.S                  |  106 +-
 arch/x86/crypto/blowfish-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/camellia-aesni-avx-asm_64.S        |   10 +
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S       |   10 +
 arch/x86/crypto/camellia-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S          |   51 +-
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S          |   25 +-
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S          |    2 +
 arch/x86/crypto/ghash-clmulni-intel_asm.S          |    5 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S            |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/serpent-avx2-asm_64.S              |    9 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S       |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                   |   10 +-
 arch/x86/crypto/sha256-avx-asm.S                   |    2 +
 arch/x86/crypto/sha256-avx2-asm.S                  |    2 +
 arch/x86/crypto/sha256-ssse3-asm.S                 |    2 +
 arch/x86/crypto/sha512-avx-asm.S                   |    2 +
 arch/x86/crypto/sha512-avx2-asm.S                  |    2 +
 arch/x86/crypto/sha512-ssse3-asm.S                 |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S        |   25 +-
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S       |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S            |    3 +
 arch/x86/ia32/ia32_signal.c                        |   14 +-
 arch/x86/ia32/ia32entry.S                          |  173 +-
 arch/x86/ia32/sys_ia32.c                           |    4 +-
 arch/x86/include/asm/alternative-asm.h             |   39 +
 arch/x86/include/asm/alternative.h                 |    4 +-
 arch/x86/include/asm/apic.h                        |    2 +-
 arch/x86/include/asm/apm.h                         |    4 +-
 arch/x86/include/asm/atomic.h                      |  269 +-
 arch/x86/include/asm/atomic64_32.h                 |  100 +
 arch/x86/include/asm/atomic64_64.h                 |  166 +-
 arch/x86/include/asm/bitops.h                      |   18 +-
 arch/x86/include/asm/boot.h                        |    7 +-
 arch/x86/include/asm/cache.h                       |    5 +-
 arch/x86/include/asm/cacheflush.h                  |    2 +-
 arch/x86/include/asm/calling.h                     |  118 +-
 arch/x86/include/asm/checksum_32.h                 |   12 +-
 arch/x86/include/asm/cmpxchg.h                     |   35 +
 arch/x86/include/asm/compat.h                      |    2 +-
 arch/x86/include/asm/cpufeature.h                  |   16 +-
 arch/x86/include/asm/desc.h                        |   78 +-
 arch/x86/include/asm/desc_defs.h                   |    6 +
 arch/x86/include/asm/div64.h                       |    2 +-
 arch/x86/include/asm/elf.h                         |   31 +-
 arch/x86/include/asm/emergency-restart.h           |    2 +-
 arch/x86/include/asm/fpu-internal.h                |    8 +-
 arch/x86/include/asm/futex.h                       |   20 +-
 arch/x86/include/asm/hw_irq.h                      |    4 +-
 arch/x86/include/asm/i8259.h                       |    2 +-
 arch/x86/include/asm/io.h                          |   21 +-
 arch/x86/include/asm/irqflags.h                    |    5 +
 arch/x86/include/asm/kprobes.h                     |    9 +-
 arch/x86/include/asm/local.h                       |  106 +-
 arch/x86/include/asm/mman.h                        |   15 +
 arch/x86/include/asm/mmu.h                         |   16 +-
 arch/x86/include/asm/mmu_context.h                 |  136 +-
 arch/x86/include/asm/module.h                      |   17 +-
 arch/x86/include/asm/nmi.h                         |    6 +-
 arch/x86/include/asm/page.h                        |    1 +
 arch/x86/include/asm/page_64.h                     |    4 +-
 arch/x86/include/asm/paravirt.h                    |   46 +-
 arch/x86/include/asm/paravirt_types.h              |   15 +-
 arch/x86/include/asm/pgalloc.h                     |   23 +
 arch/x86/include/asm/pgtable-2level.h              |    2 +
 arch/x86/include/asm/pgtable-3level.h              |    4 +
 arch/x86/include/asm/pgtable.h                     |  124 +-
 arch/x86/include/asm/pgtable_32.h                  |   14 +-
 arch/x86/include/asm/pgtable_32_types.h            |   15 +-
 arch/x86/include/asm/pgtable_64.h                  |   19 +-
 arch/x86/include/asm/pgtable_64_types.h            |    5 +
 arch/x86/include/asm/pgtable_types.h               |   36 +-
 arch/x86/include/asm/preempt.h                     |    2 +-
 arch/x86/include/asm/processor.h                   |   79 +-
 arch/x86/include/asm/ptrace.h                      |   26 +-
 arch/x86/include/asm/realmode.h                    |    4 +-
 arch/x86/include/asm/reboot.h                      |   10 +-
 arch/x86/include/asm/rmwcc.h                       |   84 +-
 arch/x86/include/asm/rwsem.h                       |   60 +-
 arch/x86/include/asm/segment.h                     |   29 +-
 arch/x86/include/asm/smap.h                        |   64 +-
 arch/x86/include/asm/smp.h                         |   14 +-
 arch/x86/include/asm/spinlock.h                    |   36 +-
 arch/x86/include/asm/stackprotector.h              |    4 +-
 arch/x86/include/asm/stacktrace.h                  |   32 +-
 arch/x86/include/asm/switch_to.h                   |    4 +-
 arch/x86/include/asm/thread_info.h                 |   83 +-
 arch/x86/include/asm/tlbflush.h                    |   74 +-
 arch/x86/include/asm/uaccess.h                     |  162 +-
 arch/x86/include/asm/uaccess_32.h                  |   24 +-
 arch/x86/include/asm/uaccess_64.h                  |  177 +-
 arch/x86/include/asm/word-at-a-time.h              |    2 +-
 arch/x86/include/asm/x86_init.h                    |   10 +-
 arch/x86/include/asm/xen/page.h                    |    2 +-
 arch/x86/include/asm/xsave.h                       |   14 +-
 arch/x86/include/uapi/asm/e820.h                   |    2 +-
 arch/x86/include/uapi/asm/ptrace-abi.h             |    1 -
 arch/x86/kernel/Makefile                           |    2 +-
 arch/x86/kernel/acpi/boot.c                        |    4 +-
 arch/x86/kernel/acpi/sleep.c                       |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                   |    6 +-
 arch/x86/kernel/alternative.c                      |   69 +-
 arch/x86/kernel/apic/apic.c                        |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c                |    4 +-
 arch/x86/kernel/apic/apic_noop.c                   |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                   |    2 +-
 arch/x86/kernel/apic/es7000_32.c                   |    5 +-
 arch/x86/kernel/apic/io_apic.c                     |    8 +-
 arch/x86/kernel/apic/numaq_32.c                    |    3 +-
 arch/x86/kernel/apic/probe_32.c                    |    2 +-
 arch/x86/kernel/apic/summit_32.c                   |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c              |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c                 |    2 +-
 arch/x86/kernel/apm_32.c                           |   19 +-
 arch/x86/kernel/asm-offsets.c                      |   20 +
 arch/x86/kernel/asm-offsets_64.c                   |    1 +
 arch/x86/kernel/cpu/Makefile                       |    4 -
 arch/x86/kernel/cpu/amd.c                          |    2 +-
 arch/x86/kernel/cpu/common.c                       |  132 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c              |   48 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |   31 +-
 arch/x86/kernel/cpu/mcheck/p5.c                    |    3 +
 arch/x86/kernel/cpu/mcheck/winchip.c               |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                    |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                    |    2 +-
 arch/x86/kernel/cpu/perf_event.c                   |    8 +-
 arch/x86/kernel/cpu/perf_event_amd_iommu.c         |    2 +-
 arch/x86/kernel/cpu/perf_event_intel.c             |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c      |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h      |    2 +-
 arch/x86/kernel/cpuid.c                            |    2 +-
 arch/x86/kernel/crash.c                            |    4 +-
 arch/x86/kernel/crash_dump_64.c                    |    2 +-
 arch/x86/kernel/doublefault.c                      |    8 +-
 arch/x86/kernel/dumpstack.c                        |   30 +-
 arch/x86/kernel/dumpstack_32.c                     |   34 +-
 arch/x86/kernel/dumpstack_64.c                     |   61 +-
 arch/x86/kernel/e820.c                             |    4 +-
 arch/x86/kernel/early_printk.c                     |    1 +
 arch/x86/kernel/entry_32.S                         |  356 ++-
 arch/x86/kernel/entry_64.S                         |  736 +++-
 arch/x86/kernel/ftrace.c                           |   14 +-
 arch/x86/kernel/head64.c                           |   13 +-
 arch/x86/kernel/head_32.S                          |  228 +-
 arch/x86/kernel/head_64.S                          |  136 +-
 arch/x86/kernel/i386_ksyms_32.c                    |   12 +
 arch/x86/kernel/i387.c                             |    2 +-
 arch/x86/kernel/i8259.c                            |   10 +-
 arch/x86/kernel/io_delay.c                         |    2 +-
 arch/x86/kernel/ioport.c                           |    2 +-
 arch/x86/kernel/irq.c                              |    8 +-
 arch/x86/kernel/irq_32.c                           |   67 +-
 arch/x86/kernel/irq_64.c                           |    2 +-
 arch/x86/kernel/jump_label.c                       |    8 +-
 arch/x86/kernel/kgdb.c                             |   25 +-
 arch/x86/kernel/kprobes/core.c                     |   30 +-
 arch/x86/kernel/kprobes/opt.c                      |   16 +-
 arch/x86/kernel/ldt.c                              |   31 +-
 arch/x86/kernel/machine_kexec_32.c                 |    6 +-
 arch/x86/kernel/microcode_core.c                   |    2 +-
 arch/x86/kernel/microcode_intel.c                  |    4 +-
 arch/x86/kernel/module.c                           |   76 +-
 arch/x86/kernel/msr.c                              |    2 +-
 arch/x86/kernel/nmi.c                              |   19 +-
 arch/x86/kernel/nmi_selftest.c                     |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c               |    2 +-
 arch/x86/kernel/paravirt.c                         |   43 +-
 arch/x86/kernel/pci-calgary_64.c                   |    2 +-
 arch/x86/kernel/pci-iommu_table.c                  |    2 +-
 arch/x86/kernel/pci-swiotlb.c                      |    2 +-
 arch/x86/kernel/process.c                          |   55 +-
 arch/x86/kernel/process_32.c                       |   29 +-
 arch/x86/kernel/process_64.c                       |   20 +-
 arch/x86/kernel/ptrace.c                           |   25 +-
 arch/x86/kernel/pvclock.c                          |    8 +-
 arch/x86/kernel/reboot.c                           |   42 +-
 arch/x86/kernel/reboot_fixups_32.c                 |    2 +-
 arch/x86/kernel/relocate_kernel_64.S               |    5 +-
 arch/x86/kernel/setup.c                            |   63 +-
 arch/x86/kernel/setup_percpu.c                     |   29 +-
 arch/x86/kernel/signal.c                           |   15 +-
 arch/x86/kernel/smp.c                              |    2 +-
 arch/x86/kernel/smpboot.c                          |   28 +-
 arch/x86/kernel/step.c                             |   10 +-
 arch/x86/kernel/sys_i386_32.c                      |  184 +
 arch/x86/kernel/sys_x86_64.c                       |   22 +-
 arch/x86/kernel/tboot.c                            |   12 +-
 arch/x86/kernel/time.c                             |   10 +-
 arch/x86/kernel/tls.c                              |    7 +-
 arch/x86/kernel/tracepoint.c                       |    4 +-
 arch/x86/kernel/traps.c                            |   62 +-
 arch/x86/kernel/uprobes.c                          |    4 +-
 arch/x86/kernel/vm86_32.c                          |    6 +-
 arch/x86/kernel/vmlinux.lds.S                      |  147 +-
 arch/x86/kernel/vsyscall_64.c                      |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                   |    6 +-
 arch/x86/kernel/x86_init.c                         |    6 +-
 arch/x86/kernel/xsave.c                            |    2 +
 arch/x86/kvm/cpuid.c                               |   21 +-
 arch/x86/kvm/lapic.c                               |    2 +-
 arch/x86/kvm/paging_tmpl.h                         |    2 +-
 arch/x86/kvm/svm.c                                 |    8 +
 arch/x86/kvm/vmx.c                                 |   63 +-
 arch/x86/kvm/x86.c                                 |    8 +-
 arch/x86/lguest/boot.c                             |    3 +-
 arch/x86/lib/atomic64_386_32.S                     |  164 +
 arch/x86/lib/atomic64_cx8_32.S                     |  103 +-
 arch/x86/lib/checksum_32.S                         |  100 +-
 arch/x86/lib/clear_page_64.S                       |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                      |    2 +
 arch/x86/lib/copy_page_64.S                        |   20 +-
 arch/x86/lib/copy_user_64.S                        |   81 +-
 arch/x86/lib/copy_user_nocache_64.S                |   14 +
 arch/x86/lib/csum-copy_64.S                        |   18 +-
 arch/x86/lib/csum-wrappers_64.c                    |    8 +-
 arch/x86/lib/getuser.S                             |   74 +-
 arch/x86/lib/insn.c                                |    6 +-
 arch/x86/lib/iomap_copy_64.S                       |    2 +
 arch/x86/lib/memcpy_64.S                           |   10 +-
 arch/x86/lib/memmove_64.S                          |    4 +-
 arch/x86/lib/memset_64.S                           |    7 +-
 arch/x86/lib/mmx_32.c                              |  243 +-
 arch/x86/lib/msr-reg.S                             |    2 +
 arch/x86/lib/putuser.S                             |   90 +-
 arch/x86/lib/rwlock.S                              |   42 +
 arch/x86/lib/rwsem.S                               |    6 +-
 arch/x86/lib/thunk_64.S                            |   12 +-
 arch/x86/lib/usercopy_32.c                         |  357 +-
 arch/x86/lib/usercopy_64.c                         |   18 +-
 arch/x86/mm/Makefile                               |    4 +
 arch/x86/mm/extable.c                              |   25 +-
 arch/x86/mm/fault.c                                |  564 ++-
 arch/x86/mm/gup.c                                  |    6 +-
 arch/x86/mm/highmem_32.c                           |    4 +
 arch/x86/mm/hugetlbpage.c                          |   30 +-
 arch/x86/mm/init.c                                 |  101 +-
 arch/x86/mm/init_32.c                              |  111 +-
 arch/x86/mm/init_64.c                              |   45 +-
 arch/x86/mm/iomap_32.c                             |    4 +
 arch/x86/mm/ioremap.c                              |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                  |    4 +-
 arch/x86/mm/mmap.c                                 |   36 +-
 arch/x86/mm/mmio-mod.c                             |   10 +-
 arch/x86/mm/numa.c                                 |    2 +-
 arch/x86/mm/pageattr-test.c                        |    2 +-
 arch/x86/mm/pageattr.c                             |   33 +-
 arch/x86/mm/pat.c                                  |   12 +-
 arch/x86/mm/pat_rbtree.c                           |    2 +-
 arch/x86/mm/pf_in.c                                |   10 +-
 arch/x86/mm/pgtable.c                              |  151 +-
 arch/x86/mm/pgtable_32.c                           |    3 +
 arch/x86/mm/physaddr.c                             |    4 +-
 arch/x86/mm/setup_nx.c                             |    7 +
 arch/x86/mm/tlb.c                                  |    4 +
 arch/x86/mm/uderef_64.c                            |   37 +
 arch/x86/net/bpf_jit.S                             |   14 +
 arch/x86/net/bpf_jit_comp.c                        |   38 +-
 arch/x86/oprofile/backtrace.c                      |    8 +-
 arch/x86/oprofile/nmi_int.c                        |    8 +-
 arch/x86/oprofile/op_model_amd.c                   |    8 +-
 arch/x86/oprofile/op_model_ppro.c                  |    7 +-
 arch/x86/oprofile/op_x86_model.h                   |    2 +-
 arch/x86/pci/intel_mid_pci.c                       |    2 +-
 arch/x86/pci/irq.c                                 |    8 +-
 arch/x86/pci/pcbios.c                              |  144 +-
 arch/x86/platform/efi/efi_32.c                     |   24 +
 arch/x86/platform/efi/efi_64.c                     |   10 +
 arch/x86/platform/efi/efi_stub_32.S                |   64 +-
 arch/x86/platform/efi/efi_stub_64.S                |    8 +
 arch/x86/platform/intel-mid/intel-mid.c            |    3 +-
 arch/x86/platform/olpc/olpc_dt.c                   |    2 +-
 arch/x86/power/cpu.c                               |   11 +-
 arch/x86/realmode/init.c                           |   10 +-
 arch/x86/realmode/rm/Makefile                      |    3 +
 arch/x86/realmode/rm/header.S                      |    4 +-
 arch/x86/realmode/rm/trampoline_32.S               |   12 +-
 arch/x86/realmode/rm/trampoline_64.S               |    3 +-
 arch/x86/tools/Makefile                            |    2 +-
 arch/x86/tools/relocs.c                            |   94 +-
 arch/x86/um/tls_32.c                               |    2 +-
 arch/x86/vdso/Makefile                             |    2 +-
 arch/x86/vdso/vdso32-setup.c                       |   23 +-
 arch/x86/vdso/vma.c                                |   29 +-
 arch/x86/xen/enlighten.c                           |   45 +-
 arch/x86/xen/mmu.c                                 |   11 +-
 arch/x86/xen/smp.c                                 |   21 +-
 arch/x86/xen/xen-asm_32.S                          |   12 +-
 arch/x86/xen/xen-head.S                            |   11 +
 arch/x86/xen/xen-ops.h                             |    2 -
 block/blk-cgroup.c                                 |    4 +-
 block/blk-iopoll.c                                 |    2 +-
 block/blk-map.c                                    |    2 +-
 block/blk-softirq.c                                |    2 +-
 block/bsg.c                                        |   12 +-
 block/compat_ioctl.c                               |    2 +-
 block/genhd.c                                      |    9 +-
 block/partitions/efi.c                             |    8 +-
 block/scsi_ioctl.c                                 |   29 +-
 crypto/cryptd.c                                    |    4 +-
 crypto/pcrypt.c                                    |    2 +-
 drivers/acpi/apei/apei-internal.h                  |    2 +-
 drivers/acpi/apei/ghes.c                           |    4 +-
 drivers/acpi/bgrt.c                                |    6 +-
 drivers/acpi/blacklist.c                           |    4 +-
 drivers/acpi/processor_idle.c                      |    2 +-
 drivers/acpi/sysfs.c                               |    4 +-
 drivers/ata/libahci.c                              |    2 +-
 drivers/ata/libata-core.c                          |   12 +-
 drivers/ata/libata-scsi.c                          |    2 +-
 drivers/ata/libata.h                               |    2 +-
 drivers/ata/pata_arasan_cf.c                       |    4 +-
 drivers/atm/adummy.c                               |    2 +-
 drivers/atm/ambassador.c                           |    8 +-
 drivers/atm/atmtcp.c                               |   14 +-
 drivers/atm/eni.c                                  |   10 +-
 drivers/atm/firestream.c                           |    8 +-
 drivers/atm/fore200e.c                             |   14 +-
 drivers/atm/he.c                                   |   18 +-
 drivers/atm/horizon.c                              |    4 +-
 drivers/atm/idt77252.c                             |   36 +-
 drivers/atm/iphase.c                               |   34 +-
 drivers/atm/lanai.c                                |   12 +-
 drivers/atm/nicstar.c                              |   46 +-
 drivers/atm/solos-pci.c                            |    4 +-
 drivers/atm/suni.c                                 |    4 +-
 drivers/atm/uPD98402.c                             |   16 +-
 drivers/atm/zatm.c                                 |    6 +-
 drivers/base/bus.c                                 |    4 +-
 drivers/base/devtmpfs.c                            |    8 +-
 drivers/base/node.c                                |    2 +-
 drivers/base/power/domain.c                        |    4 +-
 drivers/base/power/sysfs.c                         |    2 +-
 drivers/base/power/wakeup.c                        |    8 +-
 drivers/base/syscore.c                             |    4 +-
 drivers/block/cciss.c                              |   28 +-
 drivers/block/cciss.h                              |    2 +-
 drivers/block/cpqarray.c                           |   28 +-
 drivers/block/cpqarray.h                           |    2 +-
 drivers/block/drbd/drbd_int.h                      |    6 +-
 drivers/block/drbd/drbd_main.c                     |    8 +-
 drivers/block/drbd/drbd_nl.c                       |    4 +-
 drivers/block/drbd/drbd_receiver.c                 |   22 +-
 drivers/block/loop.c                               |    2 +-
 drivers/block/null_blk.c                           |   27 +-
 drivers/block/pktcdvd.c                            |    4 +-
 drivers/bluetooth/btwilink.c                       |    2 +-
 drivers/bus/arm-cci.c                              |    2 +-
 drivers/cdrom/cdrom.c                              |   11 +-
 drivers/cdrom/gdrom.c                              |    1 -
 drivers/char/agp/compat_ioctl.c                    |    2 +-
 drivers/char/agp/frontend.c                        |    4 +-
 drivers/char/hpet.c                                |    2 +-
 drivers/char/hw_random/intel-rng.c                 |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c                |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                   |    8 +-
 drivers/char/mem.c                                 |   43 +-
 drivers/char/nvram.c                               |    2 +-
 drivers/char/pcmcia/synclink_cs.c                  |   18 +-
 drivers/char/random.c                              |   12 +-
 drivers/char/sonypi.c                              |    9 +-
 drivers/char/tpm/tpm_acpi.c                        |    3 +-
 drivers/char/tpm/tpm_eventlog.c                    |    7 +-
 drivers/char/virtio_console.c                      |    4 +-
 drivers/clk/clk-composite.c                        |    2 +-
 drivers/clk/socfpga/clk.c                          |    9 +-
 drivers/cpufreq/acpi-cpufreq.c                     |   13 +-
 drivers/cpufreq/cpufreq.c                          |   11 +-
 drivers/cpufreq/cpufreq_governor.c                 |    6 +-
 drivers/cpufreq/cpufreq_governor.h                 |    4 +-
 drivers/cpufreq/cpufreq_ondemand.c                 |   10 +-
 drivers/cpufreq/cpufreq_stats.c                    |    2 +-
 drivers/cpufreq/intel_pstate.c                     |   25 +-
 drivers/cpufreq/p4-clockmod.c                      |   12 +-
 drivers/cpufreq/sparc-us3-cpufreq.c                |   70 +-
 drivers/cpufreq/speedstep-centrino.c               |    7 +-
 drivers/cpuidle/driver.c                           |    2 +-
 drivers/cpuidle/governor.c                         |    2 +-
 drivers/cpuidle/sysfs.c                            |    2 +-
 drivers/crypto/hifn_795x.c                         |    4 +-
 drivers/devfreq/devfreq.c                          |    4 +-
 drivers/dma/sh/shdmac.c                            |    2 +-
 drivers/edac/edac_device.c                         |    4 +-
 drivers/edac/edac_mc_sysfs.c                       |   12 +-
 drivers/edac/edac_pci.c                            |    4 +-
 drivers/edac/edac_pci_sysfs.c                      |   22 +-
 drivers/edac/mce_amd.h                             |    2 +-
 drivers/firewire/core-card.c                       |    6 +-
 drivers/firewire/core-device.c                     |    2 +-
 drivers/firewire/core-transaction.c                |    1 +
 drivers/firewire/core.h                            |    1 +
 drivers/firmware/dmi-id.c                          |    2 +-
 drivers/firmware/dmi_scan.c                        |    2 +-
 drivers/firmware/efi/cper.c                        |    8 +-
 drivers/firmware/efi/efi.c                         |   12 +-
 drivers/firmware/efi/efivars.c                     |    2 +-
 drivers/firmware/google/memconsole.c               |    4 +-
 drivers/gpio/gpio-ich.c                            |    2 +-
 drivers/gpio/gpio-vr41xx.c                         |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                  |    2 +-
 drivers/gpu/drm/drm_drv.c                          |    4 +-
 drivers/gpu/drm/drm_fops.c                         |   12 +-
 drivers/gpu/drm/drm_global.c                       |   14 +-
 drivers/gpu/drm/drm_info.c                         |   14 +-
 drivers/gpu/drm/drm_ioc32.c                        |   13 +-
 drivers/gpu/drm/drm_stub.c                         |    2 +-
 drivers/gpu/drm/drm_sysfs.c                        |    2 +-
 drivers/gpu/drm/i810/i810_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c                |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                    |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                    |    2 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c         |    4 +-
 drivers/gpu/drm/i915/i915_ioc32.c                  |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                    |   26 +-
 drivers/gpu/drm/i915/intel_display.c               |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                      |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                    |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                      |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c             |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h              |    1 -
 drivers/gpu/drm/nouveau/nouveau_ioc32.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c              |    2 +-
 drivers/gpu/drm/qxl/qxl_cmd.c                      |   12 +-
 drivers/gpu/drm/qxl/qxl_debugfs.c                  |    8 +-
 drivers/gpu/drm/qxl/qxl_drv.h                      |    8 +-
 drivers/gpu/drm/qxl/qxl_irq.c                      |   16 +-
 drivers/gpu/drm/qxl/qxl_ttm.c                      |   38 +-
 drivers/gpu/drm/r128/r128_cce.c                    |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                    |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                  |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                    |    4 +-
 drivers/gpu/drm/r128/r128_state.c                  |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c                |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c             |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h                |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c              |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c                |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c                |   61 +-
 drivers/gpu/drm/tegra/dc.c                         |    2 +-
 drivers/gpu/drm/ttm/ttm_memory.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c               |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                       |    1 -
 drivers/gpu/drm/via/via_drv.h                      |    4 +-
 drivers/gpu/drm/via/via_irq.c                      |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h                |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c               |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c                |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c             |    2 +-
 drivers/gpu/vga/vga_switcheroo.c                   |    4 +-
 drivers/hid/hid-core.c                             |    4 +-
 drivers/hid/uhid.c                                 |    6 +-
 drivers/hv/channel.c                               |    4 +-
 drivers/hv/hv.c                                    |    2 +-
 drivers/hv/hv_balloon.c                            |   18 +-
 drivers/hv/hyperv_vmbus.h                          |    2 +-
 drivers/hv/vmbus_drv.c                             |    4 +-
 drivers/hwmon/acpi_power_meter.c                   |    4 +-
 drivers/hwmon/applesmc.c                           |    2 +-
 drivers/hwmon/asus_atk0110.c                       |   10 +-
 drivers/hwmon/coretemp.c                           |    2 +-
 drivers/hwmon/ibmaem.c                             |    2 +-
 drivers/hwmon/iio_hwmon.c                          |    2 +-
 drivers/hwmon/nct6775.c                            |    6 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +-
 drivers/hwmon/sht15.c                              |   12 +-
 drivers/hwmon/via-cputemp.c                        |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c              |    2 +-
 drivers/i2c/busses/i2c-diolan-u2c.c                |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c             |    2 +-
 drivers/i2c/i2c-dev.c                              |    2 +-
 drivers/ide/ide-cd.c                               |    2 +-
 drivers/iio/industrialio-core.c                    |    2 +-
 drivers/infiniband/core/cm.c                       |   32 +-
 drivers/infiniband/core/fmr_pool.c                 |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                  |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c             |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c            |    6 +-
 drivers/infiniband/hw/mlx4/mad.c                   |    2 +-
 drivers/infiniband/hw/mlx4/mcg.c                   |    2 +-
 drivers/infiniband/hw/mlx4/mlx4_ib.h               |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c            |    8 +-
 drivers/infiniband/hw/mthca/mthca_main.c           |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c             |    6 +-
 drivers/infiniband/hw/mthca/mthca_provider.c       |    2 +-
 drivers/infiniband/hw/nes/nes.c                    |    4 +-
 drivers/infiniband/hw/nes/nes.h                    |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c                 |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c                |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c                |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c              |   10 +-
 drivers/infiniband/hw/qib/qib.h                    |    1 +
 drivers/input/gameport/gameport.c                  |    4 +-
 drivers/input/input.c                              |    4 +-
 drivers/input/joystick/sidewinder.c                |    1 +
 drivers/input/joystick/xpad.c                      |    4 +-
 drivers/input/misc/ims-pcu.c                       |    4 +-
 drivers/input/mouse/psmouse.h                      |    2 +-
 drivers/input/mousedev.c                           |    2 +-
 drivers/input/serio/serio.c                        |    4 +-
 drivers/input/serio/serio_raw.c                    |    4 +-
 drivers/iommu/iommu.c                              |    2 +-
 drivers/iommu/irq_remapping.c                      |   12 +-
 drivers/irqchip/irq-gic.c                          |    4 +-
 drivers/isdn/capi/capi.c                           |   10 +-
 drivers/isdn/gigaset/interface.c                   |    8 +-
 drivers/isdn/gigaset/usb-gigaset.c                 |    2 +-
 drivers/isdn/hardware/avm/b1.c                     |    4 +-
 drivers/isdn/i4l/isdn_common.c                     |    2 +
 drivers/isdn/i4l/isdn_tty.c                        |   22 +-
 drivers/isdn/icn/icn.c                             |    2 +-
 drivers/isdn/mISDN/dsp_cmx.c                       |    2 +-
 drivers/leds/leds-clevo-mail.c                     |    2 +-
 drivers/leds/leds-ss4200.c                         |    2 +-
 drivers/lguest/core.c                              |   10 +-
 drivers/lguest/page_tables.c                       |    2 +-
 drivers/lguest/x86/core.c                          |   12 +-
 drivers/lguest/x86/switcher_32.S                   |   27 +-
 drivers/md/bcache/closure.h                        |    2 +-
 drivers/md/bitmap.c                                |    2 +-
 drivers/md/dm-ioctl.c                              |    2 +-
 drivers/md/dm-raid1.c                              |   16 +-
 drivers/md/dm-stats.c                              |    6 +-
 drivers/md/dm-stripe.c                             |   10 +-
 drivers/md/dm-table.c                              |    4 +-
 drivers/md/dm-thin-metadata.c                      |    4 +-
 drivers/md/dm.c                                    |   16 +-
 drivers/md/md.c                                    |   26 +-
 drivers/md/md.h                                    |    6 +-
 drivers/md/persistent-data/dm-space-map.h          |    1 +
 drivers/md/raid1.c                                 |    4 +-
 drivers/md/raid10.c                                |   16 +-
 drivers/md/raid5.c                                 |   10 +-
 drivers/media/dvb-core/dvbdev.c                    |    2 +-
 drivers/media/dvb-frontends/dib3000.h              |    2 +-
 drivers/media/pci/cx88/cx88-video.c                |    6 +-
 drivers/media/pci/ivtv/ivtv-driver.c               |    2 +-
 drivers/media/platform/omap/omap_vout.c            |   11 +-
 drivers/media/platform/s5p-tv/mixer.h              |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c    |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c          |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c        |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c     |    2 +-
 drivers/media/platform/vivi.c                      |    4 +-
 drivers/media/radio/radio-cadet.c                  |    2 +
 drivers/media/radio/radio-maxiradio.c              |    2 +-
 drivers/media/radio/radio-shark.c                  |    2 +-
 drivers/media/radio/radio-shark2.c                 |    2 +-
 drivers/media/radio/radio-si476x.c                 |    2 +-
 drivers/media/rc/rc-main.c                         |    4 +-
 drivers/media/usb/dvb-usb/cxusb.c                  |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c                 |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |    6 +-
 drivers/media/v4l2-core/v4l2-device.c              |    4 +-
 drivers/media/v4l2-core/v4l2-ioctl.c               |   11 +-
 drivers/message/fusion/mptsas.c                    |   34 +-
 drivers/message/fusion/mptscsih.c                  |   19 +-
 drivers/message/i2o/i2o_proc.c                     |   67 +-
 drivers/message/i2o/iop.c                          |    8 +-
 drivers/mfd/janz-cmodio.c                          |    1 +
 drivers/mfd/max8925-i2c.c                          |    2 +-
 drivers/mfd/tps65910.c                             |    2 +-
 drivers/mfd/twl4030-irq.c                          |    9 +-
 drivers/misc/c2port/core.c                         |    4 +-
 drivers/misc/kgdbts.c                              |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c                 |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h                 |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                  |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                   |    8 +-
 drivers/misc/sgi-gru/grutables.h                   |  154 +-
 drivers/misc/sgi-xp/xp.h                           |    2 +-
 drivers/misc/sgi-xp/xpc.h                          |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                     |    4 +-
 drivers/mmc/core/mmc_ops.c                         |    2 +-
 drivers/mmc/host/dw_mmc.h                          |    2 +-
 drivers/mmc/host/mmci.c                            |    4 +-
 drivers/mmc/host/sdhci-s3c.c                       |    8 +-
 drivers/mtd/chips/cfi_cmdset_0020.c                |    2 +-
 drivers/mtd/nand/denali.c                          |    1 +
 drivers/mtd/nftlmount.c                            |    1 +
 drivers/mtd/sm_ftl.c                               |    2 +-
 drivers/net/bonding/bond_netlink.c                 |    2 +-
 drivers/net/ethernet/8390/ax88796.c                |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h    |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c     |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h     |    3 +-
 drivers/net/ethernet/broadcom/tg3.h                |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h           |    2 +-
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c    |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c             |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c           |    2 +
 drivers/net/ethernet/faraday/ftmac100.c            |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c       |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c   |    7 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c   |    2 +-
 drivers/net/ethernet/realtek/r8169.c               |    8 +-
 drivers/net/ethernet/sfc/ptp.c                     |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c     |    4 +-
 drivers/net/hyperv/hyperv_net.h                    |    2 +-
 drivers/net/hyperv/rndis_filter.c                  |    4 +-
 drivers/net/ieee802154/fakehard.c                  |    2 +-
 drivers/net/macvlan.c                              |   18 +-
 drivers/net/macvtap.c                              |    2 +-
 drivers/net/ppp/ppp_generic.c                      |    4 +-
 drivers/net/slip/slhc.c                            |    2 +-
 drivers/net/team/team.c                            |    2 +-
 drivers/net/tun.c                                  |    5 +-
 drivers/net/usb/hso.c                              |   23 +-
 drivers/net/usb/sierra_net.c                       |    4 +-
 drivers/net/vxlan.c                                |    2 +-
 drivers/net/wimax/i2400m/rx.c                      |    2 +-
 drivers/net/wireless/airo.c                        |    2 +-
 drivers/net/wireless/at76c50x-usb.c                |    2 +-
 drivers/net/wireless/ath/ath10k/htc.c              |    7 +-
 drivers/net/wireless/ath/ath10k/htc.h              |    4 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c        |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c        |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h                |    4 +-
 drivers/net/wireless/b43/phy_lp.c                  |    2 +-
 drivers/net/wireless/iwlegacy/3945-mac.c           |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c         |   34 +-
 drivers/net/wireless/iwlwifi/dvm/main.c            |    3 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c          |    4 +-
 drivers/net/wireless/mac80211_hwsim.c              |   32 +-
 drivers/net/wireless/rndis_wlan.c                  |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h               |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c          |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c              |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c              |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c              |    6 +-
 drivers/nfc/nfcwilink.c                            |    2 +-
 drivers/oprofile/buffer_sync.c                     |    8 +-
 drivers/oprofile/event_buffer.c                    |    2 +-
 drivers/oprofile/oprof.c                           |    2 +-
 drivers/oprofile/oprofile_files.c                  |    2 +-
 drivers/oprofile/oprofile_stats.c                  |   10 +-
 drivers/oprofile/oprofile_stats.h                  |   10 +-
 drivers/oprofile/oprofilefs.c                      |    6 +-
 drivers/oprofile/timer_int.c                       |    2 +-
 drivers/parport/procfs.c                           |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                  |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c               |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c                |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c                 |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c             |    6 +-
 drivers/pci/hotplug/pciehp_core.c                  |    2 +-
 drivers/pci/pci-sysfs.c                            |    6 +-
 drivers/pci/pci.h                                  |    2 +-
 drivers/pci/pcie/aspm.c                            |    6 +-
 drivers/pci/probe.c                                |    2 +-
 drivers/platform/chrome/chromeos_laptop.c          |    2 +-
 drivers/platform/x86/msi-laptop.c                  |   14 +-
 drivers/platform/x86/msi-wmi.c                     |    2 +-
 drivers/platform/x86/sony-laptop.c                 |    2 +-
 drivers/platform/x86/thinkpad_acpi.c               |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                    |   14 +-
 drivers/pnp/resource.c                             |    4 +-
 drivers/power/pda_power.c                          |    7 +-
 drivers/power/power_supply.h                       |    4 +-
 drivers/power/power_supply_core.c                  |    7 +-
 drivers/power/power_supply_sysfs.c                 |    6 +-
 drivers/powercap/powercap_sys.c                    |  136 +-
 drivers/regulator/core.c                           |    4 +-
 drivers/regulator/max8660.c                        |    6 +-
 drivers/regulator/max8973-regulator.c              |    8 +-
 drivers/regulator/mc13892-regulator.c              |    6 +-
 drivers/rtc/rtc-cmos.c                             |    4 +-
 drivers/rtc/rtc-ds1307.c                           |    2 +-
 drivers/rtc/rtc-m48t59.c                           |    4 +-
 drivers/scsi/aic7xxx/aic79xx_pci.c                 |   18 +-
 drivers/scsi/bfa/bfa_fcpim.h                       |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                         |    4 +-
 drivers/scsi/fcoe/fcoe_sysfs.c                     |   12 +-
 drivers/scsi/hosts.c                               |    4 +-
 drivers/scsi/hpsa.c                                |   30 +-
 drivers/scsi/hpsa.h                                |    2 +-
 drivers/scsi/libfc/fc_exch.c                       |   50 +-
 drivers/scsi/libsas/sas_ata.c                      |    2 +-
 drivers/scsi/lpfc/lpfc.h                           |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                   |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                      |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                      |   16 +-
 drivers/scsi/mpt2sas/mpt2sas_scsih.c               |    8 +-
 drivers/scsi/pmcraid.c                             |   20 +-
 drivers/scsi/pmcraid.h                             |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                    |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                     |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                      |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                     |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                      |    6 +-
 drivers/scsi/scsi.c                                |    2 +-
 drivers/scsi/scsi_lib.c                            |    6 +-
 drivers/scsi/scsi_sysfs.c                          |    2 +-
 drivers/scsi/scsi_tgt_lib.c                        |    2 +-
 drivers/scsi/scsi_transport_fc.c                   |    8 +-
 drivers/scsi/scsi_transport_iscsi.c                |    6 +-
 drivers/scsi/scsi_transport_srp.c                  |    6 +-
 drivers/scsi/sd.c                                  |    2 +-
 drivers/scsi/sg.c                                  |    2 +-
 drivers/spi/spi.c                                  |    2 +-
 drivers/staging/android/timed_output.c             |    6 +-
 drivers/staging/gdm724x/gdm_tty.c                  |    2 +-
 drivers/staging/lustre/lnet/selftest/brw_test.c    |   12 +-
 drivers/staging/lustre/lnet/selftest/framework.c   |    4 -
 drivers/staging/lustre/lnet/selftest/ping_test.c   |   14 +-
 drivers/staging/lustre/lustre/include/lustre_dlm.h |    2 +-
 drivers/staging/lustre/lustre/include/obd.h        |    2 +-
 .../lustre/lustre/libcfs/linux/linux-proc.c        |    6 +-
 drivers/staging/media/solo6x10/solo6x10-core.c     |    2 +-
 drivers/staging/media/solo6x10/solo6x10-p2m.c      |    2 +-
 drivers/staging/media/solo6x10/solo6x10.h          |    2 +-
 drivers/staging/octeon/ethernet-rx.c               |   12 +-
 drivers/staging/octeon/ethernet.c                  |    8 +-
 drivers/staging/rtl8188eu/include/hal_intf.h       |    2 +-
 drivers/staging/rtl8188eu/include/rtw_io.h         |    2 +-
 drivers/staging/rtl8712/rtl871x_io.h               |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c                 |    2 +-
 drivers/staging/usbip/vhci.h                       |    2 +-
 drivers/staging/usbip/vhci_hcd.c                   |    6 +-
 drivers/staging/usbip/vhci_rx.c                    |    2 +-
 drivers/staging/vt6655/hostap.c                    |    7 +-
 drivers/staging/vt6656/hostap.c                    |    7 +-
 drivers/target/sbp/sbp_target.c                    |    4 +-
 drivers/target/target_core_device.c                |    2 +-
 drivers/target/target_core_transport.c             |    2 +-
 drivers/tty/cyclades.c                             |    6 +-
 drivers/tty/hvc/hvc_console.c                      |   14 +-
 drivers/tty/hvc/hvcs.c                             |   21 +-
 drivers/tty/hvc/hvsi.c                             |   12 +-
 drivers/tty/hvc/hvsi_lib.c                         |    4 +-
 drivers/tty/ipwireless/tty.c                       |   27 +-
 drivers/tty/moxa.c                                 |    2 +-
 drivers/tty/n_gsm.c                                |    4 +-
 drivers/tty/n_tty.c                                |    5 +-
 drivers/tty/pty.c                                  |    4 +-
 drivers/tty/rocket.c                               |    6 +-
 drivers/tty/serial/ioc4_serial.c                   |    6 +-
 drivers/tty/serial/kgdboc.c                        |   32 +-
 drivers/tty/serial/msm_serial.c                    |    4 +-
 drivers/tty/serial/samsung.c                       |    9 +-
 drivers/tty/serial/serial_core.c                   |    8 +-
 drivers/tty/synclink.c                             |   34 +-
 drivers/tty/synclink_gt.c                          |   28 +-
 drivers/tty/synclinkmp.c                           |   34 +-
 drivers/tty/tty_io.c                               |    2 +-
 drivers/tty/tty_ldisc.c                            |    8 +-
 drivers/tty/tty_port.c                             |   22 +-
 drivers/uio/uio.c                                  |   15 +-
 drivers/usb/atm/cxacru.c                           |    2 +-
 drivers/usb/atm/usbatm.c                           |   24 +-
 drivers/usb/core/devices.c                         |    6 +-
 drivers/usb/core/devio.c                           |   10 +-
 drivers/usb/core/hcd.c                             |    4 +-
 drivers/usb/core/message.c                         |    6 +-
 drivers/usb/core/sysfs.c                           |    2 +-
 drivers/usb/core/usb.c                             |    2 +-
 drivers/usb/dwc3/gadget.c                          |    2 -
 drivers/usb/early/ehci-dbgp.c                      |   16 +-
 drivers/usb/gadget/u_serial.c                      |   22 +-
 drivers/usb/host/ehci-hub.c                        |    4 +-
 drivers/usb/misc/appledisplay.c                    |    4 +-
 drivers/usb/serial/console.c                       |    8 +-
 drivers/usb/storage/usb.h                          |    2 +-
 drivers/usb/wusbcore/wa-hc.h                       |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                     |    2 +-
 drivers/vfio/vfio.c                                |    2 +-
 drivers/vhost/vringh.c                             |    2 +-
 drivers/video/aty/aty128fb.c                       |    2 +-
 drivers/video/aty/atyfb_base.c                     |    8 +-
 drivers/video/aty/mach64_cursor.c                  |    5 +-
 drivers/video/backlight/kb3886_bl.c                |    2 +-
 drivers/video/fb_defio.c                           |    6 +-
 drivers/video/fbmem.c                              |    6 +-
 drivers/video/hyperv_fb.c                          |    4 +-
 drivers/video/i810/i810_accel.c                    |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c            |   16 +-
 drivers/video/nvidia/nvidia.c                      |   27 +-
 drivers/video/omap2/dss/display.c                  |    8 +-
 drivers/video/s1d13xxxfb.c                         |    6 +-
 drivers/video/smscufx.c                            |    4 +-
 drivers/video/udlfb.c                              |   36 +-
 drivers/video/uvesafb.c                            |   53 +-
 drivers/video/vesafb.c                             |   58 +-
 drivers/video/via/via_clock.h                      |    2 +-
 fs/9p/vfs_addr.c                                   |    2 +-
 fs/9p/vfs_inode.c                                  |    2 +-
 fs/Kconfig.binfmt                                  |    2 +-
 fs/afs/inode.c                                     |    4 +-
 fs/aio.c                                           |    2 +-
 fs/autofs4/waitq.c                                 |    2 +-
 fs/befs/endian.h                                   |    6 +-
 fs/binfmt_aout.c                                   |   23 +-
 fs/binfmt_elf.c                                    |  678 +++-
 fs/binfmt_flat.c                                   |    6 +
 fs/bio.c                                           |    6 +-
 fs/block_dev.c                                     |    2 +-
 fs/btrfs/ctree.c                                   |    9 +-
 fs/btrfs/delayed-inode.c                           |    6 +-
 fs/btrfs/delayed-inode.h                           |    4 +-
 fs/btrfs/super.c                                   |    2 +-
 fs/buffer.c                                        |    2 +-
 fs/cachefiles/bind.c                               |    6 +-
 fs/cachefiles/daemon.c                             |    8 +-
 fs/cachefiles/internal.h                           |   12 +-
 fs/cachefiles/namei.c                              |    2 +-
 fs/cachefiles/proc.c                               |   12 +-
 fs/cachefiles/rdwr.c                               |    2 +-
 fs/ceph/dir.c                                      |    2 +-
 fs/ceph/super.c                                    |    4 +-
 fs/cifs/cifs_debug.c                               |   12 +-
 fs/cifs/cifsfs.c                                   |    8 +-
 fs/cifs/cifsglob.h                                 |   54 +-
 fs/cifs/file.c                                     |   10 +-
 fs/cifs/misc.c                                     |    4 +-
 fs/cifs/smb1ops.c                                  |   80 +-
 fs/cifs/smb2ops.c                                  |   84 +-
 fs/cifs/smb2pdu.c                                  |    3 +-
 fs/coda/cache.c                                    |   10 +-
 fs/compat.c                                        |    4 +-
 fs/compat_binfmt_elf.c                             |    2 +
 fs/compat_ioctl.c                                  |   12 +-
 fs/configfs/dir.c                                  |   10 +-
 fs/coredump.c                                      |   16 +-
 fs/dcache.c                                        |    5 +-
 fs/ecryptfs/inode.c                                |    2 +-
 fs/ecryptfs/miscdev.c                              |    2 +-
 fs/exec.c                                          |  362 ++-
 fs/ext2/xattr.c                                    |    5 +-
 fs/ext3/xattr.c                                    |    5 +-
 fs/ext4/ext4.h                                     |   20 +-
 fs/ext4/mballoc.c                                  |   44 +-
 fs/ext4/mmp.c                                      |    2 +-
 fs/ext4/super.c                                    |    4 +-
 fs/ext4/xattr.c                                    |    5 +-
 fs/fhandle.c                                       |    3 +-
 fs/file.c                                          |    4 +-
 fs/fs_struct.c                                     |    8 +-
 fs/fscache/cookie.c                                |   40 +-
 fs/fscache/internal.h                              |  200 +-
 fs/fscache/object.c                                |   26 +-
 fs/fscache/operation.c                             |   30 +-
 fs/fscache/page.c                                  |  110 +-
 fs/fscache/stats.c                                 |  344 +-
 fs/fuse/cuse.c                                     |   10 +-
 fs/fuse/dev.c                                      |    4 +-
 fs/fuse/dir.c                                      |    2 +-
 fs/hostfs/hostfs_kern.c                            |    2 +-
 fs/hugetlbfs/inode.c                               |   13 +-
 fs/inode.c                                         |    4 +-
 fs/jffs2/erase.c                                   |    3 +-
 fs/jffs2/wbuf.c                                    |    3 +-
 fs/jfs/super.c                                     |    2 +-
 fs/libfs.c                                         |   12 +-
 fs/lockd/clntproc.c                                |    4 +-
 fs/locks.c                                         |    8 +-
 fs/namei.c                                         |   15 +-
 fs/namespace.c                                     |   16 +-
 fs/nfs/callback_xdr.c                              |    2 +-
 fs/nfs/inode.c                                     |    6 +-
 fs/nfsd/nfs4proc.c                                 |    2 +-
 fs/nfsd/nfs4xdr.c                                  |    2 +-
 fs/nfsd/nfscache.c                                 |    9 +-
 fs/nfsd/vfs.c                                      |    6 +-
 fs/nls/nls_base.c                                  |   18 +-
 fs/nls/nls_euc-jp.c                                |    6 +-
 fs/nls/nls_koi8-ru.c                               |    6 +-
 fs/notify/fanotify/fanotify_user.c                 |    4 +-
 fs/notify/notification.c                           |    4 +-
 fs/ntfs/dir.c                                      |    2 +-
 fs/ntfs/file.c                                     |    2 +-
 fs/ntfs/super.c                                    |    6 +-
 fs/ocfs2/localalloc.c                              |    2 +-
 fs/ocfs2/ocfs2.h                                   |   10 +-
 fs/ocfs2/suballoc.c                                |   12 +-
 fs/ocfs2/super.c                                   |   20 +-
 fs/pipe.c                                          |   59 +-
 fs/proc/array.c                                    |   20 +
 fs/proc/base.c                                     |    4 +-
 fs/proc/kcore.c                                    |   32 +-
 fs/proc/meminfo.c                                  |    2 +-
 fs/proc/nommu.c                                    |    2 +-
 fs/proc/proc_sysctl.c                              |   18 +-
 fs/proc/task_mmu.c                                 |   39 +-
 fs/proc/task_nommu.c                               |    4 +-
 fs/proc/vmcore.c                                   |   12 +-
 fs/qnx6/qnx6.h                                     |    4 +-
 fs/quota/netlink.c                                 |    4 +-
 fs/read_write.c                                    |    2 +-
 fs/reiserfs/do_balan.c                             |    2 +-
 fs/reiserfs/procfs.c                               |    2 +-
 fs/reiserfs/reiserfs.h                             |    4 +-
 fs/seq_file.c                                      |    4 +-
 fs/splice.c                                        |   41 +-
 fs/sysfs/dir.c                                     |    2 +-
 fs/sysfs/file.c                                    |   16 +-
 fs/sysfs/symlink.c                                 |    2 +-
 fs/sysv/sysv.h                                     |    2 +-
 fs/ubifs/io.c                                      |    2 +-
 fs/udf/misc.c                                      |    2 +-
 fs/ufs/swab.h                                      |    4 +-
 fs/xattr.c                                         |   21 +
 fs/xattr_acl.c                                     |    4 +-
 fs/xfs/xfs_bmap.c                                  |    2 +-
 fs/xfs/xfs_dir2_readdir.c                          |    7 +-
 fs/xfs/xfs_ioctl.c                                 |    2 +-
 fs/xfs/xfs_iops.c                                  |    2 +-
 include/asm-generic/4level-fixup.h                 |    2 +
 include/asm-generic/atomic-long.h                  |  212 +-
 include/asm-generic/atomic.h                       |    2 +-
 include/asm-generic/atomic64.h                     |   12 +
 include/asm-generic/bitops/__fls.h                 |    2 +-
 include/asm-generic/bitops/fls.h                   |    2 +-
 include/asm-generic/bitops/fls64.h                 |    4 +-
 include/asm-generic/cache.h                        |    4 +-
 include/asm-generic/emergency-restart.h            |    2 +-
 include/asm-generic/kmap_types.h                   |    4 +-
 include/asm-generic/local.h                        |   13 +
 include/asm-generic/pgtable-nopmd.h                |   18 +-
 include/asm-generic/pgtable-nopud.h                |   15 +-
 include/asm-generic/pgtable.h                      |   16 +
 include/asm-generic/uaccess.h                      |   16 +
 include/asm-generic/vmlinux.lds.h                  |   10 +-
 include/crypto/algapi.h                            |    2 +-
 include/drm/drmP.h                                 |   15 +-
 include/drm/drm_crtc_helper.h                      |    2 +-
 include/drm/i915_pciids.h                          |    2 +-
 include/drm/ttm/ttm_memory.h                       |    2 +-
 include/keys/asymmetric-subtype.h                  |    2 +-
 include/linux/atmdev.h                             |    4 +-
 include/linux/audit.h                              |    2 +-
 include/linux/binfmts.h                            |    3 +-
 include/linux/bitops.h                             |    6 +-
 include/linux/blkdev.h                             |    2 +-
 include/linux/blktrace_api.h                       |    2 +-
 include/linux/cache.h                              |    8 +
 include/linux/cdrom.h                              |    1 -
 include/linux/cleancache.h                         |    2 +-
 include/linux/clk-provider.h                       |    1 +
 include/linux/compat.h                             |    4 +-
 include/linux/compiler-gcc4.h                      |   20 +
 include/linux/compiler.h                           |   65 +-
 include/linux/completion.h                         |   12 +-
 include/linux/configfs.h                           |    2 +-
 include/linux/cpufreq.h                            |    3 +-
 include/linux/cpuidle.h                            |    5 +-
 include/linux/cpumask.h                            |   12 +-
 include/linux/crypto.h                             |    6 +-
 include/linux/ctype.h                              |    2 +-
 include/linux/decompress/mm.h                      |    2 +-
 include/linux/devfreq.h                            |    2 +-
 include/linux/device.h                             |    7 +-
 include/linux/dma-mapping.h                        |    2 +-
 include/linux/dmaengine.h                          |    4 +-
 include/linux/efi.h                                |    1 +
 include/linux/elf.h                                |    2 +
 include/linux/err.h                                |    4 +-
 include/linux/extcon.h                             |    2 +-
 include/linux/fb.h                                 |    2 +-
 include/linux/fdtable.h                            |    2 +-
 include/linux/frontswap.h                          |    2 +-
 include/linux/fs.h                                 |    3 +-
 include/linux/fs_struct.h                          |    2 +-
 include/linux/fscache-cache.h                      |    4 +-
 include/linux/fscache.h                            |    2 +-
 include/linux/fsnotify.h                           |    2 +-
 include/linux/genhd.h                              |    4 +-
 include/linux/genl_magic_func.h                    |    2 +-
 include/linux/gfp.h                                |   12 +-
 include/linux/highmem.h                            |   12 +
 include/linux/hwmon-sysfs.h                        |    6 +-
 include/linux/i2c.h                                |    1 +
 include/linux/i2o.h                                |    2 +-
 include/linux/if_pppox.h                           |    2 +-
 include/linux/init.h                               |   12 +-
 include/linux/init_task.h                          |    7 +
 include/linux/interrupt.h                          |    8 +-
 include/linux/iommu.h                              |    2 +-
 include/linux/ioport.h                             |    2 +-
 include/linux/irq.h                                |    3 +-
 include/linux/irqchip/arm-gic.h                    |    4 +-
 include/linux/jiffies.h                            |   12 +-
 include/linux/key-type.h                           |    2 +-
 include/linux/kgdb.h                               |    6 +-
 include/linux/kobject.h                            |    3 +-
 include/linux/kobject_ns.h                         |    2 +-
 include/linux/kref.h                               |    2 +-
 include/linux/kvm_host.h                           |    4 +-
 include/linux/libata.h                             |    2 +-
 include/linux/linkage.h                            |    1 +
 include/linux/list.h                               |   15 +
 include/linux/math64.h                             |   10 +-
 include/linux/mempolicy.h                          |    7 +
 include/linux/mm.h                                 |  118 +-
 include/linux/mm_types.h                           |   20 +
 include/linux/mmiotrace.h                          |    4 +-
 include/linux/mmzone.h                             |    2 +-
 include/linux/mod_devicetable.h                    |    6 +-
 include/linux/module.h                             |   60 +-
 include/linux/moduleloader.h                       |   16 +
 include/linux/moduleparam.h                        |    4 +-
 include/linux/namei.h                              |    6 +-
 include/linux/net.h                                |    2 +-
 include/linux/netdevice.h                          |    3 +-
 include/linux/netfilter.h                          |    2 +-
 include/linux/netfilter/nfnetlink.h                |    2 +-
 include/linux/nls.h                                |    2 +-
 include/linux/notifier.h                           |    3 +-
 include/linux/oprofile.h                           |    4 +-
 include/linux/padata.h                             |    2 +-
 include/linux/pci_hotplug.h                        |    3 +-
 include/linux/perf_event.h                         |   10 +-
 include/linux/pipe_fs_i.h                          |    8 +-
 include/linux/pm.h                                 |    1 +
 include/linux/pm_domain.h                          |    2 +-
 include/linux/pm_runtime.h                         |    2 +-
 include/linux/pnp.h                                |    2 +-
 include/linux/poison.h                             |    4 +-
 include/linux/power/smartreflex.h                  |    2 +-
 include/linux/ppp-comp.h                           |    2 +-
 include/linux/preempt.h                            |   19 +
 include/linux/proc_ns.h                            |    2 +-
 include/linux/quota.h                              |    2 +-
 include/linux/random.h                             |   23 +-
 include/linux/rculist.h                            |   20 +-
 include/linux/reboot.h                             |   14 +-
 include/linux/regset.h                             |    3 +-
 include/linux/relay.h                              |    2 +-
 include/linux/rio.h                                |    2 +-
 include/linux/rmap.h                               |    4 +-
 include/linux/sched.h                              |   68 +-
 include/linux/sched/sysctl.h                       |    1 +
 include/linux/security.h                           |    2 -
 include/linux/semaphore.h                          |    2 +-
 include/linux/seq_file.h                           |    1 +
 include/linux/skbuff.h                             |   12 +-
 include/linux/slab.h                               |   48 +-
 include/linux/slab_def.h                           |   14 +-
 include/linux/slub_def.h                           |    2 +-
 include/linux/smp.h                                |    2 +
 include/linux/sock_diag.h                          |    2 +-
 include/linux/sonet.h                              |    2 +-
 include/linux/sunrpc/addr.h                        |    8 +-
 include/linux/sunrpc/clnt.h                        |    2 +-
 include/linux/sunrpc/svc.h                         |    2 +-
 include/linux/sunrpc/svc_rdma.h                    |   18 +-
 include/linux/sunrpc/svcauth.h                     |    2 +-
 include/linux/swiotlb.h                            |    3 +-
 include/linux/syscalls.h                           |   18 +-
 include/linux/syscore_ops.h                        |    2 +-
 include/linux/sysctl.h                             |    6 +-
 include/linux/sysfs.h                              |    9 +-
 include/linux/sysrq.h                              |    3 +-
 include/linux/thread_info.h                        |    7 +
 include/linux/tty.h                                |    4 +-
 include/linux/tty_driver.h                         |    2 +-
 include/linux/tty_ldisc.h                          |    2 +-
 include/linux/types.h                              |   16 +
 include/linux/uaccess.h                            |    6 +-
 include/linux/unaligned/access_ok.h                |   24 +-
 include/linux/usb.h                                |    4 +-
 include/linux/usb/renesas_usbhs.h                  |    2 +-
 include/linux/vermagic.h                           |   21 +-
 include/linux/vga_switcheroo.h                     |    8 +-
 include/linux/vmalloc.h                            |    7 +-
 include/linux/vmstat.h                             |   24 +-
 include/linux/xattr.h                              |    5 +-
 include/linux/zlib.h                               |    3 +-
 include/media/v4l2-dev.h                           |    2 +-
 include/media/v4l2-device.h                        |    2 +-
 include/net/9p/transport.h                         |    2 +-
 include/net/bluetooth/l2cap.h                      |    2 +-
 include/net/caif/cfctrl.h                          |    6 +-
 include/net/flow.h                                 |    2 +-
 include/net/genetlink.h                            |    2 +-
 include/net/gro_cells.h                            |    2 +-
 include/net/inet_connection_sock.h                 |    2 +-
 include/net/inetpeer.h                             |   17 +-
 include/net/ip.h                                   |    2 +-
 include/net/ip_fib.h                               |    2 +-
 include/net/ip_vs.h                                |    8 +-
 include/net/irda/ircomm_tty.h                      |    1 +
 include/net/iucv/af_iucv.h                         |    2 +-
 include/net/llc_c_ac.h                             |    2 +-
 include/net/llc_c_ev.h                             |    4 +-
 include/net/llc_c_st.h                             |    2 +-
 include/net/llc_s_ac.h                             |    2 +-
 include/net/llc_s_st.h                             |    2 +-
 include/net/mac80211.h                             |    2 +-
 include/net/neighbour.h                            |    2 +-
 include/net/net_namespace.h                        |   20 +-
 include/net/netdma.h                               |    2 +-
 include/net/netlink.h                              |    2 +-
 include/net/netns/conntrack.h                      |    6 +-
 include/net/netns/ipv4.h                           |    4 +-
 include/net/netns/ipv6.h                           |    4 +-
 include/net/ping.h                                 |    2 +-
 include/net/protocol.h                             |    4 +-
 include/net/rtnetlink.h                            |    2 +-
 include/net/sctp/checksum.h                        |    4 +-
 include/net/sctp/sm.h                              |    4 +-
 include/net/sctp/structs.h                         |    2 +-
 include/net/sock.h                                 |    8 +-
 include/net/tcp.h                                  |    8 +-
 include/net/xfrm.h                                 |   13 +-
 include/rdma/iw_cm.h                               |    2 +-
 include/scsi/libfc.h                               |    3 +-
 include/scsi/scsi_device.h                         |    6 +-
 include/scsi/scsi_transport_fc.h                   |    3 +-
 include/sound/compress_driver.h                    |    2 +-
 include/sound/soc.h                                |    4 +-
 include/target/target_core_base.h                  |    2 +-
 include/trace/events/irq.h                         |    4 +-
 include/uapi/linux/a.out.h                         |    8 +
 include/uapi/linux/byteorder/little_endian.h       |   28 +-
 include/uapi/linux/elf.h                           |   28 +
 include/uapi/linux/screen_info.h                   |    3 +-
 include/uapi/linux/swab.h                          |    6 +-
 include/uapi/linux/sysctl.h                        |    2 -
 include/uapi/linux/xattr.h                         |    4 +
 include/video/udlfb.h                              |    8 +-
 include/video/uvesafb.h                            |    1 +
 init/Kconfig                                       |    2 +-
 init/Makefile                                      |    3 +
 init/do_mounts.c                                   |   14 +-
 init/do_mounts.h                                   |    8 +-
 init/do_mounts_initrd.c                            |   30 +-
 init/do_mounts_md.c                                |    6 +-
 init/init_task.c                                   |    4 +
 init/initramfs.c                                   |   42 +-
 init/main.c                                        |   78 +-
 ipc/ipc_sysctl.c                                   |   10 +-
 ipc/mq_sysctl.c                                    |    2 +-
 ipc/msg.c                                          |   11 +-
 ipc/sem.c                                          |   11 +-
 ipc/shm.c                                          |   17 +-
 kernel/acct.c                                      |    2 +-
 kernel/audit.c                                     |   10 +-
 kernel/auditsc.c                                   |    4 +-
 kernel/capability.c                                |    3 +
 kernel/compat.c                                    |   38 +-
 kernel/debug/debug_core.c                          |   16 +-
 kernel/debug/kdb/kdb_main.c                        |    4 +-
 kernel/events/core.c                               |   28 +-
 kernel/events/internal.h                           |   10 +-
 kernel/events/uprobes.c                            |    2 +-
 kernel/exit.c                                      |    4 +-
 kernel/fork.c                                      |  166 +-
 kernel/futex.c                                     |   11 +-
 kernel/futex_compat.c                              |    2 +-
 kernel/gcov/base.c                                 |    7 +-
 kernel/hrtimer.c                                   |    2 +-
 kernel/irq_work.c                                  |    7 +-
 kernel/jump_label.c                                |    5 +
 kernel/kallsyms.c                                  |   39 +-
 kernel/kexec.c                                     |    3 +-
 kernel/kmod.c                                      |    4 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +-
 kernel/locking/lockdep.c                           |    7 +-
 kernel/locking/mutex-debug.c                       |   12 +-
 kernel/locking/mutex-debug.h                       |    4 +-
 kernel/locking/mutex.c                             |   10 +-
 kernel/locking/rtmutex-tester.c                    |   24 +-
 kernel/module.c                                    |  337 +-
 kernel/notifier.c                                  |   17 +-
 kernel/padata.c                                    |    4 +-
 kernel/panic.c                                     |    3 +-
 kernel/pid.c                                       |    2 +-
 kernel/pid_namespace.c                             |    2 +-
 kernel/posix-cpu-timers.c                          |    4 +-
 kernel/posix-timers.c                              |   24 +-
 kernel/power/process.c                             |   12 +-
 kernel/profile.c                                   |   14 +-
 kernel/ptrace.c                                    |    8 +-
 kernel/rcu/srcu.c                                  |    4 +-
 kernel/rcu/tiny.c                                  |    4 +-
 kernel/rcu/torture.c                               |   56 +-
 kernel/rcu/tree.c                                  |   76 +-
 kernel/rcu/tree.h                                  |   26 +-
 kernel/rcu/tree_plugin.h                           |   40 +-
 kernel/rcu/tree_trace.c                            |   22 +-
 kernel/rcu/update.c                                |    4 +-
 kernel/sched/auto_group.c                          |    4 +-
 kernel/sched/completion.c                          |    6 +-
 kernel/sched/core.c                                |   43 +-
 kernel/sched/fair.c                                |    4 +-
 kernel/sched/sched.h                               |    2 +-
 kernel/signal.c                                    |   12 +-
 kernel/smpboot.c                                   |    4 +-
 kernel/softirq.c                                   |   14 +-
 kernel/sys.c                                       |   10 +-
 kernel/sysctl.c                                    |   34 +-
 kernel/time/alarmtimer.c                           |    2 +-
 kernel/time/timer_stats.c                          |   10 +-
 kernel/timer.c                                     |    4 +-
 kernel/trace/blktrace.c                            |    6 +-
 kernel/trace/ftrace.c                              |   18 +-
 kernel/trace/ring_buffer.c                         |   76 +-
 kernel/trace/trace.c                               |    2 +-
 kernel/trace/trace.h                               |    2 +-
 kernel/trace/trace_clock.c                         |    4 +-
 kernel/trace/trace_events.c                        |    1 -
 kernel/trace/trace_mmiotrace.c                     |    8 +-
 kernel/trace/trace_output.c                        |   12 +-
 kernel/trace/trace_stack.c                         |    2 +-
 kernel/user_namespace.c                            |    2 +-
 kernel/utsname_sysctl.c                            |    2 +-
 kernel/watchdog.c                                  |    2 +-
 kernel/workqueue.c                                 |    2 +-
 lib/Kconfig.debug                                  |    8 +-
 lib/Makefile                                       |    2 +-
 lib/bitmap.c                                       |    8 +-
 lib/bug.c                                          |    2 +
 lib/debugobjects.c                                 |    2 +-
 lib/devres.c                                       |    4 +-
 lib/div64.c                                        |    4 +-
 lib/dma-debug.c                                    |    4 +-
 lib/inflate.c                                      |    2 +-
 lib/ioremap.c                                      |    4 +-
 lib/kobject.c                                      |    4 +-
 lib/list_debug.c                                   |  126 +-
 lib/percpu-refcount.c                              |    2 +-
 lib/radix-tree.c                                   |    2 +-
 lib/strncpy_from_user.c                            |    2 +-
 lib/strnlen_user.c                                 |    2 +-
 lib/swiotlb.c                                      |    2 +-
 lib/usercopy.c                                     |    6 +
 lib/vsprintf.c                                     |   12 +-
 mm/Kconfig                                         |    6 +-
 mm/backing-dev.c                                   |    4 +-
 mm/filemap.c                                       |   10 +-
 mm/fremap.c                                        |    5 +
 mm/highmem.c                                       |    7 +-
 mm/hugetlb.c                                       |   70 +-
 mm/internal.h                                      |    3 +-
 mm/maccess.c                                       |    4 +-
 mm/madvise.c                                       |   41 +
 mm/memory-failure.c                                |   28 +-
 mm/memory.c                                        |  424 ++-
 mm/mempolicy.c                                     |   25 +
 mm/mlock.c                                         |   15 +-
 mm/mmap.c                                          |  583 ++-
 mm/mprotect.c                                      |  139 +-
 mm/mremap.c                                        |   44 +-
 mm/nommu.c                                         |   21 +-
 mm/page-writeback.c                                |    2 +-
 mm/page_alloc.c                                    |   42 +-
 mm/page_io.c                                       |    2 +-
 mm/percpu.c                                        |    2 +-
 mm/process_vm_access.c                             |   14 +-
 mm/rmap.c                                          |   44 +-
 mm/shmem.c                                         |   19 +-
 mm/slab.c                                          |  106 +-
 mm/slab.h                                          |   15 +-
 mm/slab_common.c                                   |   60 +-
 mm/slob.c                                          |  206 +-
 mm/slub.c                                          |   88 +-
 mm/sparse-vmemmap.c                                |    4 +-
 mm/sparse.c                                        |    2 +-
 mm/swap.c                                          |    2 +
 mm/swapfile.c                                      |   12 +-
 mm/util.c                                          |    6 +
 mm/vmalloc.c                                       |   75 +-
 mm/vmstat.c                                        |   12 +-
 net/8021q/vlan.c                                   |    5 +-
 net/9p/mod.c                                       |    4 +-
 net/9p/trans_fd.c                                  |    2 +-
 net/atm/atm_misc.c                                 |    8 +-
 net/atm/lec.h                                      |    2 +-
 net/atm/proc.c                                     |    6 +-
 net/atm/resources.c                                |    4 +-
 net/ax25/sysctl_net_ax25.c                         |    2 +-
 net/batman-adv/bat_iv_ogm.c                        |    8 +-
 net/batman-adv/fragmentation.c                     |    2 +-
 net/batman-adv/soft-interface.c                    |    6 +-
 net/batman-adv/types.h                             |    6 +-
 net/bluetooth/hci_sock.c                           |    2 +-
 net/bluetooth/l2cap_core.c                         |    6 +-
 net/bluetooth/l2cap_sock.c                         |   12 +-
 net/bluetooth/rfcomm/sock.c                        |    4 +-
 net/bluetooth/rfcomm/tty.c                         |    4 +-
 net/bridge/netfilter/ebtables.c                    |    6 +-
 net/caif/cfctrl.c                                  |   11 +-
 net/can/af_can.c                                   |    2 +-
 net/can/gw.c                                       |    6 +-
 net/ceph/messenger.c                               |    4 +-
 net/compat.c                                       |   34 +-
 net/core/datagram.c                                |    2 +-
 net/core/dev.c                                     |   16 +-
 net/core/flow.c                                    |    8 +-
 net/core/iovec.c                                   |    4 +-
 net/core/neighbour.c                               |    2 +-
 net/core/net-sysfs.c                               |    2 +-
 net/core/net_namespace.c                           |    8 +-
 net/core/netpoll.c                                 |    4 +-
 net/core/rtnetlink.c                               |   13 +-
 net/core/scm.c                                     |    8 +-
 net/core/skbuff.c                                  |    8 +-
 net/core/sock.c                                    |   28 +-
 net/core/sock_diag.c                               |    9 +-
 net/core/sysctl_net_core.c                         |   20 +-
 net/decnet/af_decnet.c                             |    1 +
 net/decnet/sysctl_net_decnet.c                     |    4 +-
 net/ipv4/af_inet.c                                 |    8 +-
 net/ipv4/devinet.c                                 |   18 +-
 net/ipv4/fib_frontend.c                            |    6 +-
 net/ipv4/fib_semantics.c                           |    2 +-
 net/ipv4/inet_connection_sock.c                    |    2 +-
 net/ipv4/inetpeer.c                                |    4 +-
 net/ipv4/ip_fragment.c                             |   15 +-
 net/ipv4/ip_gre.c                                  |    6 +-
 net/ipv4/ip_sockglue.c                             |    2 +-
 net/ipv4/ip_vti.c                                  |    4 +-
 net/ipv4/ipconfig.c                                |    6 +-
 net/ipv4/ipip.c                                    |    4 +-
 net/ipv4/netfilter/arp_tables.c                    |   12 +-
 net/ipv4/netfilter/ip_tables.c                     |   12 +-
 net/ipv4/ping.c                                    |   14 +-
 net/ipv4/raw.c                                     |   14 +-
 net/ipv4/route.c                                   |   20 +-
 net/ipv4/sysctl_net_ipv4.c                         |   37 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_probe.c                               |    2 +-
 net/ipv4/udp.c                                     |   10 +-
 net/ipv4/xfrm4_policy.c                            |   18 +-
 net/ipv6/addrconf.c                                |   12 +-
 net/ipv6/af_inet6.c                                |    2 +-
 net/ipv6/datagram.c                                |    2 +-
 net/ipv6/icmp.c                                    |    2 +-
 net/ipv6/ip6_gre.c                                 |    8 +-
 net/ipv6/ip6_tunnel.c                              |    4 +-
 net/ipv6/ip6_vti.c                                 |    4 +-
 net/ipv6/ipv6_sockglue.c                           |    2 +-
 net/ipv6/netfilter/ip6_tables.c                    |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   14 +-
 net/ipv6/output_core.c                             |   15 +-
 net/ipv6/ping.c                                    |   28 +-
 net/ipv6/raw.c                                     |   17 +-
 net/ipv6/reassembly.c                              |   13 +-
 net/ipv6/route.c                                   |    2 +-
 net/ipv6/sit.c                                     |    4 +-
 net/ipv6/sysctl_net_ipv6.c                         |    2 +-
 net/ipv6/udp.c                                     |    6 +-
 net/ipv6/xfrm6_policy.c                            |   17 +-
 net/irda/ircomm/ircomm_tty.c                       |   18 +-
 net/iucv/af_iucv.c                                 |    4 +-
 net/iucv/iucv.c                                    |    2 +-
 net/key/af_key.c                                   |    4 +-
 net/mac80211/cfg.c                                 |    8 +-
 net/mac80211/ieee80211_i.h                         |    3 +-
 net/mac80211/iface.c                               |   16 +-
 net/mac80211/main.c                                |    2 +-
 net/mac80211/pm.c                                  |    6 +-
 net/mac80211/rate.c                                |    2 +-
 net/mac80211/rc80211_pid_debugfs.c                 |    2 +-
 net/mac80211/util.c                                |    4 +-
 net/netfilter/ipset/ip_set_core.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                    |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                    |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                   |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                    |    4 +-
 net/netfilter/nf_conntrack_acct.c                  |    2 +-
 net/netfilter/nf_conntrack_ecache.c                |    2 +-
 net/netfilter/nf_conntrack_helper.c                |    2 +-
 net/netfilter/nf_conntrack_proto.c                 |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c            |   10 +-
 net/netfilter/nf_conntrack_standalone.c            |    2 +-
 net/netfilter/nf_conntrack_timestamp.c             |    2 +-
 net/netfilter/nf_log.c                             |   10 +-
 net/netfilter/nf_sockopt.c                         |    4 +-
 net/netfilter/nfnetlink_log.c                      |    4 +-
 net/netfilter/xt_statistic.c                       |    8 +-
 net/netlink/af_netlink.c                           |    4 +-
 net/packet/af_packet.c                             |    8 +-
 net/phonet/pep.c                                   |    6 +-
 net/phonet/socket.c                                |    2 +-
 net/phonet/sysctl.c                                |    2 +-
 net/rds/cong.c                                     |    6 +-
 net/rds/ib.h                                       |    2 +-
 net/rds/ib_cm.c                                    |    2 +-
 net/rds/ib_recv.c                                  |    4 +-
 net/rds/iw.h                                       |    2 +-
 net/rds/iw_cm.c                                    |    2 +-
 net/rds/iw_recv.c                                  |    4 +-
 net/rds/rds.h                                      |    2 +-
 net/rds/tcp.c                                      |    2 +-
 net/rds/tcp_send.c                                 |    2 +-
 net/rxrpc/af_rxrpc.c                               |    2 +-
 net/rxrpc/ar-ack.c                                 |   14 +-
 net/rxrpc/ar-call.c                                |    2 +-
 net/rxrpc/ar-connection.c                          |    2 +-
 net/rxrpc/ar-connevent.c                           |    2 +-
 net/rxrpc/ar-input.c                               |    4 +-
 net/rxrpc/ar-internal.h                            |    8 +-
 net/rxrpc/ar-local.c                               |    2 +-
 net/rxrpc/ar-output.c                              |    4 +-
 net/rxrpc/ar-peer.c                                |    2 +-
 net/rxrpc/ar-proc.c                                |    4 +-
 net/rxrpc/ar-transport.c                           |    2 +-
 net/rxrpc/rxkad.c                                  |    4 +-
 net/sctp/ipv6.c                                    |    6 +-
 net/sctp/protocol.c                                |   10 +-
 net/sctp/sm_sideeffect.c                           |    2 +-
 net/sctp/socket.c                                  |   21 +-
 net/sctp/sysctl.c                                  |    8 +-
 net/socket.c                                       |   18 +-
 net/sunrpc/auth_gss/svcauth_gss.c                  |    4 +-
 net/sunrpc/clnt.c                                  |    4 +-
 net/sunrpc/sched.c                                 |    4 +-
 net/sunrpc/svc.c                                   |    4 +-
 net/sunrpc/svcauth_unix.c                          |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                     |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c            |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c              |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c           |   10 +-
 net/tipc/subscr.c                                  |    2 +-
 net/unix/sysctl_net_unix.c                         |    2 +-
 net/wireless/wext-core.c                           |   19 +-
 net/xfrm/xfrm_policy.c                             |   22 +-
 net/xfrm/xfrm_state.c                              |   33 +-
 net/xfrm/xfrm_sysctl.c                             |    2 +-
 scripts/Makefile.build                             |    2 +-
 scripts/Makefile.clean                             |    3 +-
 scripts/Makefile.host                              |   28 +-
 scripts/basic/fixdep.c                             |   12 +-
 scripts/gcc-plugin.sh                              |   17 +
 scripts/headers_install.sh                         |    1 +
 scripts/link-vmlinux.sh                            |    2 +-
 scripts/mod/file2alias.c                           |   14 +-
 scripts/mod/modpost.c                              |   25 +-
 scripts/mod/modpost.h                              |    6 +-
 scripts/mod/sumversion.c                           |    2 +-
 scripts/module-common.lds                          |    4 +
 scripts/package/builddeb                           |    1 +
 scripts/pnmtologo.c                                |    6 +-
 scripts/sortextable.h                              |    6 +-
 security/Kconfig                                   |  689 +++-
 security/apparmor/lsm.c                            |    2 +-
 security/integrity/ima/ima.h                       |    4 +-
 security/integrity/ima/ima_api.c                   |    2 +-
 security/integrity/ima/ima_fs.c                    |    4 +-
 security/integrity/ima/ima_queue.c                 |    2 +-
 security/keys/compat.c                             |    2 +-
 security/keys/internal.h                           |    2 +-
 security/keys/key.c                                |   18 +-
 security/keys/keyctl.c                             |    8 +-
 security/security.c                                |    9 +-
 security/selinux/avc.c                             |    6 +-
 security/selinux/hooks.c                           |   11 +-
 security/selinux/include/xfrm.h                    |    2 +-
 security/smack/smack_lsm.c                         |    2 +-
 security/tomoyo/tomoyo.c                           |    2 +-
 security/yama/yama_lsm.c                           |   22 +-
 sound/aoa/codecs/onyx.c                            |    7 +-
 sound/aoa/codecs/onyx.h                            |    1 +
 sound/core/oss/pcm_oss.c                           |   18 +-
 sound/core/pcm_compat.c                            |    2 +-
 sound/core/pcm_native.c                            |    4 +-
 sound/core/seq/seq_device.c                        |    8 +-
 sound/core/sound.c                                 |    2 +-
 sound/drivers/mts64.c                              |   14 +-
 sound/drivers/opl4/opl4_lib.c                      |    2 +-
 sound/drivers/portman2x4.c                         |    3 +-
 sound/firewire/amdtp.c                             |    4 +-
 sound/firewire/amdtp.h                             |    2 +-
 sound/firewire/isight.c                            |   10 +-
 sound/firewire/scs1x.c                             |    8 +-
 sound/oss/sb_audio.c                               |    2 +-
 sound/oss/swarm_cs4297a.c                          |    6 +-
 sound/pci/hda/hda_codec.c                          |    8 +-
 sound/pci/ymfpci/ymfpci.h                          |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                     |   12 +-
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 sound/soc/soc-core.c                               |    6 +-
 tools/gcc/.gitignore                               |    1 +
 tools/gcc/Makefile                                 |   45 +
 tools/gcc/checker_plugin.c                         |  172 +
 tools/gcc/colorize_plugin.c                        |  151 +
 tools/gcc/constify_plugin.c                        |  557 ++
 tools/gcc/generate_size_overflow_hash.sh           |   94 +
 tools/gcc/kallocstat_plugin.c                      |  170 +
 tools/gcc/kernexec_plugin.c                        |  474 ++
 tools/gcc/latent_entropy_plugin.c                  |  335 ++
 tools/gcc/size_overflow_hash.data                  | 5618 ++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                   | 4072 ++++++++++++++
 tools/gcc/stackleak_plugin.c                       |  327 ++
 tools/gcc/structleak_plugin.c                      |  277 +
 tools/lib/lk/Makefile                              |    2 +-
 tools/perf/util/include/asm/alternative-asm.h      |    3 +
 tools/perf/util/include/linux/compiler.h           |    8 +
 virt/kvm/kvm_main.c                                |   44 +-
 1716 files changed, 34523 insertions(+), 8024 deletions(-)
commit 512ab625d6d34c2f8602a044454bb1366b80b98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:54:11 2014 -0500

    Fix another compiler error caught by RANDSTRUCT

 sound/isa/sb/emu8000_synth.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 43bd0a97d977b78f2a54045bbf98ee967209c144
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:34:12 2014 -0500

    Fix another compiler error caught by RANDSTRUCT

 drivers/net/wan/z85230.c |   24 ++++++++++++------------
 1 files changed, 12 insertions(+), 12 deletions(-)

commit e833f51aa919e2c94bb7ac6979a68cf3f4fcc131
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:30:46 2014 -0500

    fix compilation with RANDSTRUCT plugin

 sound/drivers/opl4/opl4_seq.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 743f2ccb4dc72e6366e0cf0b371d37951c67ce0d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:16:18 2014 -0500

    avoid problems by just building our fake field decl node from scratch

 tools/gcc/randomize_layout_plugin.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit 9345145bb31148c2fb4918fe989d45bbf1219373
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 13:45:18 2014 -0500

    while in non-debug mode, don't emit notes for non-randomized struct types
    
    clear all signs from our fake field decl of being a bitfield

 tools/gcc/randomize_layout_plugin.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit 946d2d5cafa4f123f6ee36596f67cf8571e461b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:56:05 2014 -0500

    revert change to read-only marking of fake struct field

 tools/gcc/randomize_layout_plugin.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c947104c6a4c0e05ed6440287ad8872e2cbdb2f3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:42:48 2014 -0500

    Update RANDSTRUCT plugin help

 tools/gcc/randomize_layout_plugin.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 3757914c9c5d2278f93a3a8dc7d19847c6ee8e3a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:25:43 2014 -0500

    Introduce GRKERNSEC_RANDSTRUCT:
    automatic structure layout randomization of pure ops structs
    randomization of marked sensitive kernel structures
    
    automatically enabled by GRKERNSEC_CONFIG_AUTO
    performance mode is activated if the config priority is set to performance

 Documentation/dontdiff                          |    1 +
 Makefile                                        |   12 +-
 arch/x86/include/asm/floppy.h                   |   20 +-
 arch/x86/include/asm/paravirt_types.h           |   23 +-
 arch/x86/include/asm/processor.h                |    2 +-
 drivers/acpi/acpica/hwxfsleep.c                 |   11 +-
 drivers/block/cciss.h                           |   30 +-
 drivers/block/drbd/drbd_interval.c              |    6 +-
 drivers/block/smart1,2.h                        |   40 +-
 drivers/gpu/drm/nouveau/nouveau_ttm.c           |   30 +-
 drivers/gpu/drm/ttm/ttm_bo_manager.c            |   10 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c   |   10 +-
 drivers/infiniband/hw/ipath/ipath_dma.c         |   26 +-
 drivers/infiniband/hw/nes/nes_cm.c              |   22 +-
 drivers/isdn/gigaset/bas-gigaset.c              |   32 +-
 drivers/isdn/gigaset/ser-gigaset.c              |   32 +-
 drivers/isdn/gigaset/usb-gigaset.c              |   32 +-
 drivers/isdn/i4l/isdn_concap.c                  |    6 +-
 drivers/isdn/i4l/isdn_x25iface.c                |   16 +-
 drivers/misc/sgi-xp/xp_main.c                   |   12 +-
 drivers/net/ethernet/brocade/bna/bna_enet.c     |    8 +-
 drivers/net/wan/lmc/lmc_media.c                 |   97 ++--
 drivers/scsi/bfa/bfa_fcs.c                      |   19 +-
 drivers/scsi/bfa/bfa_fcs_lport.c                |   29 +-
 drivers/scsi/bfa/bfa_modules.h                  |   12 +-
 drivers/scsi/hpsa.h                             |   20 +-
 drivers/staging/lustre/lustre/ldlm/ldlm_flock.c |    2 +-
 drivers/staging/lustre/lustre/libcfs/module.c   |   10 +-
 drivers/staging/media/solo6x10/solo6x10-g723.c  |    2 +-
 drivers/video/matrox/matroxfb_DAC1064.c         |   10 +-
 drivers/video/matrox/matroxfb_Ti3026.c          |    5 +-
 fs/mount.h                                      |    4 +-
 fs/proc/internal.h                              |    4 +-
 fs/reiserfs/item_ops.c                          |   24 +-
 grsecurity/Kconfig                              |   31 +-
 include/linux/compiler-gcc4.h                   |    5 +
 include/linux/compiler.h                        |    8 +
 include/linux/cred.h                            |    4 +-
 include/linux/dcache.h                          |    2 +-
 include/linux/fs.h                              |   14 +-
 include/linux/fs_struct.h                       |    2 +-
 include/linux/ipc_namespace.h                   |    2 +-
 include/linux/kobject.h                         |    2 +-
 include/linux/mm_types.h                        |    4 +-
 include/linux/module.h                          |    4 +-
 include/linux/mount.h                           |    2 +-
 include/linux/pid_namespace.h                   |    2 +-
 include/linux/proc_ns.h                         |    2 +-
 include/linux/rbtree_augmented.h                |    4 +-
 include/linux/sched.h                           |    6 +-
 include/linux/sysctl.h                          |    2 +-
 include/linux/tty.h                             |    2 +-
 include/linux/tty_driver.h                      |    2 +-
 include/linux/user_namespace.h                  |    2 +-
 include/linux/utsname.h                         |    2 +-
 include/net/neighbour.h                         |    2 +-
 include/net/net_namespace.h                     |    2 +-
 lib/rbtree.c                                    |    4 +-
 net/atm/lec.c                                   |    6 +-
 net/atm/mpoa_caches.c                           |   42 +-
 net/decnet/dn_dev.c                             |    2 +-
 net/vmw_vsock/vmci_transport_notify.c           |   30 +-
 net/vmw_vsock/vmci_transport_notify_qstate.c    |   30 +-
 net/x25/sysctl_net_x25.c                        |    2 +-
 scripts/Makefile                                |    2 +
 scripts/gen-random-seed.sh                      |    8 +
 sound/core/seq/oss/seq_oss.c                    |    4 +-
 sound/core/seq/seq_midi.c                       |    4 +-
 sound/drivers/opl3/opl3_seq.c                   |    4 +-
 sound/pci/emu10k1/emu10k1_synth.c               |    4 +-
 sound/synth/emux/emux_seq.c                     |   14 +-
 tools/gcc/.gitignore                            |    1 +
 tools/gcc/Makefile                              |    2 +
 tools/gcc/randomize_layout_plugin.c             |  726 +++++++++++++++++++++++
 74 files changed, 1222 insertions(+), 390 deletions(-)

commit 44ebc77fd9886fdebf8e3942a935cbe2f3272c3d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 19 09:27:31 2014 -0500

    add PRNG self-tests

 lib/random32.c |  207 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 files changed, 197 insertions(+), 10 deletions(-)

commit 7780c290ada57bac294c5a7e5b0286dd604920c5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 19 09:00:56 2014 -0500

    compile fix

 include/linux/random.h      |    4 ----
 include/uapi/linux/random.h |    2 +-
 2 files changed, 1 insertions(+), 5 deletions(-)

commit 4c4359a96c7b208513eb3563c90558cd5d2ca1a0
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Nov 11 12:20:36 2013 +0100

    Upstream commit: a98814cef87946d2708812ad9f8b1e03b8366b6f
    
    random32: upgrade taus88 generator to taus113 from errata paper
    
    Since we use prandom*() functions quite often in networking code
    i.e. in UDP port selection, netfilter code, etc, upgrade the PRNG
    from Pierre L'Ecuyer's original paper "Maximally Equidistributed
    Combined Tausworthe Generators", Mathematics of Computation, 65,
    213 (1996), 203--213 to the version published in his errata paper [1].
    
    The Tausworthe generator is a maximally-equidistributed generator,
    that is fast and has good statistical properties [1].
    
    The version presented there upgrades the 3 state LFSR to a 4 state
    LFSR with increased periodicity from about 2^88 to 2^113. The
    algorithm is presented in [1] by the very same author who also
    designed the original algorithm in [2].
    
    Also, by increasing the state, we make it a bit harder for attackers
    to "guess" the PRNGs internal state. See also discussion in [3].
    
    Now, as we use this sort of weak initialization discussed in [3]
    only between core_initcall() until late_initcall() time [*] for
    prandom32*() users, namely in prandom_init(), it is less relevant
    from late_initcall() onwards as we overwrite seeds through
    prandom_reseed() anyways with a seed source of higher entropy, that
    is, get_random_bytes(). In other words, a exhaustive keysearch of
    96 bit would be needed. Now, with the help of this patch, this
    state-search increases further to 128 bit. Initialization needs
    to make sure that s1 > 1, s2 > 7, s3 > 15, s4 > 127.
    
    taus88 and taus113 algorithm is also part of GSL. I added a test
    case in the next patch to verify internal behaviour of this patch
    with GSL and ran tests with the dieharder 3.31.1 RNG test suite:
    
    $ dieharder -g 052 -a -m 10 -s 1 -S 4137730333 #taus88
    $ dieharder -g 054 -a -m 10 -s 1 -S 4137730333 #taus113
    
    With this seed configuration, in order to compare both, we get
    the following differences:
    
    algorithm                 taus88           taus113
    rands/second [**]         1.61e+08         1.37e+08
    sts_serial(4, 1st run)    WEAK             PASSED
    sts_serial(9, 2nd run)    WEAK             PASSED
    rgb_lagged_sum(31)        WEAK             PASSED
    
    We took out diehard_sums test as according to the authors it is
    considered broken and unusable [4]. Despite that and the slight
    decrease in performance (which is acceptable), taus113 here passes
    all 113 tests (only rgb_minimum_distance_5 in WEAK, the rest PASSED).
    In general, taus/taus113 is considered "very good" by the authors
    of dieharder [5].
    
    The papers [1][2] states a single warm-up step is sufficient by
    running quicktaus once on each state to ensure proper initialization
    of ~s_{0}:
    
    Our selection of (s) according to Table 1 of [1] row 1 holds the
    condition L - k <= r - s, that is,
    
      (32 32 32 32) - (31 29 28 25) <= (25 27 15 22) - (18 2 7 13)
    
    with r = k - q and q = (6 2 13 3) as also stated by the paper.
    So according to [2] we are safe with one round of quicktaus for
    initialization. However we decided to include the warm-up phase
    of the PRNG as done in GSL in every case as a safety net. We also
    use the warm up phase to make the output of the RNG easier to
    verify by the GSL output.
    
    In prandom_init(), we also mix random_get_entropy() into it, just
    like drivers/char/random.c does it, jiffies ^ random_get_entropy().
    random-get_entropy() is get_cycles(). xor is entropy preserving so
    it is fine if it is not implemented by some architectures.
    
    Note, this PRNG is *not* used for cryptography in the kernel, but
    rather as a fast PRNG for various randomizations i.e. in the
    networking code, or elsewhere for debugging purposes, for example.
    
    [*]: In order to generate some "sort of pseduo-randomness", since
    get_random_bytes() is not yet available for us, we use jiffies and
    initialize states s1 - s3 with a simple linear congruential generator
    (LCG), that is x <- x * 69069; and derive s2, s3, from the 32bit
    initialization from s1. So the above quote from [3] accounts only
    for the time from core to late initcall, not afterwards.
    [**] Single threaded run on MacBook Air w/ Intel Core i5-3317U
    
     [1] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme2.ps
     [2] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps
     [3] http://thread.gmane.org/gmane.comp.encryption.general/12103/
     [4] http://code.google.com/p/dieharder/source/browse/trunk/libdieharder/diehard_sums.c?spec=svn490&r=490#20
     [5] http://www.phy.duke.edu/~rgb/General/dieharder.php
    
    Joint work with Hannes Frederic Sowa.
    
    Cc: Florian Weimer <fweimer@redhat.com>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        include/linux/random.h

 include/linux/random.h |   13 +++++--
 lib/random32.c         |   80 +++++++++++++++++++++++++++--------------------
 2 files changed, 55 insertions(+), 38 deletions(-)

commit 53dd59a26859c9b98cadcad65791c951b162e91e
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Nov 11 12:20:33 2013 +0100

    Upstream commit: 6d31920246a9fc80be4f16acd27c0bbe8d7b8494
    
    random32: add periodic reseeding
    
    The current Tausworthe PRNG is never reseeded with truly random data after
    the first attempt in late_initcall. As this PRNG is used for some critical
    random data as e.g. UDP port randomization we should try better and reseed
    the PRNG once in a while with truly random data from get_random_bytes().
    
    When we reseed with prandom_seed we now make also sure to throw the first
    output away. This suffices the reseeding procedure.
    
    The delay calculation is based on a proposal from Eric Dumazet.
    
    Joint work with Daniel Borkmann.
    
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        lib/random32.c

 lib/random32.c |   22 ++++++++++++++++++++++
 1 files changed, 22 insertions(+), 0 deletions(-)

commit 9deef5d021000495e04a730ba1880fb4b8951d45
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Nov 11 12:20:34 2013 +0100

    Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9
    
    random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized
    
    The Tausworthe PRNG is initialized at late_initcall time. At that time the
    entropy pool serving get_random_bytes is not filled sufficiently. This
    patch adds an additional reseeding step as soon as the nonblocking pool
    gets marked as initialized.
    
    On some machines it might be possible that late_initcall gets called after
    the pool has been initialized. In this situation we won't reseed again.
    
    (A call to prandom_seed_late blocks later invocations of early reseed
    attempts.)
    
    Joint work with Daniel Borkmann.
    
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        lib/random32.c

 drivers/char/random.c  |    5 ++++-
 include/linux/random.h |    1 +
 lib/random32.c         |   24 +++++++++++++++++++++++-
 3 files changed, 28 insertions(+), 2 deletions(-)

commit 7445d45f81df0b84bbb7fc6cc598e6b70522c286
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 20:43:43 2014 -0500

    Since the reworking of recvmsg handlers by Hannes Frederic Sowa,
    it should be safe to revert our workaround for large number of
    infoleaks the previous interface made possible, restoring some
    performance to these syscalls

 net/socket.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 2c18c01da2a59df2cdaa0d99e0ed2f781c3cbf4e
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jan 15 06:50:07 2014 -0800

    Upstream commit: aee636c4809fa54848ff07a899b326eb1f9987a2
    
    bpf: do not use reciprocal divide
    
    At first Jakub Zawadzki noticed that some divisions by reciprocal_divide
    were not correct. (off by one in some cases)
    http://www.wireshark.org/~darkjames/reciprocal-buggy.c
    
    He could also show this with BPF:
    http://www.wireshark.org/~darkjames/set-and-dump-filter-k-bug.c
    
    The reciprocal divide in linux kernel is not generic enough,
    lets remove its use in BPF, as it is not worth the pain with
    current cpus.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
    Cc: Mircea Gherzan <mgherzan@gmail.com>
    Cc: Daniel Borkmann <dxchgb@gmail.com>
    Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Matt Evans <matt@ozlabs.org>
    Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        arch/x86/net/bpf_jit_comp.c

 arch/arm/net/bpf_jit_32.c       |    6 +++---
 arch/powerpc/net/bpf_jit_comp.c |    7 ++++---
 arch/s390/net/bpf_jit_comp.c    |   17 ++++++++++++-----
 arch/sparc/net/bpf_jit_comp.c   |   17 ++++++++++++++---
 arch/x86/net/bpf_jit_comp.c     |   16 ++++++++++------
 net/core/filter.c               |   30 ++----------------------------
 6 files changed, 45 insertions(+), 48 deletions(-)

commit 6986871c84f81084d5c8723538ccefc5c401b31c
Author: Jie Liu <jeff.liu@oracle.com>
Date:   Wed Jan 1 19:28:03 2014 +0800

    Upstream commit: bba719b5004234e55737e7074b81b337210c511d
    
    xfs: fix off-by-one error in xfs_attr3_rmt_verify
    
    With CRC check is enabled, if trying to set an attributes value just
    equal to the maximum size of XATTR_SIZE_MAX would cause the v3 remote
    attr write verification procedure failure, which would yield the back
    trace like below:
    
    <snip>
    XFS (sda7): Internal error xfs_attr3_rmt_write_verify at line 191 of file fs/xfs/xfs_attr_remote.c
    <snip>
    Call Trace:
    [<ffffffff816f0042>] dump_stack+0x45/0x56
    [<ffffffffa0d99c8b>] xfs_error_report+0x3b/0x40 [xfs]
    [<ffffffffa0d96edd>] ? _xfs_buf_ioapply+0x6d/0x390 [xfs]
    [<ffffffffa0d99ce5>] xfs_corruption_error+0x55/0x80 [xfs]
    [<ffffffffa0dbef6b>] xfs_attr3_rmt_write_verify+0x14b/0x1a0 [xfs]
    [<ffffffffa0d96edd>] ? _xfs_buf_ioapply+0x6d/0x390 [xfs]
    [<ffffffffa0d97315>] ? xfs_bdstrat_cb+0x55/0xb0 [xfs]
    [<ffffffffa0d96edd>] _xfs_buf_ioapply+0x6d/0x390 [xfs]
    [<ffffffff81184cda>] ? vm_map_ram+0x31a/0x460
    [<ffffffff81097230>] ? wake_up_state+0x20/0x20
    [<ffffffffa0d97315>] ? xfs_bdstrat_cb+0x55/0xb0 [xfs]
    [<ffffffffa0d9726b>] xfs_buf_iorequest+0x6b/0xc0 [xfs]
    [<ffffffffa0d97315>] xfs_bdstrat_cb+0x55/0xb0 [xfs]
    [<ffffffffa0d97906>] xfs_bwrite+0x46/0x80 [xfs]
    [<ffffffffa0dbfa94>] xfs_attr_rmtval_set+0x334/0x490 [xfs]
    [<ffffffffa0db84aa>] xfs_attr_leaf_addname+0x24a/0x410 [xfs]
    [<ffffffffa0db8893>] xfs_attr_set_int+0x223/0x470 [xfs]
    [<ffffffffa0db8b76>] xfs_attr_set+0x96/0xb0 [xfs]
    [<ffffffffa0db13b2>] xfs_xattr_set+0x42/0x70 [xfs]
    [<ffffffff811df9b2>] generic_setxattr+0x62/0x80
    [<ffffffff811e0213>] __vfs_setxattr_noperm+0x63/0x1b0
    [<ffffffff81307afe>] ? evm_inode_setxattr+0xe/0x10
    [<ffffffff811e0415>] vfs_setxattr+0xb5/0xc0
    [<ffffffff811e054e>] setxattr+0x12e/0x1c0
    [<ffffffff811c6e82>] ? final_putname+0x22/0x50
    [<ffffffff811c708b>] ? putname+0x2b/0x40
    [<ffffffff811cc4bf>] ? user_path_at_empty+0x5f/0x90
    [<ffffffff811bdfd9>] ? __sb_start_write+0x49/0xe0
    [<ffffffff81168589>] ? vm_mmap_pgoff+0x99/0xc0
    [<ffffffff811e07df>] SyS_setxattr+0x8f/0xe0
    [<ffffffff81700c2d>] system_call_fastpath+0x1a/0x1f
    
    Tests:
        setfattr -n user.longxattr -v `perl -e 'print "A"x65536'` testfile
    
    This patch fix it to check the remote EA size is greater than the
    XATTR_SIZE_MAX rather than more than or equal to it, because it's
    valid if the specified EA value size is equal to the limitation as
    per VFS setxattr interface.
    
    Signed-off-by: Jie Liu <jeff.liu@oracle.com>
    Reviewed-by: Mark Tinguely <tinguely@sgi.com>
    Signed-off-by: Ben Myers <bpm@sgi.com>
    
    (cherry picked from commit 85dd0707f0cad26d60f2dc574d17a5ab948d10f7)

 fs/xfs/xfs_attr_remote.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e8aa7f8223cf2bc0893c6bec7ada0b13edc07703
Author: Steven Rostedt <rostedt@goodmis.org>
Date:   Thu Jan 9 21:46:34 2014 -0500

    Upstream commit: 3dc91d4338d698ce77832985f9cb183d8eeaf6be
    
    SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()
    
    While running stress tests on adding and deleting ftrace instances I hit
    this bug:
    
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
      IP: selinux_inode_permission+0x85/0x160
      PGD 63681067 PUD 7ddbe067 PMD 0
      Oops: 0000 [#1] PREEMPT
      CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20
      Hardware name:                  /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006
      task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000
      RIP: 0010:[<ffffffff812d8bc5>]  [<ffffffff812d8bc5>] selinux_inode_permission+0x85/0x160
      RSP: 0018:ffff88007ddb1c48  EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840
      RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000
      RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54
      R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000
      R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000
      FS:  00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M
      CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0
      Call Trace:
        security_inode_permission+0x1c/0x30
        __inode_permission+0x41/0xa0
        inode_permission+0x18/0x50
        link_path_walk+0x66/0x920
        path_openat+0xa6/0x6c0
        do_filp_open+0x43/0xa0
        do_sys_open+0x146/0x240
        SyS_open+0x1e/0x20
        system_call_fastpath+0x16/0x1b
      Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 <0f> b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff
      RIP  selinux_inode_permission+0x85/0x160
      CR2: 0000000000000020
    
    Investigating, I found that the inode->i_security was NULL, and the
    dereference of it caused the oops.
    
    in selinux_inode_permission():
    
        isec = inode->i_security;
    
        rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
    
    Note, the crash came from stressing the deletion and reading of debugfs
    files.  I was not able to recreate this via normal files.  But I'm not
    sure they are safe.  It may just be that the race window is much harder
    to hit.
    
    What seems to have happened (and what I have traced), is the file is
    being opened at the same time the file or directory is being deleted.
    As the dentry and inode locks are not held during the path walk, nor is
    the inodes ref counts being incremented, there is nothing saving these
    structures from being discarded except for an rcu_read_lock().
    
    The rcu_read_lock() protects against freeing of the inode, but it does
    not protect freeing of the inode_security_struct.  Now if the freeing of
    the i_security happens with a call_rcu(), and the i_security field of
    the inode is not changed (it gets freed as the inode gets freed) then
    there will be no issue here.  (Linus Torvalds suggested not setting the
    field to NULL such that we do not need to check if it is NULL in the
    permission check).
    
    Note, this is a hack, but it fixes the problem at hand.  A real fix is
    to restructure the destroy_inode() to call all the destructor handlers
    from the RCU callback.  But that is a major job to do, and requires a
    lot of work.  For now, we just band-aid this bug with this fix (it
    works), and work on a more maintainable solution in the future.
    
    Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home
    Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 security/selinux/hooks.c          |   20 ++++++++++++++++++--
 security/selinux/include/objsec.h |    5 ++++-
 2 files changed, 22 insertions(+), 3 deletions(-)

commit e19ed2ef10ac8fb5539ff49890f149230ba504a2
Author: Hugh Dickins <hughd@google.com>
Date:   Sun Jan 12 01:25:21 2014 -0800

    Upstream commit: eecc1e426d681351a6026a7d3e7d225f38955b6c
    
    thp: fix copy_page_rep GPF by testing is_huge_zero_pmd once only
    
    We see General Protection Fault on RSI in copy_page_rep: that RSI is
    what you get from a NULL struct page pointer.
    
      RIP: 0010:[<ffffffff81154955>]  [<ffffffff81154955>] copy_page_rep+0x5/0x10
      RSP: 0000:ffff880136e15c00  EFLAGS: 00010286
      RAX: ffff880000000000 RBX: ffff880136e14000 RCX: 0000000000000200
      RDX: 6db6db6db6db6db7 RSI: db73880000000000 RDI: ffff880dd0c00000
      RBP: ffff880136e15c18 R08: 0000000000000200 R09: 000000000005987c
      R10: 000000000005987c R11: 0000000000000200 R12: 0000000000000001
      R13: ffffea00305aa000 R14: 0000000000000000 R15: 0000000000000000
      FS:  00007f195752f700(0000) GS:ffff880c7fc20000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000093010000 CR3: 00000001458e1000 CR4: 00000000000027e0
      Call Trace:
        copy_user_huge_page+0x93/0xab
        do_huge_pmd_wp_page+0x710/0x815
        handle_mm_fault+0x15d8/0x1d70
        __do_page_fault+0x14d/0x840
        do_page_fault+0x2f/0x90
        page_fault+0x22/0x30
    
    do_huge_pmd_wp_page() tests is_huge_zero_pmd(orig_pmd) four times: but
    since shrink_huge_zero_page() can free the huge_zero_page, and we have
    no hold of our own on it here (except where the fourth test holds
    page_table_lock and has checked pmd_same), it's possible for it to
    answer yes the first time, but no to the second or third test.  Change
    all those last three to tests for NULL page.
    
    (Note: this is not the same issue as trinity's DEBUG_PAGEALLOC BUG
    in copy_page_rep with RSI: ffff88009c422000, reported by Sasha Levin
    in https://lkml.org/lkml/2013/3/29/103.  I believe that one is due
    to the source page being split, and a tail page freed, while copy
    is in progress; and not a problem without DEBUG_PAGEALLOC, since
    the pmd_same check will prevent a miscopy from being made visible.)
    
    Fixes: 97ae17497e99 ("thp: implement refcounting for huge zero page")
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org # v3.10 v3.11 v3.12
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/huge_memory.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 49bf1cc12db4954afc0a3e9a4506325a53259c13
Author: Christian Engelmayer <cengelma@gmx.at>
Date:   Sat Jan 11 22:19:30 2014 +0100

    Upstream commit: 267d29a69c6af39445f36102a832b25ed483f299
    
    ieee802154: Fix memory leak in ieee802154_add_iface()
    
    Fix a memory leak in the ieee802154_add_iface() error handling path.
    Detected by Coverity: CID 710490.
    
    Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ieee802154/nl-phy.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 4e2493507f0d3a43a3c9562a4e75ae806f993d84
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Jan 13 02:45:22 2014 +0100

    Upstream commit: 95f4a45de1a0f172b35451fc52283290adb21f6e
    
    net: avoid reference counter overflows on fib_rules in multicast forwarding
    
    Bob Falken reported that after 4G packets, multicast forwarding stopped
    working. This was because of a rule reference counter overflow which
    freed the rule as soon as the overflow happend.
    
    This patch solves this by adding the FIB_LOOKUP_NOREF flag to
    fib_rules_lookup calls. This is safe even from non-rcu locked sections
    as in this case the flag only implies not taking a reference to the rule,
    which we don't need at all.
    
    Rules only hold references to the namespace, which are guaranteed to be
    available during the call of the non-rcu protected function reg_vif_xmit
    because of the interface reference which itself holds a reference to
    the net namespace.
    
    Fixes: f0ad0860d01e47 ("ipv4: ipmr: support multiple tables")
    Fixes: d1db275dd3f6e4 ("ipv6: ip6mr: support multiple tables")
    Reported-by: Bob Falken <NetFestivalHaveFun@gmx.com>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Thomas Graf <tgraf@suug.ch>
    Cc: Julian Anastasov <ja@ssi.bg>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ipmr.c  |    7 +++++--
 net/ipv6/ip6mr.c |    7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

commit 427e1a47ccd092da8d3834ec889bbf899bf02994
Author: NeilBrown <neilb@suse.de>
Date:   Mon Jan 6 10:35:34 2014 +1100

    Upstream commit: e8b849158508565e0cd6bc80061124afc5879160
    
    md/raid10: fix bug when raid10 recovery fails to recover a block.
    
    commit e875ecea266a543e643b19e44cf472f1412708f9
        md/raid10 record bad blocks as needed during recovery.
    
    added code to the "cannot recover this block" path to record a bad
    block rather than fail the whole recovery.
    Unfortunately this new case was placed *after* r10bio was freed rather
    than *before*, yet it still uses r10bio.
    This is will crash with a null dereference.
    
    So move the freeing of r10bio down where it is safe.
    
    Cc: stable@vger.kernel.org (v3.1+)
    Fixes: e875ecea266a543e643b19e44cf472f1412708f9
    Reported-by: Damian Nowak <spam@nowaker.net>
    URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181
    Signed-off-by: NeilBrown <neilb@suse.de>

 drivers/md/raid10.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 528bc79bf4b9414269c3468527a1fb93992888ec
Author: NeilBrown <neilb@suse.de>
Date:   Mon Jan 6 13:19:42 2014 +1100

    Upstream commit: 1cc03eb93245e63b0b7a7832165efdc52e25b4e6
    
    md/raid5: Fix possible confusion when multiple write errors occur.
    
    commit 5d8c71f9e5fbdd95650be00294d238e27a363b5c
        md: raid5 crash during degradation
    
    Fixed a crash in an overly simplistic way which could leave
    R5_WriteError or R5_MadeGood set in the stripe cache for devices
    for which it is no longer relevant.
    When those devices are removed and spares added the flags are still
    set and can cause incorrect behaviour.
    
    commit 14a75d3e07c784c004b4b44b34af996b8e4ac453
        md/raid5: preferentially read from replacement device if possible.
    
    Fixed the same bug if a more effective way, so we can now revert
    the original commit.
    
    Reported-and-tested-by: Alexander Lyakas <alex.bolshoy@gmail.com>
    Cc: stable@vger.kernel.org (3.2+ - 3.2 will need a different fix though)
    Fixes: 5d8c71f9e5fbdd95650be00294d238e27a363b5c
    Signed-off-by: NeilBrown <neilb@suse.de>

 drivers/md/raid5.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 65e365f661bcc034ce8da73be4521dde4088cbc6
Author: NeilBrown <neilb@suse.de>
Date:   Tue Jan 14 10:38:09 2014 +1100

    Upstream commit: b50c259e25d9260b9108dc0c2964c26e5ecbe1c1
    
    md/raid10: fix two bugs in handling of known-bad-blocks.
    
    If we discover a bad block when reading we split the request and
    potentially read some of it from a different device.
    
    The code path of this has two bugs in RAID10.
    1/ we get a spin_lock with _irq, but unlock without _irq!!
    2/ The calculation of 'sectors_handled' is wrong, as can be clearly
       seen by comparison with raid1.c
    
    This leads to at least 2 warnings and a probable crash is a RAID10
    ever had known bad blocks.
    
    Cc: stable@vger.kernel.org (v3.1+)
    Fixes: 856e08e23762dfb92ffc68fd0a8d228f9e152160
    Reported-by: Damian Nowak <spam@nowaker.net>
    URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181
    Signed-off-by: NeilBrown <neilb@suse.de>

 drivers/md/raid10.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 648634ea6eaa98407d5cee468eea365addf784d7
Author: Andreas Rohner <andreas.rohner@gmx.net>
Date:   Tue Jan 14 17:56:36 2014 -0800

    Upstream commit: 70f2fe3a26248724d8a5019681a869abdaf3e89a
    
    nilfs2: fix segctor bug that causes file system corruption
    
    There is a bug in the function nilfs_segctor_collect, which results in
    active data being written to a segment, that is marked as clean.  It is
    possible, that this segment is selected for a later segment
    construction, whereby the old data is overwritten.
    
    The problem shows itself with the following kernel log message:
    
      nilfs_sufile_do_cancel_free: segment 6533 must be clean
    
    Usually a few hours later the file system gets corrupted:
    
      NILFS: bad btree node (blocknr=8748107): level = 0, flags = 0x0, nchildren = 0
      NILFS error (device sdc1): nilfs_bmap_last_key: broken bmap (inode number=114660)
    
    The issue can be reproduced with a file system that is nearly full and
    with the cleaner running, while some IO intensive task is running.
    Although it is quite hard to reproduce.
    
    This is what happens:
    
     1. The cleaner starts the segment construction
     2. nilfs_segctor_collect is called
     3. sc_stage is on NILFS_ST_SUFILE and segments are freed
     4. sc_stage is on NILFS_ST_DAT current segment is full
     5. nilfs_segctor_extend_segments is called, which
        allocates a new segment
     6. The new segment is one of the segments freed in step 3
     7. nilfs_sufile_cancel_freev is called and produces an error message
     8. Loop around and the collection starts again
     9. sc_stage is on NILFS_ST_SUFILE and segments are freed
        including the newly allocated segment, which will contain active
        data and can be allocated at a later time
    10. A few hours later another segment construction allocates the
        segment and causes file system corruption
    
    This can be prevented by simply reordering the statements.  If
    nilfs_sufile_cancel_freev is called before nilfs_segctor_extend_segments
    the freed segments are marked as dirty and cannot be allocated any more.
    
    Signed-off-by: Andreas Rohner <andreas.rohner@gmx.net>
    Reviewed-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Andreas Rohner <andreas.rohner@gmx.net>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/nilfs2/segment.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit 380b201967bbe5769291311e5195a603006d391c
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Tue Jan 14 17:56:40 2014 -0800

    Upstream commit: 03e5ac2fc3bf6f4140db0371e8bb4243b24e3e02
    
    mm: fix crash when using XFS on loopback
    
    Commit 8456a648cf44 ("slab: use struct page for slab management") causes
    a crash in the LVM2 testsuite on PA-RISC (the crashing test is
    fsadm.sh).  The testsuite doesn't crash on 3.12, crashes on 3.13-rc1 and
    later.
    
     Bad Address (null pointer deref?): Code=15 regs=000000413edd89a0 (Addr=000006202224647d)
     CPU: 3 PID: 24008 Comm: loop0 Not tainted 3.13.0-rc6 #5
     task: 00000001bf3c0048 ti: 000000413edd8000 task.ti: 000000413edd8000
    
          YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
     PSW: 00001000000001101111100100001110 Not tainted
     r00-03  000000ff0806f90e 00000000405c8de0 000000004013e6c0 000000413edd83f0
     r04-07  00000000405a95e0 0000000000000200 00000001414735f0 00000001bf349e40
     r08-11  0000000010fe3d10 0000000000000001 00000040829c7778 000000413efd9000
     r12-15  0000000000000000 000000004060d800 0000000010fe3000 0000000010fe3000
     r16-19  000000413edd82a0 00000041078ddbc0 0000000000000010 0000000000000001
     r20-23  0008f3d0d83a8000 0000000000000000 00000040829c7778 0000000000000080
     r24-27  00000001bf349e40 00000001bf349e40 202d66202224640d 00000000405a95e0
     r28-31  202d662022246465 000000413edd88f0 000000413edd89a0 0000000000000001
     sr00-03  000000000532c000 0000000000000000 0000000000000000 000000000532c000
     sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000
    
     IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000401fe42c 00000000401fe430
      IIR: 539c0030    ISR: 00000000202d6000  IOR: 000006202224647d
      CPU:        3   CR30: 000000413edd8000 CR31: 0000000000000000
      ORIG_R28: 00000000405a95e0
      IAOQ[0]: vma_interval_tree_iter_first+0x14/0x48
      IAOQ[1]: vma_interval_tree_iter_first+0x18/0x48
      RP(r2): flush_dcache_page+0x128/0x388
     Backtrace:
       flush_dcache_page+0x128/0x388
       lo_splice_actor+0x90/0x148 [loop]
       splice_from_pipe_feed+0xc0/0x1d0
       __splice_from_pipe+0xac/0xc0
       lo_direct_splice_actor+0x1c/0x70 [loop]
       splice_direct_to_actor+0xec/0x228
       lo_receive+0xe4/0x298 [loop]
       loop_thread+0x478/0x640 [loop]
       kthread+0x134/0x168
       end_fault_vector+0x20/0x28
       xfs_setsize_buftarg+0x0/0x90 [xfs]
    
     Kernel panic - not syncing: Bad Address (null pointer deref?)
    
    Commit 8456a648cf44 changes the page structure so that the slab
    subsystem reuses the page->mapping field.
    
    The crash happens in the following way:
     * XFS allocates some memory from slab and issues a bio to read data
       into it.
     * the bio is sent to the loopback device.
     * lo_receive creates an actor and calls splice_direct_to_actor.
     * lo_splice_actor copies data to the target page.
     * lo_splice_actor calls flush_dcache_page because the page may be
       mapped by userspace.  In that case we need to flush the kernel cache.
     * flush_dcache_page asks for the list of userspace mappings, however
       that page->mapping field is reused by the slab subsystem for a
       different purpose.  This causes the crash.
    
    Note that other architectures without coherent caches (sparc, arm, mips)
    also call page_mapping from flush_dcache_page, so they may crash in the
    same way.
    
    This patch fixes this bug by testing if the page is a slab page in
    page_mapping and returning NULL if it is.
    
    The patch also fixes VM_BUG_ON(PageSlab(page)) that could happen in
    earlier kernels in the same scenario on architectures without cache
    coherence when CONFIG_DEBUG_VM is enabled - so it should be backported
    to stable kernels.
    
    In the old kernels, the function page_mapping is placed in
    include/linux/mm.h, so you should modify the patch accordingly when
    backporting it.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Cc: John David Anglin <dave.anglin@bell.net>]
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: Christoph Lameter <cl@linux.com>
    Acked-by: Pekka Enberg <penberg@kernel.org>
    Reviewed-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Cc: Helge Deller <deller@gmx.de>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/util.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit e71bfbceaa0246366fe3753a893c660f22568bb9
Merge: 83b84f4 e8219cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 17:30:14 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 83b84f4f7b950eeddc319df9dabeca8df99c19e7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 17:30:05 2014 -0500

    Revert "Revert recent PaX marking change that broke a significant number"
    
    This reverts commit 59672b779a7ef3857bb9335c668f671ea04c8a19.

 fs/binfmt_elf.c |   53 ++++++++++++++++++++++++++++++-----------------------
 1 files changed, 30 insertions(+), 23 deletions(-)

commit e8219cf65fbb6e3763c4298831239929d1c1f9fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 17:29:19 2014 -0500

    Update to pax-linux-3.12.8-test15.patch:
    - reworked the interaction between the various PaX control flag mechanisms for better consistency
    - fixed type attribute handling in the constify plugin, reported by spender

 fs/binfmt_elf.c             |  144 +++++++++++++++++++++++-------------------
 include/linux/sched.h       |    1 +
 include/uapi/linux/sysctl.h |    6 --
 tools/gcc/constify_plugin.c |   20 +++---
 4 files changed, 89 insertions(+), 82 deletions(-)

commit 88474da15f3f3f5d93848102d03bb4983b9a0b78
Merge: 59672b7 dbe1b0b28
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 16 07:00:51 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit dbe1b0b28973953b8919fbfc479054d527066737
Merge: 229fa99 97f15f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 16 07:00:16 2014 -0500

    Update to pax-linux-3.12.8-test14.patch:
    - added a generated file to dontdiff, reported by Emese
    - removed duplicated code due to a mismerge
    
    Merge branch 'linux-3.12.y' into pax-test
    
    Conflicts:
        arch/x86/include/asm/fpu-internal.h

commit 59672b779a7ef3857bb9335c668f671ea04c8a19
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 19:23:25 2013 -0500

    Revert recent PaX marking change that broke a significant number
    of existing systems.  The marking system will be revamped in a later
    patch to fix softmode support while making XT markings more usable.

 fs/binfmt_elf.c |   53 +++++++++++++++++++++++------------------------------
 1 files changed, 23 insertions(+), 30 deletions(-)

commit 528d5554e49536241bdf98c59ac3daedf2855a11
Merge: f17b6ff 229fa99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 12 07:56:10 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 229fa990d096324284db79ed69b336d19df28afb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 12 07:55:36 2014 -0500

    update to newer size_overflow hash table

 tools/gcc/size_overflow_hash.data |  150 +++++++++++++++++++++----------------
 1 files changed, 84 insertions(+), 66 deletions(-)

commit f17b6ff4817c57c0aaae76c2c1cf2ee759773292
Merge: 93e7728 6e027b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 11 17:38:57 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit 6e027b9f1196ed76313c256f8f962afd334d999f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 11 17:38:28 2014 -0500

    Update to pax-linux-3.12.7-test12.patch:
    - new size overflow plugin and hash table from Emese, should really fix the canon_copy_from_read_buf problem
    - fixed incorrent module parameter type in vivi, caught by the size overflow plugin

 drivers/media/platform/vivi.c     |    4 +-
 tools/gcc/size_overflow_hash.data |  120 ++++++++++++++++++------------------
 tools/gcc/size_overflow_plugin.c  |   64 +++++++++++++-------
 3 files changed, 105 insertions(+), 83 deletions(-)

commit 93e7728fe0c37e00421e82cc43f8d467d5161751
Merge: 41ac3ff eadfb9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 9 17:47:29 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit eadfb9b1066d32ee537369fd67683297eb791ed0
Merge: bccc569 4301b7a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 9 17:46:48 2014 -0500

    Update to pax-linux-3.12.7-test11.patch:
    - fixed powerpc compilation, by Purushothama Siddaiah <psiddaiah@mvista.com>
    - updated size overflow hash table from Emese, reported by Brian Haslett
    
    Merge branch 'linux-3.12.y' into pax-test
    
    Conflicts:
        include/linux/reboot.h
        mm/fremap.c
        mm/memory-failure.c
        scripts/link-vmlinux.sh

commit 41ac3ff0c57f5b8bc2e32fd6ee58d618a6c8feec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 8 20:24:27 2014 -0500

    zeroing out btime from /proc/stat breaks ps aux, it's the seconds of
    uptime for the system, information which is also available elsewhere
    (/proc/uptime), so there's no reason to limit it

 fs/proc/stat.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit a1c966be13a8cfa254a6814c8a79caed3b421f0a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 8 18:13:15 2014 -0500

    fix typo

 mm/vmstat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f1b3c3eec89cd91474518f7fbd6ffe11c0cf22c7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 8 18:06:53 2014 -0500

    provide a zeroed out /proc/vmstat to unprivileged users instead of
    denied access, some poorly-written desktop apps bail out completely
    when it can't be opened

 mm/vmstat.c |   21 +++++++++++++++------
 1 files changed, 15 insertions(+), 6 deletions(-)

commit 4e7ac33a7cf3cb6387d69a4d9ba248a2a2c95c52
Merge: ecdc265 bccc569
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 8 17:55:50 2014 -0500

    Merge branch 'pax-test' into grsec-test

commit bccc5691fbe71245abd1e39c4387c1c0146bb3fd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 8 17:55:08 2014 -0500

    Update to pax-linux-3.12.6-test10.patch:
    - removed config reference to EXT4_FS_XATTR, reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3904)
    - Emese worked around a few intentional overflows that triggered the size overflow plugin
      - in cpuset_common_file_read, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=496490) and boris64 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3907)
      - in canon_copy_from_read_buf, reported by dwokfur (http://forums.grsecurity.net/viewtopic.php?f=3&t=3905)

 drivers/tty/n_tty.c              |    2 +-
 drivers/usb/core/devio.c         |    2 +-
 security/Kconfig                 |    1 -
 tools/gcc/size_overflow_plugin.c |  173 ++++++++++++++++++++++++++++++++------
 4 files changed, 150 insertions(+), 28 deletions(-)

commit ecdc2658f89f545acbfddbcef93c04a5bd3c9ce2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 8 17:46:46 2014 -0500

    back out recently-added capability checks to various pci write methods
    as they break Xorg radeon drivers

 drivers/pci/pci-sysfs.c |    9 ---------
 drivers/pci/proc.c      |    3 ---
 2 files changed, 0 insertions(+), 12 deletions(-)

commit 3b9532bcc2f2fda37c6316047764e65d05cfc0d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 2 17:05:39 2014 -0500

    add missing #include

 fs/proc/stat.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 44c29b5b08a4475bcd7ca653abe5ed172fa1f8a0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 2 17:02:24 2014 -0500

    Back off recent PCI BAR restrictions as they break various existing
    necessary functionality (Xorg with VMware video driver, etc)
    
    Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0
    checks currently

 drivers/pci/pci-sysfs.c |   17 +++++++----------
 drivers/pci/proc.c      |   13 ++-----------
 drivers/pci/syscall.c   |    4 ----
 3 files changed, 9 insertions(+), 25 deletions(-)

commit 5d6ce67e5ed3913c105cf2fc7c9db1d6e2a9f84a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 31 10:30:20 2013 -0500

    Resolve compatibility with libgtop and recent restriction of
    /proc/stat, reported by KacKurx.  We now provide a properly-formatted
    but zeroed /proc/stat instead of denying unpriv access to the entry

 fs/proc/stat.c |   34 ++++++++++++++++++++++++----------
 1 files changed, 24 insertions(+), 10 deletions(-)

commit fb5263307b4892bbaefc83427412b54c12a4e422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 30 11:19:53 2013 -0500

    Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy
    Kulikov:
    http://www.openwall.com/lists/kernel-hardening/2011/11/07/1

 fs/proc/interrupts.c |    4 ++++
 fs/proc/stat.c       |    4 ++++
 2 files changed, 8 insertions(+), 0 deletions(-)

commit e5f67af1a42dbde9aae812c25e2498b908919689
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 30 11:13:49 2013 -0500

    Update to phase two of the IPC hardening.  I've heard no complaints about
    the patch I released, but including it here will generate better information.

 grsecurity/Kconfig     |   16 ++++++++++------
 grsecurity/grsec_ipc.c |   32 +++++++++++++++++++++++++++++---
 include/linux/grmsg.h  |    2 +-
 ipc/util.c             |    3 ++-
 4 files changed, 42 insertions(+), 11 deletions(-)

commit a5a7395ebf9054496b21fd84978daba0a9bfde5d
Merge: b07a1fc bfce0d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 19:24:39 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit bfce0d4c8f94977de165b9a559c531759d031b4b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 19:23:25 2013 -0500

    Revert recent PaX marking change that broke a significant number
    of existing systems.  The marking system will be revamped in a later
    patch to fix softmode support while making XT markings more usable.

 fs/binfmt_elf.c |   53 +++++++++++++++++++++++------------------------------
 1 files changed, 23 insertions(+), 30 deletions(-)

commit b07a1fc3ab37cf27f8e7b56193a08adfadd569b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 19:20:26 2013 -0500

    add missing #include

 grsecurity/grsec_mount.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 5fbe9de8e020fdf6b911a2368e41ba88df554343
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 15:51:51 2013 -0500

    Update config help to reflect requirements for proper security, similar
    to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM

 grsecurity/Kconfig |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit d26ce94a15a14d44494fd3e307baebc2511a09b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 15:35:31 2013 -0500

    Whenever we perform checks against block devices we should also test for
    raw character devices provided by CONFIG_RAW_DRIVER.  Unlike other OSes,
    Linux's raw device support has been obsoleted many years ago and is unlikely
    to be present in a given kernel config (modulo an allyesconfig).

 grsecurity/gracl.c       |    2 +-
 grsecurity/grsec_mount.c |    4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

commit 4bbb922e6241dad03e37919f66e9f422743f5b5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 25 16:37:02 2013 -0500

    Add some of the more obscure, config-dependent kernel modification
    defenses to GRKERNSEC_KMEM, to be split out into a separate option
    if this causes any compatibility problems.  From Matthew Garrett:
    https://lkml.org/lkml/2013/9/9/532
    
    Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not
    the other way around (to produce more secure settings when distro
    configs are used as a base)

 drivers/acpi/custom_method.c    |    4 ++++
 drivers/pci/pci-sysfs.c         |   12 ++++++++++++
 drivers/pci/proc.c              |   12 ++++++++++++
 drivers/pci/syscall.c           |    4 ++++
 drivers/platform/x86/asus-wmi.c |   12 ++++++++++++
 kernel/power/Kconfig            |    2 ++
 security/Kconfig                |    1 -
 7 files changed, 46 insertions(+), 1 deletions(-)

commit 3ae9170407e5782e6a7b2bd796b60149864e6c3e
Author: Chad Hanson <chanson@trustedcs.com>
Date:   Mon Dec 23 17:45:01 2013 -0500

    Upstream commit: 46d01d63221c3508421dd72ff9c879f61053cffc
    
    selinux: fix broken peer recv check
    
    Fix a broken networking check. Return an error if peer recv fails.  If
    secmark is active and the packet recv succeeds the peer recv error is
    ignored.
    
    Signed-off-by: Chad Hanson <chanson@trustedcs.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/hooks.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit c870e769c2d34bff7a0eba239c092bb115bb9d71
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Mon Dec 23 17:45:01 2013 -0500

    Upstream commit: c0c1439541f5305b57a83d599af32b74182933fe
    
    selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()
    
    selinux_setprocattr() does ptrace_parent(p) under task_lock(p),
    but task_struct->alloc_lock doesn't pin ->parent or ->ptrace,
    this looks confusing and triggers the "suspicious RCU usage"
    warning because ptrace_parent() does rcu_dereference_check().
    
    And in theory this is wrong, spin_lock()->preempt_disable()
    doesn't necessarily imply rcu_read_lock() we need to access
    the ->parent.
    
    Reported-by: Evan McNabb <emcnabb@redhat.com>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/hooks.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 717544da98db68da8cf1b902e33eefc098170128
Author: Benjamin LaHaise <bcrl@kvack.org>
Date:   Sat Dec 21 15:49:28 2013 -0500

    Upstream commit: 1881686f842065d2f92ec9c6424830ffc17d23b0
    
    aio: fix kioctx leak introduced by "aio: Fix a trinity splat"
    
    e34ecee2ae791df674dfb466ce40692ca6218e43 reworked the percpu reference
    counting to correct a bug trinity found.  Unfortunately, the change lead
    to kioctxes being leaked because there was no final reference count to
    put.  Add that reference count back in to fix things.
    
    Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org

 fs/aio.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 21649f0e322166802adf5872f2affc38a0d6eb18
Author: Jianguo Wu <wujianguo@huawei.com>
Date:   Wed Dec 18 17:08:59 2013 -0800

    Upstream commit: 98398c32f6687ee1e1f3ae084effb4b75adb0747
    
    mm/hugetlb: check for pte NULL pointer in __page_check_address()
    
    In __page_check_address(), if address's pud is not present,
    huge_pte_offset() will return NULL, we should check the return value.
    
    Signed-off-by: Jianguo Wu <wujianguo@huawei.com>
    Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Cc: Mel Gorman <mgorman@suse.de>
    Cc: qiuxishi <qiuxishi@huawei.com>
    Cc: Hanjun Guo <guohanjun@huawei.com>
    Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        mm/rmap.c

 mm/rmap.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 184b047d4bc06f058aadb07393270e5d972af3aa
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date:   Fri Dec 20 15:10:03 2013 +0200

    Upstream commit: ee53664bda169f519ce3c6a22d378f0b946c8178
    
    mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
    
    Sasha Levin found a NULL pointer dereference that is due to a missing
    page table lock, which in turn is due to the pmd entry in question being
    a transparent huge-table entry.
    
    The code - introduced in commit 1998cc048901 ("mm: make
    madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
    for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
    turns out that that function doesn't work correctly.
    
    pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
    trigger if the transparent hugepage bit was set, but it doesn't do that
    if pmd_numa() is also set. Note that the NUMA bit only gets set on real
    NUMA machines, so people trying to reproduce this on most normal
    development systems would never actually trigger this.
    
    Fix it by removing the very subtle (and subtly incorrect) expectation,
    and instead just checking pmd_trans_huge() explicitly.
    
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Acked-by: Andrea Arcangeli <aarcange@redhat.com>
    [ Additionally remove the now stale test for pmd_trans_huge() inside the
      pmd_bad() case - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/asm-generic/pgtable.h |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 1d769ef5d57f3bb616929c7e3c600852e20d575e
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Dec 17 00:38:39 2013 +0100

    Upstream commit: b1aac815c0891fe4a55a6b0b715910142227700f
    
    net: inet_diag: zero out uninitialized idiag_{src,dst} fields
    
    Jakub reported while working with nlmon netlink sniffer that parts of
    the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6.
    That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3].
    
    In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab]
    memory through this. At least, in udp_dump_one(), we allocate a skb in ...
    
      rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL);
    
    ... and then pass that to inet_sk_diag_fill() that puts the whole struct
    inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0],
    r->id.idiag_dst[0] and leave the rest untouched:
    
      r->id.idiag_src[0] = inet->inet_rcv_saddr;
      r->id.idiag_dst[0] = inet->inet_daddr;
    
    struct inet_diag_msg embeds struct inet_diag_sockid that is correctly /
    fully filled out in IPv6 case, but for IPv4 not.
    
    So just zero them out by using plain memset (for this little amount of
    bytes it's probably not worth the extra check for idiag_family == AF_INET).
    
    Similarly, fix also other places where we fill that out.
    
    Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/ipv4/inet_diag.c

 net/ipv4/inet_diag.c |   16 ++++++++++++++++
 1 files changed, 16 insertions(+), 0 deletions(-)

commit 11093b2d02f7bba2c9085b2d2d020b9ee34f8737
Author: Wenliang Fan <fanwlexca@gmail.com>
Date:   Tue Dec 17 11:25:28 2013 +0800

    Upstream commit: e9db5c21d3646a6454fcd04938dd215ac3ab620a
    
    drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
    
    The local variable 'bi' comes from userspace. If userspace passed a
    large number to 'bi.data.calibrate', there would be an integer overflow
    in the following line:
        s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
    
    Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/hamradio/hdlcdrv.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e162be84a9971452943c1d85a59c866a5486222b
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Mon Dec 23 18:49:30 2013 +0100

    Upstream commit: f60900f2609e893c7f8d0bccc7ada4947dac4cd5
    
    auxvec.h: account for AT_HWCAP2 in AT_VECTOR_SIZE_BASE
    
    Commit 2171364d1a92 ("powerpc: Add HWCAP2 aux entry") introduced a new
    AT_ auxv entry type AT_HWCAP2 but failed to update AT_VECTOR_SIZE_BASE
    accordingly.
    
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Fixes: 2171364d1a92 (powerpc: Add HWCAP2 aux entry)
    Cc: stable@vger.kernel.org
    Acked-by: Michael Neuling <michael@neuling.org>
    Cc: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/auxvec.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a60029d4fb8d62b6dd3617a8ab4031fd79b89fe3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 25 15:11:51 2013 -0500

    remove unused 'dentry' variable

 fs/xattr.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit d6e290d23c8c47c19536ed84f403eb81f224ed67
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 25 15:03:13 2013 -0500

    Add RBAC mediation of *removexattr(), as this has security implications
    in the case of PaX with softmode enabled or the rare case of RBAC+SELinux
    use.

 fs/xattr.c                  |   18 +++++++++++-------
 grsecurity/gracl_fs.c       |    6 ++++++
 grsecurity/grsec_disabled.c |    6 ++++++
 include/linux/grmsg.h       |    3 ++-
 include/linux/grsecurity.h  |    2 ++
 5 files changed, 27 insertions(+), 8 deletions(-)

commit 848b9c1e52382f446a2db679d6ee68c0a8cbc52e
Merge: e45d1dd 846d19a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 22 10:36:48 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 846d19aa4207282ce5ac54237517e54324eda092
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 22 10:35:16 2013 -0500

    Update to pax-linux-3.12.6-test9.patch:
    - updated size overflow hash table from spender
    - fixed silly code in kvm_clear_guest_page detected by USERCOPY, reported by remnix (http://forums.grsecurity.net/viewtopic.php?f=3&t=3899)

 virt/kvm/kvm_main.c |   13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)

commit e45d1ddcd3c8005889acc55fbf9e57171339fbb4
Merge: b5c87f6 6754393
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 21 07:53:42 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 6754393ea42b9fb1d6d8e4635e8364674cee2bbd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 21 07:53:22 2013 -0500

    Update size_overflow hash table

 tools/gcc/size_overflow_hash.data |  119 +++++++++++++++++++------------------
 1 files changed, 60 insertions(+), 59 deletions(-)

commit b5c87f632d1cf19639a94c36276f96955221c77a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 20 20:18:56 2013 -0500

    compile fix

 fs/stat.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 47618a93b003d648b5704040d1e502f76de07093
Merge: ba0eeed 37eeb47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 20 20:18:18 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 37eeb473486a08e3beae62841b19169aef36564d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 20 20:17:46 2013 -0500

    Update to pax-linux-3.12.6-test8.patch:
    - fixed an inconsistency in handling softmode and user.pax.flags, reported by jacekalex (http://forums.grsecurity.net/viewtopic.php?f=3&t=3877)
    - updated size overflow hash table from spender

 fs/binfmt_elf.c |   53 ++++++++++++++++++++++++++++++-----------------------
 1 files changed, 30 insertions(+), 23 deletions(-)

commit ba0eeed0532b602905d87e9bf25aad3664c3f36b
Merge: 453a7f1 9dda34c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 20 19:17:33 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 9dda34cba200c6eadcbbbccbb4729627fd82e6be
Merge: 63ebe2d2 d0266db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 20 19:17:18 2013 -0500

    Merge branch 'linux-3.12.y' into pax-test
    
    Conflicts:
        arch/x86/boot/Makefile

commit 453a7f1e18d89056fa27a9fdc777cea1a6fd7fe5
Merge: bb777f5 63ebe2d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 19 22:48:02 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 63ebe2d2adf8f5ebc1639c1b8d8577fbe5813fcd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 19 22:47:35 2013 -0500

    add 42 functions to the size_overflow hash table

 tools/gcc/size_overflow_hash.data |   59 +++++++++++++++++++++++++++++-------
 1 files changed, 47 insertions(+), 12 deletions(-)

commit bb777f517e6c2a53909351245d7d2009d8ad4c5b
Merge: cc59b1f a03d29c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 19 17:12:01 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit a03d29c1eead36d4f9eac27b3a5d4b4266360a81
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 19 17:11:19 2013 -0500

    Update to pax-linux-3.12.5-test7.patch:
    - fixed some more size overflow reports
      - gratuitous int/uint conversion in expand_files and expand_fdtable, reported by wizeman (http://forums.grsecurity.net/viewtopic.php?f=3&t=3898)
      - better fix for the gcc induced intentional overflow in usbdev_read

 arch/x86/include/asm/atomic.h      |    6 +++---
 arch/x86/include/asm/atomic64_32.h |    2 +-
 arch/x86/include/asm/atomic64_64.h |    2 +-
 drivers/usb/core/devio.c           |    2 +-
 fs/file.c                          |    4 ++--
 include/asm-generic/atomic-long.h  |    2 +-
 tools/gcc/size_overflow_hash.data  |    3 ---
 7 files changed, 9 insertions(+), 12 deletions(-)

commit cc59b1fbe8989a6f99d229b34653e40a84d871f4
Merge: 44842d2 6ffdbdf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 15 10:40:14 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 6ffdbdf295f56e22ce8626b555a03e4d2b8c6a61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 15 10:38:59 2013 -0500

    Update to pax-linux-3.12.5-test6.patch:
    - Emese fixed a bug in the size overflow plugin resulting in false positives on downcasts from 64 bit variables on i386, reported by Huub Reuver

 tools/gcc/size_overflow_plugin.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 44842d2f32b7fd6f325a90b15bd0a094f08feab9
Merge: c2c9b35 f85d978
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 14 10:58:46 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit f85d978a63b7388c6ab97b54808992fe2ee4ac8c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 14 10:58:14 2013 -0500

    Update to pax-linux-3.12.5-test5.patch:
    - properly fix the use-after-free in sys_remap_file_pages, by Rik van Riel (http://www.spinics.net/lists/linux-mm/msg66710.html)

 mm/fremap.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit c2c9b35fca510f7e29f80efa2999695448083b52
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Dec 12 09:38:42 2013 -0800

    Upstream commit: f12d5bfceb7e1f9051563381ec047f7f13956c3c
    
    futex: fix handling of read-only-mapped hugepages
    
    The hugepage code had the exact same bug that regular pages had in
    commit 7485d0d3758e ("futexes: Remove rw parameter from
    get_futex_key()").
    
    The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix
    regression with read only mappings"), but the transparent hugepage case
    (added in a5b338f2b0b1: "thp: update futex compound knowledge") case
    remained broken.
    
    Found by Dave Jones and his trinity tool.
    
    Reported-and-tested-by: Dave Jones <davej@fedoraproject.org>
    Cc: stable@kernel.org # v2.6.38+
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Mel Gorman <mgorman@suse.de>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/futex.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7fe4be2ce4c49484298f71455cdcac08149985cb
Author: Andy Honig <ahonig@google.com>
Date:   Mon Nov 18 16:09:22 2013 -0800

    Upstream commit: 338c7dbadd2671189cec7faf64c84d01071b3f96
    
    KVM: Improve create VCPU parameter (CVE-2013-4587)
    
    In multiple functions the vcpu_id is used as an offset into a bitfield.  Ag
    malicious user could specify a vcpu_id greater than 255 in order to set or
    clear bits in kernel memory.  This could be used to elevate priveges in the
    kernel.  This patch verifies that the vcpu_id provided is less than 255.
    The api documentation already specifies that the vcpu_id must be less than
    max_vcpus, but this is currently not checked.
    
    Reported-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 virt/kvm/kvm_main.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit e3a3b7a0010abaf6f28afb8521fcb29cee6b3c4c
Author: Andy Honig <ahonig@google.com>
Date:   Tue Nov 19 14:12:18 2013 -0800

    Upstream commit: b963a22e6d1a266a67e9eecc88134713fd54775c
    
    KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
    
    Under guest controllable circumstances apic_get_tmcct will execute a
    divide by zero and cause a crash.  If the guest cpuid support
    tsc deadline timers and performs the following sequence of requests
    the host will crash.
    - Set the mode to periodic
    - Set the TMICT to 0
    - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
    - Set the TMICT to non-zero.
    Then the lapic_timer.period will be 0, but the TMICT will not be.  If the
    guest then reads from the TMCCT then the host will perform a divide by 0.
    
    This patch ensures that if the lapic_timer.period is 0, then the division
    does not occur.
    
    Reported-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kvm/lapic.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 2b8e6adf070a8938133e318e9a6e2f633095f038
Author: Andy Honig <ahonig@google.com>
Date:   Wed Nov 20 10:23:22 2013 -0800

    Upstream commit: fda4e2e85589191b123d31cdc21fd33ee70f50fd
    
    KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)
    
    In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
    potential to corrupt kernel memory if userspace provides an address that
    is at the end of a page.  This patches concerts those functions to use
    kvm_write_guest_cached and kvm_read_guest_cached.  It also checks the
    vapic_address specified by userspace during ioctl processing and returns
    an error to userspace if the address is not a valid GPA.
    
    This is generally not guest triggerable, because the required write is
    done by firmware that runs before the guest.  Also, it only affects AMD
    processors and oldish Intel that do not have the FlexPriority feature
    (unless you disable FlexPriority, of course; then newer processors are
    also affected).
    
    Fixes: b93463aa59d6 ('KVM: Accelerated apic support')
    
    Reported-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kvm/lapic.c |   27 +++++++++++++++------------
 arch/x86/kvm/lapic.h |    4 ++--
 arch/x86/kvm/x86.c   |   40 +---------------------------------------
 3 files changed, 18 insertions(+), 53 deletions(-)

commit 6261a034c2cc7f34b4c7663ace10d74f9c1fe479
Author: Gleb Natapov <gleb@redhat.com>
Date:   Thu Dec 12 21:20:08 2013 +0100

    Upstream commit: 17d68b763f09a9ce824ae23eb62c9efc57b69271
    
    KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
    
    A guest can cause a BUG_ON() leading to a host kernel crash.
    When the guest writes to the ICR to request an IPI, while in x2apic
    mode the following things happen, the destination is read from
    ICR2, which is a register that the guest can control.
    
    kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
    cluster id.  A BUG_ON is triggered, which is a protection against
    accessing map->logical_map with an out-of-bounds access and manages
    to avoid that anything really unsafe occurs.
    
    The logic in the code is correct from real HW point of view. The problem
    is that KVM supports only one cluster with ID 0 in clustered mode, but
    the code that has the bug does not take this into account.
    
    Reported-by: Lars Bull <larsbull@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Gleb Natapov <gleb@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kvm/lapic.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit beb27f127ef300b52f8c20402d053b05bab7f4e3
Merge: 82c673f b8daf53
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 13 20:11:22 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/parisc/kernel/sys_parisc.c

commit b8daf537ab923daf14f38d283ca5361424154fa8
Merge: 7689612 156c758
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 13 20:07:08 2013 -0500

    Update to pax-linux-3.12.5-test4.patch:
    - fixed 32 bit apps executing certain 64 bit ones, reported by Ronny Meeus
    - fixed underallocation in __d_alloc that would cause an out-of-bounds read later, reported by Dmitry Vyukov and Kees Cook, not understood by Al Viro
      (http://lkml.org/lkml/2013/10/3/493 and http://lkml.org/lkml/2013/10/11/293)
    - fixed use-after-free in sys_remap_file_pages, reported by Dmitry Vyukov (http://lkml.org/lkml/2013/9/17/30)
    - updated size oveflow plugin from Emese, fixes some false positives reported by Tim Harman and Huub Reuver
    - fixed a btrfs bug caught by the size overflow plugin, reported by Jens Binnewies (http://forums.grsecurity.net/viewtopic.php?f=1&t=3887)
      turns out that it was fixed upstream already but never marked for stable backport:
      - https://bugzilla.kernel.org/show_bug.cgi?id=66661
      - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/fs/btrfs/tree-log.c?id=ed9e8af88e2551aaa6bf51d8063a2493e2d71597
    - fixed bad interactions between the KERNEXEC plugin and some gcc features, reported by Amadeusz Sławiński (https://bugs.gentoo.org/show_bug.cgi?id=487938)
      - the mask register has been changed from r10 (used by DRAP) to r12
      - all kernel entry points now allocate a full pt_regs area (it required some non-trivial surgery, some fallout is possible)
    
    Merge branch 'linux-3.12.y' into pax-test
    
    Conflicts:
        arch/parisc/kernel/sys_parisc.c
        fs/pipe.c

commit 82c673fdfd9925cda2e94b67f775be70b8ef4cca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 13 19:39:54 2013 -0500

    Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent
    atomic reload improvement.  These two objects are used only for "files" private
    to the kernel which don't exist on any mounted filesystem and have no visible
    path.  Only the mode field of these objects is ever used, and we would never
    attempt to free these objects a second time (due to their being allocated
    into the memory manager associated with the initial policy)
    
    In practice this causes bogus auditing messages for / and could potentially
    cause a subject without executable shared memory support to permit executable
    shared memory (if PaX is disabled on the binary).
    
    Instead just allocate these two special objects with kzalloc at enable time
    and free them at disable time.
    
    Thanks to nyt@countercultured.net for the report

 grsecurity/gracl_policy.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit b0be33b9efb31e2cb745d1b33eee4f89b315d5bf
Merge: 4c60da7 7689612
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 8 17:07:04 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        net/ipv4/ping.c

commit 7689612bef2f353f37a2fe94ff0ef8c72634b522
Merge: 2f004b8 289b6c7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 8 17:05:58 2013 -0500

    Merge branch 'linux-3.12.y' into pax-test
    
    Conflicts:
        net/compat.c
        net/ipv4/ping.c
        net/ipv6/sit.c
        net/socket.c

commit 4c60da771d2fba442fe7831d590277e6fe80e908
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 8 16:12:01 2013 -0500

    Backport of:
    
    If we allocate less than sizeof(struct attrlist) then we end up
    corrupting memory or doing a ZERO_PTR_SIZE dereference.
    
    This can only be triggered with CAP_SYS_ADMIN.
    
    Reported-by: Nico Golde <nico@xxxxxxxxx>
    Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx>
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

 fs/xfs/xfs_ioctl.c   |    3 ++-
 fs/xfs/xfs_ioctl32.c |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

commit bd50af2c306bfe6287631e0e1745cc5d2fbad0c2
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Thu Dec 5 23:29:19 2013 +0100

    Upstream commit: 239c78db9c41a8f524cce60507440d72229d73bc
    
    net: clear local_df when passing skb between namespaces
    
    We must clear local_df when passing the skb between namespaces as the
    packet is not local to the new namespace any more and thus may not get
    fragmented by local rules. Fred Templin noticed that other namespaces
    do fragment IPv6 packets while forwarding. Instead they should have send
    back a PTB.
    
    The same problem should be present when forwarding DF-IPv4 packets
    between namespaces.
    
    Reported-by: Templin, Fred L <Fred.L.Templin@boeing.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/skbuff.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7803212c99050491bd0a2618e039f62c825f82e5
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Mon Dec 2 11:50:37 2013 -0800

    Upstream commit: b65502879556d041b45104c6a35abbbba28c8f2d
    
    uio: we cannot mmap unaligned page contents
    
    In commit 7314e613d5ff ("Fix a few incorrectly checked
    [io_]remap_pfn_range() calls") the uio driver started more properly
    checking the passed-in user mapping arguments against the size of the
    actual uio driver data.
    
    That in turn exposed that some driver authors apparently didn't realize
    that mmap can only work on a page granularity, and had tried to use it
    with smaller mappings, with the new size check catching that out.
    
    So since it's not just the user mmap() arguments that can be confused,
    make the uio mmap code also verify that the uio driver has the memory
    allocated at page boundaries in order for mmap to work.  If the device
    memory isn't properly aligned, we return
    
      [ENODEV]
        The fildes argument refers to a file whose type is not supported by mmap().
    
    as per the open group documentation on mmap.
    
    Reported-by: Holger Brunck <holger.brunck@keymile.com>
    Acked-by: Greg KH <gregkh@linuxfoundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/uio/uio.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e5fb91d26cb825c36042d62373c0a32a176cfe2d
Merge: 6b9d9e2 2f004b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 8 10:18:49 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        mm/mmap.c

commit 2f004b87204d113e467ba360ac8b0a9cbfcf01cb
Merge: c04a09b 81605d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 8 10:16:53 2013 -0500

    Update to pax-linux-3.12.3-test2.patch:
    - forward port to 3.12.3
    - fixed incorrect ACCESS_ONCE accessors in rcutree, reported by mcp
    - fixed the usual arm/CONSTIFY fallout, reported by Michael Tremer <michael.tremer@ipfire.org>
    - changed the constify plugin to give better error messages
    - worked around a gcc induced intentional integer overflow in usbdev_read, reported by quasar366 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3889)
    - better fix for http://forums.grsecurity.net/viewtopic.php?f=3&t=3885
    - fixed crash under qemu when INVPCID was enabled (say, on -cpu Haswell) but PCID itself wasn't, reported by spender
    - updated size overflow plugin from Emese, coverage will increase further
    
    Merge branch 'linux-3.12.y' into pax-test
    
    Conflicts:
        kernel/trace/ftrace.c
        mm/mmap.c

commit 6b9d9e2fe7cd30598a4c22c159ff3b06339e23c8
Author: David Herrmann <dh.herrmann@gmail.com>
Date:   Tue Nov 26 13:58:18 2013 +0100

    Upstream commit: 80897aa787ecd58eabb29deab7cbec9249c9b7e6
    
    HID: uhid: fix leak for 64/32 UHID_CREATE
    
    UHID allows short writes so user-space can omit unused fields. We
    automatically set them to 0 in the kernel. However, the 64/32 bit
    compat-handler didn't do that in the UHID_CREATE fallback. This will
    reveal random kernel heap data (of random size, even) to user-space.
    
    Fixes: befde0226a59 ('HID: uhid: make creating devices work on 64/32 systems')
    
    Reported-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>

 drivers/hid/uhid.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a06981f0117d614ba4d30f6b5dd6eff7d418ffae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 4 18:15:02 2013 -0500

    Don't duplicate __get_dumpable, also make sure we check against
    SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing
    detection when suid_dumpable was set to 2

 fs/coredump.c              |    7 +++++--
 grsecurity/grsec_sig.c     |   14 ++------------
 include/linux/grsecurity.h |    2 +-
 3 files changed, 8 insertions(+), 15 deletions(-)

commit fc706a922b49e3157cac848fb0c8d1dcf4f360bb
Merge: 0f023d5 c04a09b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 3 21:41:57 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit c04a09b7dbfafdbee85e09c224e90ebc665ce4f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 3 21:41:20 2013 -0500

    fix up ACCESS_ONCE -> ACCESS_ONCE_RW, as reported by mcp

 kernel/rcutree_plugin.h |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 0f023d59d361b9880155dd8ddb0c1e19a48437c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 3 19:39:04 2013 -0500

    Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO,
    see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879
    The previous info was many years outdated.
    
    Disable KEXEC when GRKERNSEC_KMEM is enabled:
    http://mjg59.dreamwidth.org/28746.html
    
    Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning
    -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present

 arch/arm/Kconfig         |    1 +
 arch/ia64/Kconfig        |    1 +
 arch/mips/Kconfig        |    1 +
 arch/powerpc/Kconfig     |    1 +
 arch/tile/Kconfig        |    1 +
 arch/x86/Kconfig         |    1 +
 arch/x86/kernel/ioport.c |   12 ++++++------
 grsecurity/Kconfig       |   27 +++++++++++----------------
 8 files changed, 23 insertions(+), 22 deletions(-)

commit 9f610c9c398e7e61183feb7fec6b91b9f2223b61
Merge: fed624e 1395b8f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 2 17:33:01 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 1395b8f8832d179a0c73e890754534c9d5442201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 2 17:31:35 2013 -0500

    Forward-ported the following fix from 3.2:
    - worked around a false positive int truncation in xlog_grant_push_ail, reported by jorgus (http://forums.grsecurity.net/viewtopic.php?f=3&t=3885)
    
    This caused filesystem corruption in the reported XFS case, problem
    introduced with Nov 24th patch (IPA-based size overflow plugin)

 arch/x86/include/asm/atomic64_32.h |    2 +-
 arch/x86/include/asm/atomic64_64.h |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit fed624ebfd1d08ee6db247733cdb44df0e1be8b0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 2 17:20:00 2013 -0500

    Fix qemu -cpu Haswell booting with pax_nouderef on the kernel cmdline

 init/main.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a72ed588cbbda00d356529507b6bdca56c19d4c3
Merge: 3f201fe db6d69f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 30 10:46:15 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/dcache.c
        ipc/shm.c
        net/sunrpc/clnt.c

commit db6d69f61412f929242423f92d52f4c2c74bab5d
Merge: 1f411d7 050dcf4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 30 10:40:33 2013 -0500

    Merge branch 'linux-3.12.y' into pax-test

commit 3f201fe9a368a4b0339a2f3cf1259b785ae8374c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 26 15:16:48 2013 -0500

    Fix null deref on application of the shutdown role, reported by zakalwe

 grsecurity/gracl.c        |   58 ++++++++++++++++++++++++++++++++++++++++++++-
 grsecurity/gracl_policy.c |   58 ++++-----------------------------------------
 2 files changed, 62 insertions(+), 54 deletions(-)

commit f5648d16a7cc79abe6de7ae62e284fa511bb750a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 26 13:04:07 2013 -0500

    Add system library paths to allowed areas for usermode helper calls,
    later we will also add checks to ensure the file is owned by root

 kernel/kmod.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit c610c1f0f580069a1dc9d58c0eb0bddd33cbc25c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 26 12:59:00 2013 -0500

    Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer
    causing a NULL deref on RBAC reload, reported by zakalwe

 grsecurity/gracl_policy.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4026c926f19d7642c1f89895b556fe2addaef239
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Wed Nov 13 07:45:40 2013 -0500

    Upstream commit: ede4cebce16f5643c61aedd6d88d9070a1d23a68
    
    prepend_path() needs to reinitialize dentry/vfsmount/mnt on restarts
    
    ... and equivalent is needed in 3.12; it's broken there as well
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/dcache.c

 fs/dcache.c |   10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

commit c68d27fa66951166bff79a5c1bcc26985ac3f8bc
Merge: 94b560b 1f411d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 25 23:09:47 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 1f411d73c56904d2be9cde1f78aaec7f4554dab1
Merge: 5f17cd8 6beb1be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 25 23:09:34 2013 -0500

    Merge branch 'linux-3.12.y' into pax-test

commit 94b560b0163a20b9eab9ec77b83f0bff853fe601
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 25 22:33:33 2013 -0500

    compile fix

 kernel/kmod.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 58c014d37769d384c2e3c06ce5f60fe54f855b24
Merge: 48ac6ac 5f17cd8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 25 22:27:00 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/mm/fault.c

commit 5f17cd87d5c7faf606255f061dd394f6761e38df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 25 22:25:42 2013 -0500

    Update to pax-linux-3.12.1-test2.patch:
    - made arm/UDEREF violation reports more consistent, reported by acez and spender
    - added a bit more amd64 kernel page table hardening
    - fixed some constify related compiler errors
    - fixed stack trace reports under i386/KERNEXEC, reported by ncopa and minipli
    - updated the size overflow hash table

 arch/arm/mm/fault.c                                |   16 ++-
 arch/x86/include/asm/paravirt_types.h              |    2 +-
 arch/x86/kernel/head_64.S                          |   18 ++-
 drivers/gpu/drm/radeon/radeon_ttm.c                |    2 +-
 drivers/gpu/vga/vga_switcheroo.c                   |    4 +-
 drivers/hwmon/nct6775.c                            |    6 +-
 drivers/staging/lustre/lnet/selftest/brw_test.c    |   12 +-
 drivers/staging/lustre/lnet/selftest/framework.c   |    4 -
 drivers/staging/lustre/lnet/selftest/ping_test.c   |   14 +-
 drivers/staging/lustre/lustre/include/lustre_dlm.h |    2 +-
 drivers/staging/lustre/lustre/include/obd.h        |    2 +-
 .../lustre/lustre/libcfs/linux/linux-proc.c        |    6 +-
 drivers/staging/rtl8188eu/include/hal_intf.h       |    2 +-
 drivers/staging/rtl8188eu/include/rtw_io.h         |    2 +-
 include/linux/hwmon-sysfs.h                        |    1 +
 include/linux/pm.h                                 |    1 +
 include/linux/vga_switcheroo.h                     |    8 +-
 net/core/sysctl_net_core.c                         |    2 +-
 scripts/link-vmlinux.sh                            |    4 +-
 sound/soc/soc-core.c                               |    6 +-
 tools/gcc/size_overflow_hash.data                  |  142 ++++++++++++--------
 21 files changed, 145 insertions(+), 111 deletions(-)

commit 48ac6ac8a1fd55f2b276bf5326ce52782b7c554f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 25 12:01:21 2013 -0500

    Conventions exist for a reason -- systemd knows better though
    and decides to put security-sensitive system administration utilities
    into /usr/lib/systemd in contrast to *every* other user of usermode
    helpers.  Work around this stupidity

 kernel/kmod.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9ed081196dcaa72bae91d5a31329e35bd480d92b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 22:49:05 2013 -0500

    Revert "HID: multitouch: validate feature report details"
    
    This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684.

 drivers/hid/hid-multitouch.c |   25 +++++--------------------
 1 files changed, 5 insertions(+), 20 deletions(-)

commit 801d69b26655ea7240df45ad14f96054e4d9803a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 22:48:49 2013 -0500

    Revert "HID: lenovo-tpkbd: validate output report details"
    
    This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a.

 drivers/hid/hid-lenovo-tpkbd.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit 1f70f596dd47ca9467a06b19ffc341c147ea4a23
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 22:48:33 2013 -0500

    Revert "HID: steelseries: validate output report details"
    
    This reverts commit 0996966348dc3c3f7515567d3245292785d484fc.

 drivers/hid/hid-steelseries.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit 8101ee4167c83f850cc2366088e3f60d01dcb9f7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 22:22:03 2013 -0500

    remove __no_const from pv_lock_ops as it's not constified by the plugin

 arch/x86/include/asm/paravirt_types.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a94e46e08a9d8236544f881faa9cccecfe9c702b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 22:08:33 2013 -0500

    add missing header

 fs/proc/proc_sysctl.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit f0018c34f5ef840fffac10eb60fed9048317832f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 22:04:55 2013 -0500

    Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace

 fs/proc/proc_sysctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 99a6a515bf625395fa31892f46311c3877a3fa93
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 17:50:21 2013 -0500

    remove unnecessary code/comments after new reload method
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c        |    4 ----
 grsecurity/gracl_policy.c |   13 -------------
 2 files changed, 0 insertions(+), 17 deletions(-)

commit 10b6650a259b9a5911a33fc9aaf6677920830eee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 16:05:01 2013 -0500

    Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then)
    
    Introduce new atomic RBAC reload method, developed as part of sponsorship
    by EIG
    
    This is accompanied by an updated 3.0 gradm which will use the new reload
    method when -R is passed to gradm.  The old method will still be available
    via gradm -r (which is what a 2.9.1 gradm will continue to use).
    
    The new RBAC reload method is atomic in the sense that at no point in the
    reload process will the system not be covered by a coherent full policy.
    In contrast to previous reload behavior, it also preserves inherited subjects
    and special roles.
    
    The old RBAC reload method has also been made atomic.  Both methods have
    been updated to perform role_allowed_ip checks only against the IP tagged
    to the task at the time its role was first applied or changed.  This resolves
    long-standing usability problems with the use of role_allowed_ip and matches
    the policies created by learning.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Makefile         |    2 +-
 grsecurity/gracl.c          | 3903 +++++++++++++------------------------------
 grsecurity/gracl_alloc.c    |   42 +-
 grsecurity/gracl_compat.c   |    3 +-
 grsecurity/gracl_policy.c   | 1838 ++++++++++++++++++++
 grsecurity/gracl_segv.c     |   12 +-
 grsecurity/grsec_disabled.c |    7 -
 grsecurity/grsec_init.c     |   15 -
 include/linux/gracl.h       |   43 +-
 include/linux/grinternal.h  |    1 -
 include/linux/grsecurity.h  |    1 -
 include/linux/sched.h       |    2 +
 12 files changed, 3082 insertions(+), 2787 deletions(-)

commit b035ba537ccc7dc58b9643ab58a2f5a7b4e6738e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 15:08:28 2013 -0500

    compile fix for recent GRKERNSEC_CHROOT_INITRD change
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 init/main.c |   12 +++---------
 1 files changed, 3 insertions(+), 9 deletions(-)

commit a898fff136a97e265c63375a2a03ebd91c9c1286
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 18:27:37 2013 -0500

    Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kmod.h |    3 +++
 kernel/kmod.c        |   13 +++++++++++++
 2 files changed, 16 insertions(+), 0 deletions(-)

commit 1ae8347eb782c4e961210052e2de554bfdb52980
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 17:20:15 2013 -0500

    Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention.
    
    Reported by acez on IRC
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/mm/fault.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit 71643b46e6b67e76e52153559d0dc4004c402141
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:56:46 2013 -0500

    Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically.
    
    Conflicts:
    
        init/main.c
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig        |    2 +-
 grsecurity/grsec_chroot.c |    2 +-
 init/main.c               |   15 +++++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

commit e357e72d769e5c35167e2bf934c722fc825ee2cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:33:20 2013 -0500

    limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/kmod.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 4ed2dc55aa2344b9ade6cddbe5ee8b51b6239c54
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:02:01 2013 -0500

    perform USERCOPY kernel text checks against the linear mapping on amd64 as well
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/exec.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 211bbd408a1d7bc2e9ef72df07aa7ce0cbd6c49d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 22 20:31:37 2013 -0500

    Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
    
    This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
    
    It caused errors with traceroute, reported to upstream and fixed with
    http://patchwork.ozlabs.org/patch/293614/
    But there's no reason for us to maintain this backport as we're
    already impervious to recvmsg/msg_name infoleaks
    
    Conflicts:
    
        net/ipv4/ping.c
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/ieee802154/dgram.c |    3 ++-
 net/ipv4/ping.c        |   11 +++++++++--
 net/ipv4/raw.c         |    4 +++-
 net/ipv4/udp.c         |    7 ++++++-
 net/ipv6/raw.c         |    4 +++-
 net/ipv6/udp.c         |    5 ++++-
 net/l2tp/l2tp_ip.c     |    4 +++-
 net/phonet/datagram.c  |    9 +++++----
 8 files changed, 35 insertions(+), 12 deletions(-)

commit 4bd8414bb148cf8681c8f1d2deda5739cafb6917
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Nov 18 07:07:45 2013 +0100

    Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0
    
    ping: prevent NULL pointer dereference on write to msg_name
    
    A plain read() on a socket does set msg->msg_name to NULL. So check for
    NULL pointer first.
    
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/ipv4/ping.c |   34 +++++++++++++++++++---------------
 1 files changed, 19 insertions(+), 15 deletions(-)

commit ccc6e0dd63fc36c5c7fd1bbe4f8fed6533d188a1
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Nov 18 04:20:45 2013 +0100

    Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69
    
    inet: prevent leakage of uninitialized memory to user in recv syscalls
    
    Only update *addr_len when we actually fill in sockaddr, otherwise we
    can return uninitialized memory from the stack to the caller in the
    recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
    checks because we only get called with a valid addr_len pointer either
    from sock_common_recvmsg or inet_recvmsg.
    
    If a blocking read waits on a socket which is concurrently shut down we
    now return zero and set msg_msgnamelen to 0.
    
    Reported-by: mpb <mpb.mail@gmail.com>
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/ieee802154/dgram.c |    3 +--
 net/ipv4/ping.c        |   19 +++++++------------
 net/ipv4/raw.c         |    4 +---
 net/ipv4/udp.c         |    7 +------
 net/ipv6/raw.c         |    4 +---
 net/ipv6/udp.c         |    5 +----
 net/l2tp/l2tp_ip.c     |    4 +---
 net/phonet/datagram.c  |    9 ++++-----
 8 files changed, 17 insertions(+), 38 deletions(-)

commit 0db1e136415d5696b2342b953361ef7c3017247d
Author: Jeff Layton <jlayton@redhat.com>
Date:   Wed Nov 13 09:08:21 2013 -0500

    Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545
    
    nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once
    
    Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or
    NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again.
    There is no guarantee that doing so will work however, so we can end up
    retrying the call in an infinite loop.
    
    Worse yet, we create the new client using rpc_clone_client_set_auth,
    which creates the new client as a child of the old one. Thus, we can end
    up with a *very* long lineage of rpc_clnts. When we go to put all of the
    references to them, we can end up with a long call chain that can smash
    the stack as each rpc_free_client() call can recurse back into itself.
    
    This patch fixes this by simply ensuring that the SETCLIENTID call will
    only be retried in this situation if the last attempt did not use
    RPC_AUTH_UNIX.
    
    Note too that with this change, we don't need the (i > 2) check in the
    -EACCES case since we now have a more reliable test as to whether we
    should reattempt.
    
    Cc: stable@vger.kernel.org # v3.10+
    Cc: Chuck Lever <chuck.lever@oracle.com>
    Tested-by/Acked-by: Weston Andros Adamson <dros@netapp.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/nfs/nfs4state.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 74d59ef1b28635f588c47b270777cd69b0e8291f
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Tue Nov 12 17:24:36 2013 -0500

    Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b
    
    SUNRPC: Avoid deep recursion in rpc_release_client
    
    In cases where an rpc client has a parent hierarchy, then
    rpc_free_client may end up calling rpc_release_client() on the
    parent, thus recursing back into rpc_free_client. If the hierarchy
    is deep enough, then we can get into situations where the stack
    simply overflows.
    
    The fix is to have rpc_release_client() loop so that it can take
    care of the parent rpc client hierarchy without needing to
    recurse.
    
    Reported-by: Jeff Layton <jlayton@redhat.com>
    Reported-by: Weston Andros Adamson <dros@netapp.com>
    Reported-by: Bruce Fields <bfields@fieldses.org>
    Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/sunrpc/clnt.c |   29 +++++++++++++++++------------
 1 files changed, 17 insertions(+), 12 deletions(-)

commit 8ae59cf66f3a302d45578171337df2d8fe35458c
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Nov 8 16:03:50 2013 -0500

    Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73
    
    SUNRPC: Fix a data corruption issue when retransmitting RPC calls
    
    The following scenario can cause silent data corruption when doing
    NFS writes. It has mainly been observed when doing database writes
    using O_DIRECT.
    
    1) The RPC client uses sendpage() to do zero-copy of the page data.
    2) Due to networking issues, the reply from the server is delayed,
       and so the RPC client times out.
    
    3) The client issues a second sendpage of the page data as part of
       an RPC call retransmission.
    
    4) The reply to the first transmission arrives from the server
       _before_ the client hardware has emptied the TCP socket send
       buffer.
    5) After processing the reply, the RPC state machine rules that
       the call to be done, and triggers the completion callbacks.
    6) The application notices the RPC call is done, and reuses the
       pages to store something else (e.g. a new write).
    
    7) The client NIC drains the TCP socket send buffer. Since the
       page data has now changed, it reads a corrupted version of the
       initial RPC call, and puts it on the wire.
    
    This patch fixes the problem in the following manner:
    
    The ordering guarantees of TCP ensure that when the server sends a
    reply, then we know that the _first_ transmission has completed. Using
    zero-copy in that situation is therefore safe.
    If a time out occurs, we then send the retransmission using sendmsg()
    (i.e. no zero-copy), We then know that the socket contains a full copy of
    the data, and so it will retransmit a faithful reproduction even if the
    RPC call completes, and the application reuses the O_DIRECT buffer in
    the meantime.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/sunrpc/xprtsock.c |   28 +++++++++++++++++++++-------
 1 files changed, 21 insertions(+), 7 deletions(-)

commit 1a40aeaa23860a26df02c9c8729937b6da2bcdd6
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Nov 14 11:21:10 2013 +0300

    Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796
    
    isdnloop: use strlcpy() instead of strcpy()
    
    These strings come from a copy_from_user() and there is no way to be
    sure they are NUL terminated.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/isdn/isdnloop/isdnloop.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit a7a1549064b332e878efa22fdebed32035cc8f07
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Nov 14 13:37:54 2013 -0800

    Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf
    
    ipv4: fix possible seqlock deadlock
    
    ip4_datagram_connect() being called from process context,
    it should use IP_INC_STATS() instead of IP_INC_STATS_BH()
    otherwise we can deadlock on 32bit arches, or get corruptions of
    SNMP counters.
    
    Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/ipv4/datagram.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 96b7719c933229c8619f8ad207c141dcc70d546e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:15:51 2013 -0500

    GRKERNSEC_HARDEN_IPC should depend on SYSVIPC
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0001071fa9ff6ef9370a370bea51bef2f1e3c2ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 19:07:11 2013 -0500

    Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/mm/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 05ae94add600530e3ae98f9a153cb6423b91e46a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 19:01:59 2013 -0500

    Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
    
    Will let this sit in -test for a while to weed out any app incompatibilities
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig         |   17 +++++++++++++++++
 grsecurity/Makefile        |    2 +-
 grsecurity/grsec_init.c    |    4 ++++
 grsecurity/grsec_ipc.c     |   22 ++++++++++++++++++++++
 grsecurity/grsec_sysctl.c  |    9 +++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grmsg.h      |    1 +
 ipc/util.c                 |    5 +++++
 8 files changed, 60 insertions(+), 1 deletions(-)

commit f5be6d902d5b36c0fb40aabb61f686e510a2d887
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 11 10:48:10 2013 -0500

    Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/video/arcfb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e60c412c422f72a52c819465db8b81991d861390
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 22:01:33 2013 -0500

    Add missing include
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/proc/proc_sysctl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 17d5ff67a76aab404c8cbe13576d492a7a8b342a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 17:50:12 2013 -0500

    add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/mm/Kconfig |    2 +-
 grsecurity/Kconfig  |   14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletions(-)

commit b4aa2136272e6b1cdbb285a74ee17471dd679dfa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 15:19:27 2013 -0500

    On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr.
    
    Thanks to acez from IRC for debugging.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 197a69f1783917091d60db2a3ffd7ff14d41489d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 13:54:25 2013 -0500

    Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own
    
    This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
    networking
    
    Thanks to ncopa from IRC for testing
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/proc/proc_sysctl.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 010702a965acb2aea4d81510f99d788ab6564123
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:23:36 2013 -0500

    Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
    
    Conflicts:
    
        security/Kconfig
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 09ce0d45a4fc86ca1389260bf28a62f98ccff362
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:19:21 2013 -0500

    change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence
    
    Conflicts:
    
        lib/list_debug.c
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 lib/list_debug.c |   65 ++++++++++++++++++++++++++++++++++-------------------
 1 files changed, 42 insertions(+), 23 deletions(-)

commit 60a1f79d72bdfc2c6aed1be9537559959a0b8b55
Author: Jason Wang <jasowang@redhat.com>
Date:   Fri Nov 1 15:01:10 2013 +0800

    Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd
    
    net: flow_dissector: fail on evil iph->ihl
    
    We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
    skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
    is evil (less than 5).
    
    This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
    (rps: support IPIP encapsulation).
    
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: Petr Matousek <pmatouse@redhat.com>
    Cc: Michael S. Tsirkin <mst@redhat.com>
    Cc: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/core/flow_dissector.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9743a1eca0b0172da4ec07bc07fa30fcccb9fba7
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue Oct 29 10:21:34 2013 -0700

    Fixed a little differently than Linus...
    
    Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
    
    Fix a few incorrectly checked [io_]remap_pfn_range() calls
    
    Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
    really should use the vm_iomap_memory() helper.  This trivially converts
    two of them to the helper, and comments about why the third one really
    needs to continue to use remap_pfn_range(), and adds the missing size
    check.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
    
    Conflicts:
    
        drivers/uio/uio.c
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/uio/uio.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 187b4936fbaaafd087556919bae3b719e67536b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:36:25 2013 -0400

    From: Mathias Krause <minipli@googlemail.com> To: linux-audit@redhat.com Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com> Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests
    
    We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
    we miss to initialize the mask member of status_set. Fix that.
    
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: stable@vger.kernel.org  # v2.6.6+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/audit.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0e48ab30113de43958987e9f0d20fb816892c090
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 19:02:32 2013 -0400

    add 2nd chunk of audit nlmsg_len() fix from minipli
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/audit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b5e6b4bcb3a38c94605e9fa68d6c5936438fb0d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:37:59 2013 -0400

    From: Mathias Krause <minipli@googlemail.com> To: linux-audit@redhat.com Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com> Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length
    
    Using the nlmsg_len member of the netlink header to test if the message
    is valid is wrong as it includes the size of the netlink header itself.
    Thereby allowing to send short netlink messages that pass those checks.
    
    Use nlmsg_len() instead to test for the right message length. The result
    of nlmsg_len() is guaranteed to be non-negative as the netlink message
    already passed the checks of nlmsg_ok().
    
    Also switch to min_t() to please checkpatch.pl.
    
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: stable@vger.kernel.org  # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/audit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dfb491ad409ee7efadcb00041cd31e9e411efebb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:41:01 2013 -0400

    From: Mathias Krause <minipli@googlemail.com> To: netfilter-devel@vger.kernel.org Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>, Bart De Schuymer <bart.de.schuymer@pandora.be> Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks
    
    The ulog messages leak heap bytes by the means of padding bytes and
    incompletely filled string arrays. Fix those by memset(0)'ing the
    whole struct before filling it.
    
    Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    Conflicts:
    
        net/bridge/netfilter/ebt_ulog.c
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/bridge/netfilter/ebt_ulog.c |    9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit 637ef6f911201af0136b794b5b602eb14efb6b7c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:43:01 2013 -0400

    From: Mathias Krause <minipli@googlemail.com> To: netfilter-devel@vger.kernel.org Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks
    
    The ulog messages leak heap bytes by the means of padding bytes and
    incompletely filled string arrays. Fix those by memset(0)'ing the
    whole struct before filling it.
    
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    Conflicts:
    
        net/ipv4/netfilter/ipt_ULOG.c
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/ipv4/netfilter/ipt_ULOG.c |    7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 103af82880576436f1fceafec93da69f0d55d019
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 27 21:06:17 2013 -0400

    Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_ip.c |    7 +++----
 net/socket.c          |   26 +++++++++++++++-----------
 2 files changed, 18 insertions(+), 15 deletions(-)

commit 7749496c3667613ea505823948c0f4f4d9c1d90c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 22 18:14:07 2013 -0400

    Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
    
    This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/netlink/genetlink.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit 4463e68a60d4fb557d37f993f42e3039041550fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 15 09:19:21 2013 -0400

    remove unnecessary check from when protocol was signed
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/phonet/af_phonet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit efafe8039b3287f73e0abcb4f7be18e83a5c9a2e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 15 08:53:27 2013 -0400

    resync with PaX
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 security/selinux/hooks.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 79b41d988ecb86d7dd46f3319b50f4c4d46e65a7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 21:12:45 2013 -0400

    Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 lib/Kconfig.debug |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0f3840d1103e4bf77d4e2098afc4750bb6440ecc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 19:16:48 2013 -0400

    Fix a bad git merge, re-applied a previously reverted patch
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit c5f66cfeabad4b64a521d1442f7ea9149c011320
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:56:37 2013 -0400

    finish porting namei.c
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/namei.c |   50 +++++++++++---------------------------------------
 1 files changed, 11 insertions(+), 39 deletions(-)

commit c264c5b4c33c462b41d224091602fe5c9acb163b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:44:08 2013 -0400

    cred->user -> current_user()
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit af7bdc7d41a1a8b631802772088968ceacd0d6b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:36:24 2013 -0400

    Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 00eb4028fcc737e2451332e3177705913c9b1bb1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:36:23 2013 -0400

    fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 7adc4a28e2a0ef38f89bbd648a2e1ba70cad852e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:17:02 2013 -0400

    Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_sysctl.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 472e0e1d1516b3002ce1e256dfcd58701358d5f8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 18:41:49 2013 -0400

    Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
    
    Also eliminate reset_security_ops() as a ROP target when
    SECURITY_SELINUX_DISABLE is disabled as it's the only user
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig        |   17 ++++++++++++++++-
 grsecurity/grsec_init.c   |    3 +++
 grsecurity/grsec_sysctl.c |    2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)

commit 92745146ec948d5761ac00f98c4a1612c8e6037e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 17:11:11 2013 -0400

    fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_sysctl.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit eac5b7076235de7b21757cab257415ab779cc7c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:42:39 2013 -0400

    add export of gr_handle_new_usb()
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_usb.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 8e4ea40613a9763d1dc128fdf29c0279001b5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 19:24:47 2013 -0400

    Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/usb/core/hub.c     |    5 +++++
 grsecurity/Kconfig         |   20 ++++++++++++++++++++
 grsecurity/Makefile        |    3 ++-
 grsecurity/grsec_init.c    |    1 +
 grsecurity/grsec_sysctl.c  |   11 +++++++++++
 grsecurity/grsec_usb.c     |   13 +++++++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grsecurity.h |    2 ++
 8 files changed, 55 insertions(+), 1 deletions(-)

commit 0996966348dc3c3f7515567d3245292785d484fc
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:14:34 2013 -0700

    HID: steelseries: validate output report details
    
    A HID device could send a malicious output report that would cause the
    steelseries HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
    ...
    [  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2891
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-steelseries.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 91bfda18a5711db32c984c632f47fa57458d993a
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:21:23 2013 -0700

    HID: lenovo-tpkbd: validate output report details
    
    A HID device could send a malicious output report that would cause the
    lenovo-tpkbd HID driver to write just beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
    ...
    [   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2894
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-lenovo-tpkbd.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 8aeb7645473b408fc6b2bd78a72671351fc8e684
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:11:32 2013 -0700

    HID: multitouch: validate feature report details
    
    When working on report indexes, always validate that they are in bounds.
    Without this, a HID device could report a malicious feature report that
    could trick the driver into a heap overflow:
    
    [  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
    ...
    [  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2897
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-multitouch.c |   25 ++++++++++++++++++++-----
 1 files changed, 20 insertions(+), 5 deletions(-)

commit 1a624940a4733c04c0f997820c1dcd1eebfcd5bc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 19 22:10:04 2013 -0400

    fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/x86/kernel/smpboot.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit acca67efb4aeee03672b5d2947da311dcfc2a1d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 12:00:20 2013 -0400

    make kallsyms_lookup_size_offset available to approved source files
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit cb33df1c5ce5f74fcb7d4a2f5b2d07d54d4e1fd8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:18:09 2013 -0400

    allow use of kallsyms_lookup_name to approved source files
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 72e55282becb58c925f9034fe717cad96f7fc51d
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Aug 13 09:04:05 2013 +0200

    Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
    
    genetlink: fix family dump race
    
    When dumping generic netlink families, only the first dump call
    is locked with genl_lock(), which protects the list of families,
    and thus subsequent calls can access the data without locking,
    racing against family addition/removal. This can cause a crash.
    Fix it - the locking needs to be conditional because the first
    time around it's already locked.
    
    A similar bug was reported to me on an old kernel (3.4.47) but
    the exact scenario that happened there is no longer possible,
    on those kernels the first round wasn't locked either. Looking
    at the current code I found the race described above, which had
    also existed on the old kernel.
    
    Cc: stable@vger.kernel.org
    Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/netlink/genetlink.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 2f8d8b1de901cce7ac5a5dc4f3b8731ba58653d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 08:58:34 2013 -0400

    Fix two harmless compiler warnings
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/kernel/process.c |    4 ++--
 fs/exec.c                 |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit c414e04ef91fca7dfd260ae307272b1b9a29d1bd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:46:01 2013 -0400

    Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    2 +-
 kernel/kprobes.c         |    3 +++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit b11ccf0d90b1244a91e0422ecd1a1b4918384ff7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 10 09:41:40 2013 -0400

    propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/sparc/mm/hugetlbpage.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit 81c244a4d186918eb5bde824945878803fb5aeeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:58:42 2013 -0400

    Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0f32f992d91442e87628fa805f488c2431930df7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:26:40 2013 -0400

    Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
    
    Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
    user namespaces!
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/fork.c           |   17 -----------------
 kernel/user_namespace.c |   15 +++++++++++++++
 2 files changed, 15 insertions(+), 17 deletions(-)

commit b570e8d61ff1670d0737acd9919316ac32fce732
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 16:05:41 2013 -0400

    silence a warning on older gcc
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f580da3b1ddbecc3f65a7957986742bea34c5851
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 3 08:31:08 2013 -0400

    we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2b23c36d322e9ebea5621652b77ad2569a3826d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:54:51 2013 -0400

    add include
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_log.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ecb7724fd1bcd4fa57059d6297d4f74d4ec93fe6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:49:13 2013 -0400

    fix compilation
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/grinternal.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit a2d7b00383303a5d537e64519dbd31d51645d28e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:34:35 2013 -0400

    Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/binfmt_elf.c            |   37 +++++++++++++++++++++++++++++++++++++
 fs/exec.c                  |    4 ++++
 grsecurity/Kconfig         |   21 +++++----------------
 grsecurity/grsec_init.c    |    4 ----
 grsecurity/grsec_log.c     |   14 ++++++++++++++
 grsecurity/grsec_pax.c     |   19 ++++++++++++++-----
 grsecurity/grsec_sysctl.c  |    9 ---------
 include/linux/binfmts.h    |    1 +
 include/linux/grinternal.h |    2 +-
 include/linux/grmsg.h      |    3 ++-
 include/linux/grsecurity.h |    3 ++-
 mm/mmap.c                  |    7 +++++++
 mm/mprotect.c              |    2 +-
 13 files changed, 88 insertions(+), 38 deletions(-)

commit 9513c974076339e5b4ba8974b50fd3e9fe18a0d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:52:02 2013 -0400

    add missing #define
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 97af65d0dbfaf8680a7f9a17c45a10892fe907d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:43:53 2013 -0400

    fix compilation for !COMPAT as reported on the forums
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |  195 ++++++++++++++++++++++++++--------------------------
 1 files changed, 97 insertions(+), 98 deletions(-)

commit b2362a07aecb8b86d3dd5e0696ea6dc546ea3144
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:20 2013 -0400

    Revert "revert recent PaX change that causes boot failures with 32bit userland"
    
    This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit 9c0a788e099e0a78bb83961bf02d82ac2c32e21c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 16:26:58 2013 -0400

    compile fix for !COMPAT as mentioned on forums
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 1975575638ae15faba25f749a9040345a73e12e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:33:14 2013 -0400

    perform compat conversion of rlimit infinity
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 1282e76e8da58821760a5519cd7bd2510ad7deaf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:21:40 2013 -0400

    remove debugging
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   44 +++++++++++---------------------------------
 1 files changed, 11 insertions(+), 33 deletions(-)

commit 6aa728a7c77d5fe62dd0b731e76b518f85db7808
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:20:32 2013 -0400

    eliminate compat_dev_t
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/gracl_compat.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 176f65b9498eb83576294934d94bb80f3830e99a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:13:22 2013 -0400

    fix compat rlimit size
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c    |   68 +++++++++++++++++++++++++++++-------------
 include/linux/gracl_compat.h |    4 +-
 2 files changed, 49 insertions(+), 23 deletions(-)

commit f039eddf22e143d336421325eb689a76227956b3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:20:18 2013 -0400

    compile fix
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 4594be163c41c9a400f0b377e6c35d8fb5599387
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:14:29 2013 -0400

    copy correct pointer size in new compat code
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c        |    8 ++++----
 grsecurity/gracl_compat.c |    4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 54a18c9ea152b14381ed3fb4b0a86ef78bd611af
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:15:50 2013 -0400

    compile fix
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 166e0c9ff369a931bec65abda32811bb0b548506
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:12:46 2013 -0400

    remove BUILD_BUG_ONs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   20 --------------------
 1 files changed, 0 insertions(+), 20 deletions(-)

commit ee1e4712f5b32f43da0130efedbeb158d7f63562
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:18:36 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c    |    8 ++++----
 include/linux/gracl_compat.h |    2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

commit a629a151f557380fed415b226fe5e0e234a285eb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:16:42 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c        |    4 ++--
 grsecurity/gracl_compat.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 218c33ffd6a34fe09037784138dda02b817c1c20
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:13:51 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit e7291feaff2e3dd3d4d01016419cc1dd16ab9658
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:11:03 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 527c8e008b6729ad595c652119128c0a858c0f7e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:08:21 2013 -0400

    more compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   28 ++++++++++++++--------------
 1 files changed, 14 insertions(+), 14 deletions(-)

commit 0a6c24237be46318780bd5aa0a0c37837336e40a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:59:50 2013 -0400

    more compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 0c11bf85db37db5667cfb61caf0c72e8437e4197
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:56:47 2013 -0400

    additional compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   59 +++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 49 insertions(+), 10 deletions(-)

commit c32fb26e578c2b1b98654e72ceeafc58906acf06
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:47:15 2013 -0400

    fix typo
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 80bb153435dac25476b0da4a61238b229ba2b631
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:46:59 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   53 ++++++++++++++++++++++++++++++++++++++-------------
 1 files changed, 39 insertions(+), 14 deletions(-)

commit d7f8a40e0fc1dc1466a271ac33074b6f90226a1a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:22:44 2013 -0400

    Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
    
    Also removed code duplication for copying strings into the kernel
    
    Work performed as part of sponsorship
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Makefile          |    4 +
 grsecurity/gracl.c           |  315 +++++++++++++++++++++++-------------------
 grsecurity/gracl_compat.c    |  270 ++++++++++++++++++++++++++++++++++++
 include/linux/gracl_compat.h |  156 +++++++++++++++++++++
 4 files changed, 603 insertions(+), 142 deletions(-)

commit 00e035016762dfa49b15cf310ab57fc7011fb4dd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 16 20:40:24 2013 -0400

    allow viewing of ecryptfs version under SYSFS_RESTRICT
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/sysfs/dir.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a144fc9f2f2f6a1d5999b6bd226d964b8b551e31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:49:17 2013 -0400

    Update PaX fix, just return the error
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/madvise.c |   11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

commit 26dd795769f903add193b605f051bed55bf95507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:36:00 2013 -0400

    Fix madvise oops reported by Peter Keel
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/madvise.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit c441e54c74284d2dac3aaaf282391f6572239e24
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 22:04:59 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/exec.c |    2 +-
 mm/mmap.c |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

commit ecea885713f4d818032182d839c86dc74ac95b04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:15:10 2013 -0400

    Initial port of grsecurity to 3.11 using new git method
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    3 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |   12 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   17 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    4 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/defconfig                                  |    1 -
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/signal.c                           |    9 +-
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |    9 +-
 arch/x86/kernel/sys_x86_64.c                       |    8 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |    1 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  128 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/cdrom/cdrom.c                              |    2 +-
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2720 ++++++++------------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    8 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |    9 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  184 ++-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  256 ++-
 fs/namespace.c                                     |   16 +
 fs/open.c                                          |   38 +
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  166 ++-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |    4 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/perf_event.h                         |   13 +-
 include/linux/printk.h                             |    3 +-
 include/linux/sched.h                              |   24 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   29 +
 kernel/capability.c                                |   40 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 +-
 kernel/events/core.c                               |   14 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   64 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    2 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    7 +
 kernel/printk/printk.c                             |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   69 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    1 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   63 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev_ioctl.c                               |    4 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    4 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netrom/af_netrom.c                             |    1 -
 net/phonet/af_phonet.c                             |    2 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  341 +++-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 228 files changed, 4141 insertions(+), 2027 deletions(-)

commit 62c18efae524d4cd41939c1d63989d3582b1131a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:57:40 2013 -0400

    Commit merge of new files and rejected patches
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/include/asm/thread_info.h     |    6 +-
 arch/arm/kernel/process.c              |    4 +-
 arch/powerpc/include/asm/thread_info.h |    7 +-
 arch/powerpc/mm/slice.c                |    2 +-
 arch/sparc/kernel/process_64.c         |    4 +-
 arch/x86/kernel/vm86_32.c              |   15 +
 fs/coredump.c                          |    1 +
 fs/ext4/balloc.c                       |    4 +-
 fs/namei.c                             |    7 +
 fs/namespace.c                         |    8 +
 fs/pipe.c                              |    2 +-
 fs/proc/inode.c                        |   13 +
 fs/proc/internal.h                     |    3 +
 grsecurity/Kconfig                     | 1054 +++++++++
 grsecurity/Makefile                    |   38 +
 grsecurity/gracl.c                     | 4073 ++++++++++++++++++++++++++++++++
 grsecurity/gracl_alloc.c               |  105 +
 grsecurity/gracl_cap.c                 |  110 +
 grsecurity/gracl_fs.c                  |  431 ++++
 grsecurity/gracl_ip.c                  |  387 +++
 grsecurity/gracl_learn.c               |  207 ++
 grsecurity/gracl_res.c                 |   68 +
 grsecurity/gracl_segv.c                |  305 +++
 grsecurity/gracl_shm.c                 |   40 +
 grsecurity/grsec_chdir.c               |   19 +
 grsecurity/grsec_chroot.c              |  370 +++
 grsecurity/grsec_disabled.c            |  434 ++++
 grsecurity/grsec_exec.c                |  187 ++
 grsecurity/grsec_fifo.c                |   24 +
 grsecurity/grsec_fork.c                |   23 +
 grsecurity/grsec_init.c                |  283 +++
 grsecurity/grsec_link.c                |   58 +
 grsecurity/grsec_log.c                 |  326 +++
 grsecurity/grsec_mem.c                 |   40 +
 grsecurity/grsec_mount.c               |   62 +
 grsecurity/grsec_pax.c                 |   36 +
 grsecurity/grsec_ptrace.c              |   30 +
 grsecurity/grsec_sig.c                 |  246 ++
 grsecurity/grsec_sock.c                |  244 ++
 grsecurity/grsec_sysctl.c              |  469 ++++
 grsecurity/grsec_time.c                |   16 +
 grsecurity/grsec_tpe.c                 |   73 +
 grsecurity/grsum.c                     |   61 +
 include/linux/gracl.h                  |  319 +++
 include/linux/gralloc.h                |    9 +
 include/linux/grdefs.h                 |  140 ++
 include/linux/grinternal.h             |  227 ++
 include/linux/grmsg.h                  |  112 +
 include/linux/grsecurity.h             |  241 ++
 include/linux/grsock.h                 |   19 +
 include/linux/netfilter/xt_gradm.h     |    9 +
 include/linux/proc_fs.h                |   13 +
 include/linux/sched.h                  |   48 +-
 include/trace/events/fs.h              |   53 +
 kernel/kmod.c                          |    7 +-
 kernel/panic.c                         |    2 +-
 kernel/posix-timers.c                  |    1 +
 kernel/time/timekeeping.c              |    2 +
 lib/Kconfig.debug                      |    2 +-
 lib/vsprintf.c                         |   31 +
 localversion-grsec                     |    1 +
 mm/mmap.c                              |   13 +-
 mm/shmem.c                             |    2 +-
 net/core/net-procfs.c                  |    5 +
 net/ipv6/udp.c                         |    3 +
 net/netfilter/xt_gradm.c               |   51 +
 66 files changed, 11184 insertions(+), 21 deletions(-)

commit 718ed34658f4e4716ff3c9e6d098552d357d19f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 20:58:05 2013 -0500

    Initial import of pax-linux-3.12.1-test1.patch

 Documentation/dontdiff                             |   46 +-
 Documentation/kernel-parameters.txt                |   23 +
 Makefile                                           |  100 +-
 arch/alpha/include/asm/atomic.h                    |   10 +
 arch/alpha/include/asm/elf.h                       |    7 +
 arch/alpha/include/asm/pgalloc.h                   |    6 +
 arch/alpha/include/asm/pgtable.h                   |   11 +
 arch/alpha/kernel/module.c                         |    2 +-
 arch/alpha/kernel/osf_sys.c                        |    8 +-
 arch/alpha/mm/fault.c                              |  141 +-
 arch/arm/Kconfig                                   |    2 +-
 arch/arm/include/asm/atomic.h                      |  444 ++-
 arch/arm/include/asm/cache.h                       |    5 +-
 arch/arm/include/asm/cacheflush.h                  |    2 +-
 arch/arm/include/asm/checksum.h                    |   14 +-
 arch/arm/include/asm/cmpxchg.h                     |    2 +
 arch/arm/include/asm/domain.h                      |   33 +-
 arch/arm/include/asm/elf.h                         |   13 +-
 arch/arm/include/asm/fncpy.h                       |    2 +
 arch/arm/include/asm/futex.h                       |   10 +
 arch/arm/include/asm/kmap_types.h                  |    2 +-
 arch/arm/include/asm/mach/dma.h                    |    2 +-
 arch/arm/include/asm/mach/map.h                    |    7 +-
 arch/arm/include/asm/outercache.h                  |    2 +-
 arch/arm/include/asm/page.h                        |    2 +-
 arch/arm/include/asm/pgalloc.h                     |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h        |    5 +
 arch/arm/include/asm/pgtable-2level.h              |    3 +
 arch/arm/include/asm/pgtable-3level-hwdef.h        |    1 +
 arch/arm/include/asm/pgtable-3level.h              |    2 +
 arch/arm/include/asm/pgtable.h                     |   54 +-
 arch/arm/include/asm/proc-fns.h                    |    2 +-
 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/include/asm/smp.h                         |    2 +-
 arch/arm/include/asm/thread_info.h                 |    6 +-
 arch/arm/include/asm/uaccess.h                     |   95 +-
 arch/arm/include/uapi/asm/ptrace.h                 |    2 +-
 arch/arm/kernel/armksyms.c                         |    8 +-
 arch/arm/kernel/entry-armv.S                       |  110 +-
 arch/arm/kernel/entry-common.S                     |   40 +-
 arch/arm/kernel/entry-header.S                     |   60 +
 arch/arm/kernel/fiq.c                              |    3 +
 arch/arm/kernel/head.S                             |    6 +-
 arch/arm/kernel/module.c                           |   31 +-
 arch/arm/kernel/patch.c                            |    2 +
 arch/arm/kernel/process.c                          |   42 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/arm/kernel/setup.c                            |   22 +-
 arch/arm/kernel/signal.c                           |   35 +-
 arch/arm/kernel/smp.c                              |    2 +-
 arch/arm/kernel/traps.c                            |    8 +-
 arch/arm/kernel/vmlinux.lds.S                      |   24 +-
 arch/arm/kvm/arm.c                                 |    8 +-
 arch/arm/lib/clear_user.S                          |    6 +-
 arch/arm/lib/copy_from_user.S                      |    6 +-
 arch/arm/lib/copy_page.S                           |    1 +
 arch/arm/lib/copy_to_user.S                        |    6 +-
 arch/arm/lib/csumpartialcopyuser.S                 |    4 +-
 arch/arm/lib/delay.c                               |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c                 |    4 +-
 arch/arm/mach-kirkwood/common.c                    |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                   |    2 +-
 arch/arm/mach-omap2/gpmc.c                         |   22 +-
 arch/arm/mach-omap2/omap-mpuss-lowpower.c          |    4 +-
 arch/arm/mach-omap2/omap-wakeupgen.c               |    2 +-
 arch/arm/mach-omap2/omap_device.c                  |    4 +-
 arch/arm/mach-omap2/omap_device.h                  |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                   |    4 +-
 arch/arm/mach-omap2/wd_timer.c                     |    6 +-
 arch/arm/mach-tegra/cpuidle-tegra20.c              |    2 +-
 arch/arm/mach-ux500/setup.h                        |    7 -
 arch/arm/mm/Kconfig                                |    6 +-
 arch/arm/mm/alignment.c                            |    8 +
 arch/arm/mm/context.c                              |   10 +-
 arch/arm/mm/fault.c                                |  134 +
 arch/arm/mm/fault.h                                |   12 +
 arch/arm/mm/init.c                                 |   41 +
 arch/arm/mm/ioremap.c                              |    4 +-
 arch/arm/mm/mmap.c                                 |   30 +-
 arch/arm/mm/mmu.c                                  |  185 +-
 arch/arm/plat-omap/sram.c                          |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h       |    2 +-
 arch/avr32/include/asm/elf.h                       |    8 +-
 arch/avr32/include/asm/kmap_types.h                |    4 +-
 arch/avr32/mm/fault.c                              |   27 +
 arch/frv/include/asm/atomic.h                      |   10 +
 arch/frv/include/asm/kmap_types.h                  |    2 +-
 arch/frv/mm/elf-fdpic.c                            |    3 +-
 arch/ia64/include/asm/atomic.h                     |   10 +
 arch/ia64/include/asm/elf.h                        |    7 +
 arch/ia64/include/asm/pgalloc.h                    |   12 +
 arch/ia64/include/asm/pgtable.h                    |   13 +-
 arch/ia64/include/asm/spinlock.h                   |    2 +-
 arch/ia64/include/asm/uaccess.h                    |   26 +-
 arch/ia64/kernel/module.c                          |   48 +-
 arch/ia64/kernel/palinfo.c                         |    2 +-
 arch/ia64/kernel/sys_ia64.c                        |    7 +
 arch/ia64/kernel/vmlinux.lds.S                     |    2 +-
 arch/ia64/mm/fault.c                               |   32 +-
 arch/ia64/mm/init.c                                |   13 +
 arch/m32r/lib/usercopy.c                           |    6 +
 arch/mips/include/asm/atomic.h                     |  728 ++-
 arch/mips/include/asm/elf.h                        |   11 +-
 arch/mips/include/asm/exec.h                       |    2 +-
 arch/mips/include/asm/local.h                      |   57 +
 arch/mips/include/asm/page.h                       |    2 +-
 arch/mips/include/asm/pgalloc.h                    |    5 +
 arch/mips/include/asm/smtc_proc.h                  |    2 +-
 arch/mips/kernel/binfmt_elfn32.c                   |    7 +
 arch/mips/kernel/binfmt_elfo32.c                   |    7 +
 arch/mips/kernel/irq.c                             |    6 +-
 arch/mips/kernel/process.c                         |   12 -
 arch/mips/kernel/smtc-proc.c                       |    6 +-
 arch/mips/kernel/smtc.c                            |    2 +-
 arch/mips/kernel/sync-r4k.c                        |   24 +-
 arch/mips/kernel/traps.c                           |   13 +-
 arch/mips/mm/fault.c                               |   25 +
 arch/mips/mm/mmap.c                                |   51 +-
 arch/mips/sgi-ip27/ip27-nmi.c                      |    6 +-
 arch/parisc/include/asm/atomic.h                   |   10 +
 arch/parisc/include/asm/elf.h                      |    7 +
 arch/parisc/include/asm/pgalloc.h                  |    6 +
 arch/parisc/include/asm/pgtable.h                  |   11 +
 arch/parisc/include/asm/uaccess.h                  |    4 +-
 arch/parisc/kernel/module.c                        |   50 +-
 arch/parisc/kernel/sys_parisc.c                    |    9 +-
 arch/parisc/kernel/traps.c                         |    4 +-
 arch/parisc/mm/fault.c                             |  140 +-
 arch/powerpc/include/asm/atomic.h                  |   10 +
 arch/powerpc/include/asm/elf.h                     |   19 +-
 arch/powerpc/include/asm/exec.h                    |    2 +-
 arch/powerpc/include/asm/kmap_types.h              |    2 +-
 arch/powerpc/include/asm/mman.h                    |    2 +-
 arch/powerpc/include/asm/page.h                    |    8 +-
 arch/powerpc/include/asm/page_64.h                 |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h              |    7 +
 arch/powerpc/include/asm/pgtable.h                 |    1 +
 arch/powerpc/include/asm/pte-hash32.h              |    1 +
 arch/powerpc/include/asm/reg.h                     |    1 +
 arch/powerpc/include/asm/smp.h                     |    2 +-
 arch/powerpc/include/asm/uaccess.h                 |  140 +-
 arch/powerpc/kernel/exceptions-64e.S               |    4 +-
 arch/powerpc/kernel/exceptions-64s.S               |    2 +-
 arch/powerpc/kernel/module_32.c                    |   13 +-
 arch/powerpc/kernel/process.c                      |   55 -
 arch/powerpc/kernel/signal_32.c                    |    2 +-
 arch/powerpc/kernel/signal_64.c                    |    2 +-
 arch/powerpc/kernel/vdso.c                         |    5 +-
 arch/powerpc/lib/usercopy_64.c                     |   18 -
 arch/powerpc/mm/fault.c                            |   54 +-
 arch/powerpc/mm/mmap.c                             |   16 +
 arch/powerpc/mm/slice.c                            |   13 +-
 arch/powerpc/platforms/cell/spufs/file.c           |    4 +-
 arch/s390/include/asm/atomic.h                     |   10 +
 arch/s390/include/asm/elf.h                        |   13 +-
 arch/s390/include/asm/exec.h                       |    2 +-
 arch/s390/include/asm/uaccess.h                    |   15 +-
 arch/s390/kernel/module.c                          |   22 +-
 arch/s390/kernel/process.c                         |   36 -
 arch/s390/mm/mmap.c                                |   24 +
 arch/score/include/asm/exec.h                      |    2 +-
 arch/score/kernel/process.c                        |    5 -
 arch/sh/mm/mmap.c                                  |   22 +-
 arch/sparc/include/asm/atomic_64.h                 |  106 +-
 arch/sparc/include/asm/cache.h                     |    2 +-
 arch/sparc/include/asm/elf_32.h                    |    7 +
 arch/sparc/include/asm/elf_64.h                    |    7 +
 arch/sparc/include/asm/pgalloc_32.h                |    1 +
 arch/sparc/include/asm/pgalloc_64.h                |    1 +
 arch/sparc/include/asm/pgtable_32.h                |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                  |    5 +
 arch/sparc/include/asm/spinlock_64.h               |   35 +-
 arch/sparc/include/asm/thread_info_32.h            |    2 +
 arch/sparc/include/asm/thread_info_64.h            |    2 +
 arch/sparc/include/asm/uaccess.h                   |    1 +
 arch/sparc/include/asm/uaccess_32.h                |   27 +-
 arch/sparc/include/asm/uaccess_64.h                |   19 +-
 arch/sparc/kernel/Makefile                         |    2 +-
 arch/sparc/kernel/prom_common.c                    |    2 +-
 arch/sparc/kernel/smp_64.c                         |   12 +-
 arch/sparc/kernel/sys_sparc_32.c                   |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                   |   52 +-
 arch/sparc/kernel/traps_64.c                       |   27 +-
 arch/sparc/lib/Makefile                            |    2 +-
 arch/sparc/lib/atomic_64.S                         |  136 +-
 arch/sparc/lib/ksyms.c                             |    6 +
 arch/sparc/mm/Makefile                             |    2 +-
 arch/sparc/mm/fault_32.c                           |  292 +
 arch/sparc/mm/fault_64.c                           |  486 ++
 arch/sparc/mm/hugetlbpage.c                        |   21 +-
 arch/sparc/mm/init_64.c                            |   10 +-
 arch/tile/include/asm/atomic_64.h                  |   10 +
 arch/tile/include/asm/uaccess.h                    |    4 +-
 arch/um/Makefile                                   |    4 +
 arch/um/include/asm/kmap_types.h                   |    2 +-
 arch/um/include/asm/page.h                         |    3 +
 arch/um/include/asm/pgtable-3level.h               |    1 +
 arch/um/kernel/process.c                           |   16 -
 arch/x86/Kconfig                                   |   10 +-
 arch/x86/Kconfig.cpu                               |    6 +-
 arch/x86/Kconfig.debug                             |    4 +-
 arch/x86/Makefile                                  |   16 +-
 arch/x86/boot/Makefile                             |    3 +
 arch/x86/boot/bitops.h                             |    4 +-
 arch/x86/boot/boot.h                               |    4 +-
 arch/x86/boot/compressed/Makefile                  |    3 +
 arch/x86/boot/compressed/eboot.c                   |    2 -
 arch/x86/boot/compressed/efi_stub_32.S             |   16 +-
 arch/x86/boot/compressed/head_32.S                 |    2 +-
 arch/x86/boot/compressed/head_64.S                 |    8 +-
 arch/x86/boot/compressed/misc.c                    |    6 +-
 arch/x86/boot/cpucheck.c                           |   28 +-
 arch/x86/boot/header.S                             |    6 +-
 arch/x86/boot/memory.c                             |    2 +-
 arch/x86/boot/video-vesa.c                         |    1 +
 arch/x86/boot/video.c                              |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S                |    4 +
 arch/x86/crypto/aesni-intel_asm.S                  |   22 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/camellia-aesni-avx-asm_64.S        |   10 +
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S       |   10 +
 arch/x86/crypto/camellia-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S          |    7 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S          |    9 +
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S          |    2 +
 arch/x86/crypto/ghash-clmulni-intel_asm.S          |    5 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S            |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/serpent-avx2-asm_64.S              |    9 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S       |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                   |    2 +
 arch/x86/crypto/sha256-avx-asm.S                   |    2 +
 arch/x86/crypto/sha256-avx2-asm.S                  |    2 +
 arch/x86/crypto/sha256-ssse3-asm.S                 |    2 +
 arch/x86/crypto/sha512-avx-asm.S                   |    2 +
 arch/x86/crypto/sha512-avx2-asm.S                  |    2 +
 arch/x86/crypto/sha512-ssse3-asm.S                 |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S       |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S            |    3 +
 arch/x86/ia32/ia32_signal.c                        |   14 +-
 arch/x86/ia32/ia32entry.S                          |  157 +-
 arch/x86/ia32/sys_ia32.c                           |    4 +-
 arch/x86/include/asm/alternative-asm.h             |   39 +
 arch/x86/include/asm/alternative.h                 |    4 +-
 arch/x86/include/asm/apic.h                        |    2 +-
 arch/x86/include/asm/apm.h                         |    4 +-
 arch/x86/include/asm/atomic.h                      |  307 +-
 arch/x86/include/asm/atomic64_32.h                 |  100 +
 arch/x86/include/asm/atomic64_64.h                 |  202 +-
 arch/x86/include/asm/bitops.h                      |    8 +-
 arch/x86/include/asm/boot.h                        |    7 +-
 arch/x86/include/asm/cache.h                       |    5 +-
 arch/x86/include/asm/cacheflush.h                  |    2 +-
 arch/x86/include/asm/checksum_32.h                 |   12 +-
 arch/x86/include/asm/cmpxchg.h                     |   35 +
 arch/x86/include/asm/compat.h                      |    2 +-
 arch/x86/include/asm/cpufeature.h                  |   16 +-
 arch/x86/include/asm/desc.h                        |   74 +-
 arch/x86/include/asm/desc_defs.h                   |    6 +
 arch/x86/include/asm/div64.h                       |    2 +-
 arch/x86/include/asm/elf.h                         |   31 +-
 arch/x86/include/asm/emergency-restart.h           |    2 +-
 arch/x86/include/asm/fpu-internal.h                |    8 +-
 arch/x86/include/asm/futex.h                       |   20 +-
 arch/x86/include/asm/hw_irq.h                      |    4 +-
 arch/x86/include/asm/i8259.h                       |    2 +-
 arch/x86/include/asm/io.h                          |   21 +-
 arch/x86/include/asm/irqflags.h                    |    5 +
 arch/x86/include/asm/kprobes.h                     |    9 +-
 arch/x86/include/asm/local.h                       |  142 +-
 arch/x86/include/asm/mman.h                        |   15 +
 arch/x86/include/asm/mmu.h                         |   16 +-
 arch/x86/include/asm/mmu_context.h                 |  136 +-
 arch/x86/include/asm/module.h                      |   17 +-
 arch/x86/include/asm/nmi.h                         |    6 +-
 arch/x86/include/asm/page.h                        |    1 +
 arch/x86/include/asm/page_64.h                     |    4 +-
 arch/x86/include/asm/paravirt.h                    |   46 +-
 arch/x86/include/asm/paravirt_types.h              |   17 +-
 arch/x86/include/asm/pgalloc.h                     |   23 +
 arch/x86/include/asm/pgtable-2level.h              |    2 +
 arch/x86/include/asm/pgtable-3level.h              |    4 +
 arch/x86/include/asm/pgtable.h                     |  124 +-
 arch/x86/include/asm/pgtable_32.h                  |   14 +-
 arch/x86/include/asm/pgtable_32_types.h            |   15 +-
 arch/x86/include/asm/pgtable_64.h                  |   19 +-
 arch/x86/include/asm/pgtable_64_types.h            |    5 +
 arch/x86/include/asm/pgtable_types.h               |   36 +-
 arch/x86/include/asm/processor.h                   |   79 +-
 arch/x86/include/asm/ptrace.h                      |   26 +-
 arch/x86/include/asm/realmode.h                    |    4 +-
 arch/x86/include/asm/reboot.h                      |   10 +-
 arch/x86/include/asm/rwsem.h                       |   60 +-
 arch/x86/include/asm/segment.h                     |   29 +-
 arch/x86/include/asm/smap.h                        |   64 +-
 arch/x86/include/asm/smp.h                         |   14 +-
 arch/x86/include/asm/spinlock.h                    |   36 +-
 arch/x86/include/asm/stackprotector.h              |    4 +-
 arch/x86/include/asm/stacktrace.h                  |   32 +-
 arch/x86/include/asm/switch_to.h                   |    4 +-
 arch/x86/include/asm/thread_info.h                 |   83 +-
 arch/x86/include/asm/tlbflush.h                    |   74 +-
 arch/x86/include/asm/uaccess.h                     |  108 +-
 arch/x86/include/asm/uaccess_32.h                  |   96 +-
 arch/x86/include/asm/uaccess_64.h                  |  232 +-
 arch/x86/include/asm/word-at-a-time.h              |    2 +-
 arch/x86/include/asm/x86_init.h                    |   10 +-
 arch/x86/include/asm/xen/page.h                    |    2 +-
 arch/x86/include/asm/xsave.h                       |   14 +-
 arch/x86/include/uapi/asm/e820.h                   |    2 +-
 arch/x86/kernel/Makefile                           |    2 +-
 arch/x86/kernel/acpi/boot.c                        |    4 +-
 arch/x86/kernel/acpi/sleep.c                       |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                   |    6 +-
 arch/x86/kernel/alternative.c                      |   69 +-
 arch/x86/kernel/apic/apic.c                        |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c                |    4 +-
 arch/x86/kernel/apic/apic_noop.c                   |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                   |    2 +-
 arch/x86/kernel/apic/es7000_32.c                   |    5 +-
 arch/x86/kernel/apic/io_apic.c                     |    8 +-
 arch/x86/kernel/apic/numaq_32.c                    |    3 +-
 arch/x86/kernel/apic/probe_32.c                    |    2 +-
 arch/x86/kernel/apic/summit_32.c                   |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c              |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c                 |    2 +-
 arch/x86/kernel/apm_32.c                           |   19 +-
 arch/x86/kernel/asm-offsets.c                      |   20 +
 arch/x86/kernel/asm-offsets_64.c                   |    1 +
 arch/x86/kernel/cpu/Makefile                       |    4 -
 arch/x86/kernel/cpu/amd.c                          |    2 +-
 arch/x86/kernel/cpu/common.c                       |  130 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c              |   48 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |   31 +-
 arch/x86/kernel/cpu/mcheck/p5.c                    |    3 +
 arch/x86/kernel/cpu/mcheck/winchip.c               |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                    |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                    |    2 +-
 arch/x86/kernel/cpu/perf_event.c                   |    8 +-
 arch/x86/kernel/cpu/perf_event_amd_iommu.c         |    2 +-
 arch/x86/kernel/cpu/perf_event_intel.c             |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c      |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h      |    2 +-
 arch/x86/kernel/cpuid.c                            |    2 +-
 arch/x86/kernel/crash.c                            |    4 +-
 arch/x86/kernel/crash_dump_64.c                    |    2 +-
 arch/x86/kernel/doublefault.c                      |    8 +-
 arch/x86/kernel/dumpstack.c                        |   30 +-
 arch/x86/kernel/dumpstack_32.c                     |   34 +-
 arch/x86/kernel/dumpstack_64.c                     |   61 +-
 arch/x86/kernel/e820.c                             |    4 +-
 arch/x86/kernel/early_printk.c                     |    1 +
 arch/x86/kernel/entry_32.S                         |  356 +-
 arch/x86/kernel/entry_64.S                         |  666 ++-
 arch/x86/kernel/ftrace.c                           |   14 +-
 arch/x86/kernel/head64.c                           |   13 +-
 arch/x86/kernel/head_32.S                          |  228 +-
 arch/x86/kernel/head_64.S                          |  138 +-
 arch/x86/kernel/i386_ksyms_32.c                    |   12 +
 arch/x86/kernel/i387.c                             |    2 +-
 arch/x86/kernel/i8259.c                            |   10 +-
 arch/x86/kernel/io_delay.c                         |    2 +-
 arch/x86/kernel/ioport.c                           |    2 +-
 arch/x86/kernel/irq.c                              |    8 +-
 arch/x86/kernel/irq_32.c                           |   67 +-
 arch/x86/kernel/irq_64.c                           |    2 +-
 arch/x86/kernel/jump_label.c                       |    6 +-
 arch/x86/kernel/kgdb.c                             |   25 +-
 arch/x86/kernel/kprobes/core.c                     |   30 +-
 arch/x86/kernel/kprobes/opt.c                      |   16 +-
 arch/x86/kernel/ldt.c                              |   31 +-
 arch/x86/kernel/machine_kexec_32.c                 |    6 +-
 arch/x86/kernel/microcode_core.c                   |    2 +-
 arch/x86/kernel/microcode_intel.c                  |    4 +-
 arch/x86/kernel/module.c                           |   76 +-
 arch/x86/kernel/msr.c                              |    2 +-
 arch/x86/kernel/nmi.c                              |   19 +-
 arch/x86/kernel/nmi_selftest.c                     |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c               |    2 +-
 arch/x86/kernel/paravirt.c                         |   43 +-
 arch/x86/kernel/pci-calgary_64.c                   |    2 +-
 arch/x86/kernel/pci-iommu_table.c                  |    2 +-
 arch/x86/kernel/pci-swiotlb.c                      |    2 +-
 arch/x86/kernel/process.c                          |   55 +-
 arch/x86/kernel/process_32.c                       |   29 +-
 arch/x86/kernel/process_64.c                       |   20 +-
 arch/x86/kernel/ptrace.c                           |   25 +-
 arch/x86/kernel/pvclock.c                          |    8 +-
 arch/x86/kernel/reboot.c                           |   42 +-
 arch/x86/kernel/reboot_fixups_32.c                 |    2 +-
 arch/x86/kernel/relocate_kernel_64.S               |    5 +-
 arch/x86/kernel/setup.c                            |   63 +-
 arch/x86/kernel/setup_percpu.c                     |   29 +-
 arch/x86/kernel/signal.c                           |   15 +-
 arch/x86/kernel/smp.c                              |    2 +-
 arch/x86/kernel/smpboot.c                          |   28 +-
 arch/x86/kernel/step.c                             |   10 +-
 arch/x86/kernel/sys_i386_32.c                      |  184 +
 arch/x86/kernel/sys_x86_64.c                       |   22 +-
 arch/x86/kernel/tboot.c                            |   12 +-
 arch/x86/kernel/time.c                             |   10 +-
 arch/x86/kernel/tls.c                              |    7 +-
 arch/x86/kernel/tracepoint.c                       |    4 +-
 arch/x86/kernel/traps.c                            |   62 +-
 arch/x86/kernel/uprobes.c                          |    4 +-
 arch/x86/kernel/vm86_32.c                          |    6 +-
 arch/x86/kernel/vmlinux.lds.S                      |  147 +-
 arch/x86/kernel/vsyscall_64.c                      |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                   |    6 +-
 arch/x86/kernel/x86_init.c                         |    6 +-
 arch/x86/kernel/xsave.c                            |    2 +
 arch/x86/kvm/cpuid.c                               |   21 +-
 arch/x86/kvm/lapic.c                               |    2 +-
 arch/x86/kvm/paging_tmpl.h                         |    2 +-
 arch/x86/kvm/svm.c                                 |    8 +
 arch/x86/kvm/vmx.c                                 |   63 +-
 arch/x86/kvm/x86.c                                 |    8 +-
 arch/x86/lguest/boot.c                             |    3 +-
 arch/x86/lib/atomic64_386_32.S                     |  164 +
 arch/x86/lib/atomic64_cx8_32.S                     |  103 +-
 arch/x86/lib/checksum_32.S                         |  100 +-
 arch/x86/lib/clear_page_64.S                       |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                      |    2 +
 arch/x86/lib/copy_page_64.S                        |   24 +-
 arch/x86/lib/copy_user_64.S                        |   89 +-
 arch/x86/lib/copy_user_nocache_64.S                |   22 +-
 arch/x86/lib/csum-copy_64.S                        |    2 +
 arch/x86/lib/csum-wrappers_64.c                    |    8 +-
 arch/x86/lib/getuser.S                             |   74 +-
 arch/x86/lib/insn.c                                |    6 +-
 arch/x86/lib/iomap_copy_64.S                       |    2 +
 arch/x86/lib/memcpy_64.S                           |   22 +-
 arch/x86/lib/memmove_64.S                          |   36 +-
 arch/x86/lib/memset_64.S                           |   11 +-
 arch/x86/lib/mmx_32.c                              |  243 +-
 arch/x86/lib/msr-reg.S                             |   18 +-
 arch/x86/lib/putuser.S                             |   90 +-
 arch/x86/lib/rwlock.S                              |   42 +
 arch/x86/lib/rwsem.S                               |    6 +-
 arch/x86/lib/thunk_64.S                            |    2 +
 arch/x86/lib/usercopy_32.c                         |  359 +-
 arch/x86/lib/usercopy_64.c                         |   18 +-
 arch/x86/mm/Makefile                               |    4 +
 arch/x86/mm/extable.c                              |   25 +-
 arch/x86/mm/fault.c                                |  564 ++-
 arch/x86/mm/gup.c                                  |    2 +-
 arch/x86/mm/highmem_32.c                           |    4 +
 arch/x86/mm/hugetlbpage.c                          |   30 +-
 arch/x86/mm/init.c                                 |  101 +-
 arch/x86/mm/init_32.c                              |  111 +-
 arch/x86/mm/init_64.c                              |   45 +-
 arch/x86/mm/iomap_32.c                             |    4 +
 arch/x86/mm/ioremap.c                              |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                  |    4 +-
 arch/x86/mm/mmap.c                                 |   36 +-
 arch/x86/mm/mmio-mod.c                             |   10 +-
 arch/x86/mm/numa.c                                 |    2 +-
 arch/x86/mm/pageattr-test.c                        |    2 +-
 arch/x86/mm/pageattr.c                             |   33 +-
 arch/x86/mm/pat.c                                  |   12 +-
 arch/x86/mm/pat_rbtree.c                           |    2 +-
 arch/x86/mm/pf_in.c                                |   10 +-
 arch/x86/mm/pgtable.c                              |  139 +-
 arch/x86/mm/pgtable_32.c                           |    3 +
 arch/x86/mm/physaddr.c                             |    4 +-
 arch/x86/mm/setup_nx.c                             |    7 +
 arch/x86/mm/tlb.c                                  |    4 +
 arch/x86/mm/uderef_64.c                            |   37 +
 arch/x86/net/bpf_jit.S                             |   14 +
 arch/x86/net/bpf_jit_comp.c                        |   38 +-
 arch/x86/oprofile/backtrace.c                      |    8 +-
 arch/x86/oprofile/nmi_int.c                        |    8 +-
 arch/x86/oprofile/op_model_amd.c                   |    8 +-
 arch/x86/oprofile/op_model_ppro.c                  |    7 +-
 arch/x86/oprofile/op_x86_model.h                   |    2 +-
 arch/x86/pci/irq.c                                 |    8 +-
 arch/x86/pci/mrst.c                                |    4 +-
 arch/x86/pci/pcbios.c                              |  144 +-
 arch/x86/platform/efi/efi_32.c                     |   24 +
 arch/x86/platform/efi/efi_64.c                     |   10 +
 arch/x86/platform/efi/efi_stub_32.S                |   64 +-
 arch/x86/platform/efi/efi_stub_64.S                |    8 +
 arch/x86/platform/mrst/mrst.c                      |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                   |    2 +-
 arch/x86/power/cpu.c                               |   11 +-
 arch/x86/realmode/init.c                           |   10 +-
 arch/x86/realmode/rm/Makefile                      |    3 +
 arch/x86/realmode/rm/header.S                      |    4 +-
 arch/x86/realmode/rm/trampoline_32.S               |   12 +-
 arch/x86/realmode/rm/trampoline_64.S               |    3 +-
 arch/x86/tools/Makefile                            |    2 +-
 arch/x86/tools/relocs.c                            |   94 +-
 arch/x86/um/tls_32.c                               |    2 +-
 arch/x86/vdso/Makefile                             |    2 +-
 arch/x86/vdso/vdso32-setup.c                       |   23 +-
 arch/x86/vdso/vma.c                                |   29 +-
 arch/x86/xen/enlighten.c                           |   45 +-
 arch/x86/xen/mmu.c                                 |   11 +-
 arch/x86/xen/smp.c                                 |   21 +-
 arch/x86/xen/xen-asm_32.S                          |   12 +-
 arch/x86/xen/xen-head.S                            |   11 +
 arch/x86/xen/xen-ops.h                             |    2 -
 block/blk-cgroup.c                                 |    4 +-
 block/blk-iopoll.c                                 |    2 +-
 block/blk-map.c                                    |    2 +-
 block/blk-softirq.c                                |    2 +-
 block/bsg.c                                        |   12 +-
 block/compat_ioctl.c                               |    2 +-
 block/genhd.c                                      |    9 +-
 block/partitions/efi.c                             |    8 +-
 block/scsi_ioctl.c                                 |   29 +-
 crypto/cryptd.c                                    |    4 +-
 crypto/pcrypt.c                                    |    2 +-
 drivers/acpi/apei/apei-internal.h                  |    2 +-
 drivers/acpi/apei/cper.c                           |    8 +-
 drivers/acpi/apei/ghes.c                           |    4 +-
 drivers/acpi/bgrt.c                                |    6 +-
 drivers/acpi/blacklist.c                           |    4 +-
 drivers/acpi/processor_idle.c                      |    2 +-
 drivers/acpi/sysfs.c                               |    4 +-
 drivers/ata/libahci.c                              |    2 +-
 drivers/ata/libata-core.c                          |   12 +-
 drivers/ata/libata-scsi.c                          |    2 +-
 drivers/ata/libata.h                               |    2 +-
 drivers/ata/pata_arasan_cf.c                       |    4 +-
 drivers/atm/adummy.c                               |    2 +-
 drivers/atm/ambassador.c                           |    8 +-
 drivers/atm/atmtcp.c                               |   14 +-
 drivers/atm/eni.c                                  |   10 +-
 drivers/atm/firestream.c                           |    8 +-
 drivers/atm/fore200e.c                             |   14 +-
 drivers/atm/he.c                                   |   18 +-
 drivers/atm/horizon.c                              |    4 +-
 drivers/atm/idt77252.c                             |   36 +-
 drivers/atm/iphase.c                               |   34 +-
 drivers/atm/lanai.c                                |   12 +-
 drivers/atm/nicstar.c                              |   46 +-
 drivers/atm/solos-pci.c                            |    4 +-
 drivers/atm/suni.c                                 |    4 +-
 drivers/atm/uPD98402.c                             |   16 +-
 drivers/atm/zatm.c                                 |    6 +-
 drivers/base/bus.c                                 |    4 +-
 drivers/base/devtmpfs.c                            |    8 +-
 drivers/base/node.c                                |    2 +-
 drivers/base/power/domain.c                        |    4 +-
 drivers/base/power/sysfs.c                         |    2 +-
 drivers/base/power/wakeup.c                        |    8 +-
 drivers/base/syscore.c                             |    4 +-
 drivers/block/cciss.c                              |   28 +-
 drivers/block/cciss.h                              |    2 +-
 drivers/block/cpqarray.c                           |   28 +-
 drivers/block/cpqarray.h                           |    2 +-
 drivers/block/drbd/drbd_int.h                      |    6 +-
 drivers/block/drbd/drbd_main.c                     |    8 +-
 drivers/block/drbd/drbd_nl.c                       |    4 +-
 drivers/block/drbd/drbd_receiver.c                 |   22 +-
 drivers/block/loop.c                               |    2 +-
 drivers/block/pktcdvd.c                            |    4 +-
 drivers/bluetooth/btwilink.c                       |    2 +-
 drivers/bus/arm-cci.c                              |    2 +-
 drivers/cdrom/cdrom.c                              |   11 +-
 drivers/cdrom/gdrom.c                              |    1 -
 drivers/char/agp/compat_ioctl.c                    |    2 +-
 drivers/char/agp/frontend.c                        |    4 +-
 drivers/char/hpet.c                                |    2 +-
 drivers/char/hw_random/intel-rng.c                 |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c                |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                   |    8 +-
 drivers/char/mem.c                                 |   43 +-
 drivers/char/nvram.c                               |    2 +-
 drivers/char/pcmcia/synclink_cs.c                  |   18 +-
 drivers/char/random.c                              |   10 +-
 drivers/char/sonypi.c                              |    9 +-
 drivers/char/tpm/tpm_acpi.c                        |    3 +-
 drivers/char/tpm/tpm_eventlog.c                    |    7 +-
 drivers/char/virtio_console.c                      |    4 +-
 drivers/clk/clk-composite.c                        |    2 +-
 drivers/clk/socfpga/clk.c                          |    9 +-
 drivers/cpufreq/acpi-cpufreq.c                     |   13 +-
 drivers/cpufreq/cpufreq.c                          |    9 +-
 drivers/cpufreq/cpufreq_governor.c                 |    6 +-
 drivers/cpufreq/cpufreq_governor.h                 |    4 +-
 drivers/cpufreq/cpufreq_ondemand.c                 |   10 +-
 drivers/cpufreq/cpufreq_stats.c                    |    2 +-
 drivers/cpufreq/p4-clockmod.c                      |   12 +-
 drivers/cpufreq/sparc-us3-cpufreq.c                |   67 +-
 drivers/cpufreq/speedstep-centrino.c               |    7 +-
 drivers/cpuidle/cpuidle.c                          |    2 +-
 drivers/cpuidle/governor.c                         |    4 +-
 drivers/cpuidle/sysfs.c                            |    2 +-
 drivers/crypto/hifn_795x.c                         |    4 +-
 drivers/devfreq/devfreq.c                          |    4 +-
 drivers/dma/sh/shdmac.c                            |    2 +-
 drivers/edac/edac_device.c                         |    4 +-
 drivers/edac/edac_mc_sysfs.c                       |   12 +-
 drivers/edac/edac_pci.c                            |    4 +-
 drivers/edac/edac_pci_sysfs.c                      |   22 +-
 drivers/edac/mce_amd.h                             |    2 +-
 drivers/firewire/core-card.c                       |    6 +-
 drivers/firewire/core-device.c                     |    2 +-
 drivers/firewire/core-transaction.c                |    1 +
 drivers/firewire/core.h                            |    1 +
 drivers/firmware/dmi-id.c                          |    2 +-
 drivers/firmware/dmi_scan.c                        |    2 +-
 drivers/firmware/efi/efi.c                         |   12 +-
 drivers/firmware/efi/efivars.c                     |    2 +-
 drivers/firmware/google/memconsole.c               |    4 +-
 drivers/gpio/gpio-ich.c                            |    2 +-
 drivers/gpio/gpio-vr41xx.c                         |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                  |    2 +-
 drivers/gpu/drm/drm_drv.c                          |    8 +-
 drivers/gpu/drm/drm_fops.c                         |   16 +-
 drivers/gpu/drm/drm_global.c                       |   14 +-
 drivers/gpu/drm/drm_info.c                         |   14 +-
 drivers/gpu/drm/drm_ioc32.c                        |   13 +-
 drivers/gpu/drm/drm_lock.c                         |    4 +-
 drivers/gpu/drm/drm_stub.c                         |    2 +-
 drivers/gpu/drm/drm_sysfs.c                        |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                    |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c                |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                    |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                    |    2 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c         |    4 +-
 drivers/gpu/drm/i915/i915_ioc32.c                  |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                    |   20 +-
 drivers/gpu/drm/i915/intel_display.c               |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                      |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                    |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                      |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c             |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h              |    1 -
 drivers/gpu/drm/nouveau/nouveau_ioc32.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c              |    2 +-
 drivers/gpu/drm/qxl/qxl_cmd.c                      |   12 +-
 drivers/gpu/drm/qxl/qxl_debugfs.c                  |    8 +-
 drivers/gpu/drm/qxl/qxl_drv.h                      |    8 +-
 drivers/gpu/drm/qxl/qxl_irq.c                      |   16 +-
 drivers/gpu/drm/qxl/qxl_ttm.c                      |   38 +-
 drivers/gpu/drm/r128/r128_cce.c                    |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                    |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                  |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                    |    4 +-
 drivers/gpu/drm/r128/r128_state.c                  |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c                |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c             |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h                |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c              |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c                |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c                |   57 +-
 drivers/gpu/drm/radeon/rs690.c                     |    4 +-
 drivers/gpu/drm/ttm/ttm_memory.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c               |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                       |    1 -
 drivers/gpu/drm/via/via_drv.h                      |    4 +-
 drivers/gpu/drm/via/via_irq.c                      |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h                |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c               |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c                |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c             |    2 +-
 drivers/gpu/host1x/drm/dc.c                        |    2 +-
 drivers/hid/hid-core.c                             |    4 +-
 drivers/hid/uhid.c                                 |    6 +-
 drivers/hv/channel.c                               |    4 +-
 drivers/hv/hv.c                                    |    2 +-
 drivers/hv/hv_balloon.c                            |   18 +-
 drivers/hv/hyperv_vmbus.h                          |    2 +-
 drivers/hv/vmbus_drv.c                             |    4 +-
 drivers/hwmon/acpi_power_meter.c                   |    4 +-
 drivers/hwmon/applesmc.c                           |    2 +-
 drivers/hwmon/asus_atk0110.c                       |   10 +-
 drivers/hwmon/coretemp.c                           |    2 +-
 drivers/hwmon/ibmaem.c                             |    2 +-
 drivers/hwmon/iio_hwmon.c                          |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +-
 drivers/hwmon/sht15.c                              |   12 +-
 drivers/hwmon/via-cputemp.c                        |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c              |    2 +-
 drivers/i2c/busses/i2c-diolan-u2c.c                |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c             |    2 +-
 drivers/i2c/i2c-dev.c                              |    2 +-
 drivers/ide/ide-cd.c                               |    2 +-
 drivers/iio/industrialio-core.c                    |    2 +-
 drivers/infiniband/core/cm.c                       |   32 +-
 drivers/infiniband/core/fmr_pool.c                 |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                  |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c             |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c            |    6 +-
 drivers/infiniband/hw/mlx4/mad.c                   |    2 +-
 drivers/infiniband/hw/mlx4/mcg.c                   |    2 +-
 drivers/infiniband/hw/mlx4/mlx4_ib.h               |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c            |    8 +-
 drivers/infiniband/hw/mthca/mthca_main.c           |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c             |    6 +-
 drivers/infiniband/hw/mthca/mthca_provider.c       |    2 +-
 drivers/infiniband/hw/nes/nes.c                    |    4 +-
 drivers/infiniband/hw/nes/nes.h                    |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c                 |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c                |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c                |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c              |   10 +-
 drivers/infiniband/hw/qib/qib.h                    |    1 +
 drivers/input/gameport/gameport.c                  |    4 +-
 drivers/input/input.c                              |    4 +-
 drivers/input/joystick/sidewinder.c                |    1 +
 drivers/input/joystick/xpad.c                      |    4 +-
 drivers/input/misc/ims-pcu.c                       |    4 +-
 drivers/input/mouse/psmouse.h                      |    2 +-
 drivers/input/mousedev.c                           |    2 +-
 drivers/input/serio/serio.c                        |    4 +-
 drivers/input/serio/serio_raw.c                    |    4 +-
 drivers/iommu/iommu.c                              |    2 +-
 drivers/iommu/irq_remapping.c                      |   12 +-
 drivers/irqchip/irq-gic.c                          |    4 +-
 drivers/isdn/capi/capi.c                           |   10 +-
 drivers/isdn/gigaset/interface.c                   |    8 +-
 drivers/isdn/gigaset/usb-gigaset.c                 |    2 +-
 drivers/isdn/hardware/avm/b1.c                     |    4 +-
 drivers/isdn/i4l/isdn_common.c                     |    2 +
 drivers/isdn/i4l/isdn_tty.c                        |   22 +-
 drivers/isdn/icn/icn.c                             |    2 +-
 drivers/isdn/mISDN/dsp_cmx.c                       |    2 +-
 drivers/leds/leds-clevo-mail.c                     |    2 +-
 drivers/leds/leds-ss4200.c                         |    2 +-
 drivers/lguest/core.c                              |   10 +-
 drivers/lguest/page_tables.c                       |    2 +-
 drivers/lguest/x86/core.c                          |   12 +-
 drivers/lguest/x86/switcher_32.S                   |   27 +-
 drivers/md/bcache/closure.h                        |    2 +-
 drivers/md/bcache/super.c                          |    2 +-
 drivers/md/bitmap.c                                |    2 +-
 drivers/md/dm-ioctl.c                              |    2 +-
 drivers/md/dm-raid1.c                              |   16 +-
 drivers/md/dm-stats.c                              |    6 +-
 drivers/md/dm-stripe.c                             |   10 +-
 drivers/md/dm-table.c                              |    4 +-
 drivers/md/dm-thin-metadata.c                      |    4 +-
 drivers/md/dm.c                                    |   16 +-
 drivers/md/md.c                                    |   26 +-
 drivers/md/md.h                                    |    6 +-
 drivers/md/persistent-data/dm-space-map.h          |    1 +
 drivers/md/raid1.c                                 |    4 +-
 drivers/md/raid10.c                                |   16 +-
 drivers/md/raid5.c                                 |   10 +-
 drivers/media/dvb-core/dvbdev.c                    |    2 +-
 drivers/media/dvb-frontends/dib3000.h              |    2 +-
 drivers/media/pci/cx88/cx88-video.c                |    6 +-
 drivers/media/pci/ivtv/ivtv-driver.c               |    2 +-
 drivers/media/platform/omap/omap_vout.c            |   11 +-
 drivers/media/platform/s5p-tv/mixer.h              |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c    |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c          |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c        |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c     |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +
 drivers/media/radio/radio-maxiradio.c              |    2 +-
 drivers/media/radio/radio-shark.c                  |    2 +-
 drivers/media/radio/radio-shark2.c                 |    2 +-
 drivers/media/radio/radio-si476x.c                 |    2 +-
 drivers/media/rc/rc-main.c                         |    4 +-
 drivers/media/usb/dvb-usb/cxusb.c                  |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c                 |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |    6 +-
 drivers/media/v4l2-core/v4l2-device.c              |    4 +-
 drivers/media/v4l2-core/v4l2-ioctl.c               |   11 +-
 drivers/message/fusion/mptsas.c                    |   34 +-
 drivers/message/fusion/mptscsih.c                  |   19 +-
 drivers/message/i2o/i2o_proc.c                     |   67 +-
 drivers/message/i2o/iop.c                          |    8 +-
 drivers/mfd/janz-cmodio.c                          |    1 +
 drivers/mfd/max8925-i2c.c                          |    2 +-
 drivers/mfd/tps65910.c                             |    2 +-
 drivers/mfd/twl4030-irq.c                          |    9 +-
 drivers/misc/c2port/core.c                         |    4 +-
 drivers/misc/kgdbts.c                              |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c                 |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h                 |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                  |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                   |    8 +-
 drivers/misc/sgi-gru/grutables.h                   |  154 +-
 drivers/misc/sgi-xp/xp.h                           |    2 +-
 drivers/misc/sgi-xp/xpc.h                          |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                     |    4 +-
 drivers/mmc/core/mmc_ops.c                         |    2 +-
 drivers/mmc/host/dw_mmc.h                          |    2 +-
 drivers/mmc/host/mmci.c                            |    4 +-
 drivers/mmc/host/sdhci-s3c.c                       |    8 +-
 drivers/mtd/chips/cfi_cmdset_0020.c                |    2 +-
 drivers/mtd/nand/denali.c                          |    1 +
 drivers/mtd/nftlmount.c                            |    1 +
 drivers/mtd/sm_ftl.c                               |    2 +-
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/ethernet/8390/ax88796.c                |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h    |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c     |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h     |    3 +-
 drivers/net/ethernet/broadcom/tg3.h                |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h           |    2 +-
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c    |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c             |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c           |    2 +
 drivers/net/ethernet/faraday/ftmac100.c            |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c       |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c   |    7 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c   |    2 +-
 drivers/net/ethernet/realtek/r8169.c               |    8 +-
 drivers/net/ethernet/sfc/ptp.c                     |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c     |    4 +-
 drivers/net/hyperv/hyperv_net.h                    |    2 +-
 drivers/net/hyperv/rndis_filter.c                  |    4 +-
 drivers/net/ieee802154/fakehard.c                  |    2 +-
 drivers/net/macvlan.c                              |   18 +-
 drivers/net/macvtap.c                              |    2 +-
 drivers/net/ppp/ppp_generic.c                      |    4 +-
 drivers/net/slip/slhc.c                            |    2 +-
 drivers/net/team/team.c                            |    2 +-
 drivers/net/tun.c                                  |    5 +-
 drivers/net/usb/hso.c                              |   23 +-
 drivers/net/usb/sierra_net.c                       |    4 +-
 drivers/net/vxlan.c                                |    2 +-
 drivers/net/wimax/i2400m/rx.c                      |    2 +-
 drivers/net/wireless/airo.c                        |    2 +-
 drivers/net/wireless/at76c50x-usb.c                |    2 +-
 drivers/net/wireless/ath/ath10k/htc.c              |    7 +-
 drivers/net/wireless/ath/ath10k/htc.h              |    4 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c        |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c        |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h                |    4 +-
 drivers/net/wireless/b43/phy_lp.c                  |    2 +-
 drivers/net/wireless/iwlegacy/3945-mac.c           |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c         |   34 +-
 drivers/net/wireless/iwlwifi/dvm/main.c            |    3 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c          |    4 +-
 drivers/net/wireless/mac80211_hwsim.c              |   32 +-
 drivers/net/wireless/rndis_wlan.c                  |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h               |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c          |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c              |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c              |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c              |    6 +-
 drivers/nfc/nfcwilink.c                            |    2 +-
 drivers/oprofile/buffer_sync.c                     |    8 +-
 drivers/oprofile/event_buffer.c                    |    2 +-
 drivers/oprofile/oprof.c                           |    2 +-
 drivers/oprofile/oprofile_files.c                  |    2 +-
 drivers/oprofile/oprofile_stats.c                  |   10 +-
 drivers/oprofile/oprofile_stats.h                  |   10 +-
 drivers/oprofile/oprofilefs.c                      |    6 +-
 drivers/oprofile/timer_int.c                       |    2 +-
 drivers/parport/procfs.c                           |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                  |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c               |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c                |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c                 |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c             |    6 +-
 drivers/pci/hotplug/pciehp_core.c                  |    2 +-
 drivers/pci/pci-sysfs.c                            |    6 +-
 drivers/pci/pci.h                                  |    2 +-
 drivers/pci/pcie/aspm.c                            |    6 +-
 drivers/pci/probe.c                                |    2 +-
 drivers/platform/x86/chromeos_laptop.c             |    2 +-
 drivers/platform/x86/msi-laptop.c                  |   14 +-
 drivers/platform/x86/msi-wmi.c                     |    2 +-
 drivers/platform/x86/sony-laptop.c                 |    2 +-
 drivers/platform/x86/thinkpad_acpi.c               |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                    |   14 +-
 drivers/pnp/resource.c                             |    4 +-
 drivers/power/pda_power.c                          |    7 +-
 drivers/power/power_supply.h                       |    4 +-
 drivers/power/power_supply_core.c                  |    7 +-
 drivers/power/power_supply_sysfs.c                 |    6 +-
 drivers/regulator/core.c                           |    4 +-
 drivers/regulator/max8660.c                        |    6 +-
 drivers/regulator/max8973-regulator.c              |    8 +-
 drivers/regulator/mc13892-regulator.c              |    6 +-
 drivers/rtc/rtc-cmos.c                             |    4 +-
 drivers/rtc/rtc-ds1307.c                           |    2 +-
 drivers/rtc/rtc-m48t59.c                           |    4 +-
 drivers/scsi/aic7xxx/aic79xx_pci.c                 |   18 +-
 drivers/scsi/bfa/bfa_fcpim.h                       |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                         |    4 +-
 drivers/scsi/fcoe/fcoe_sysfs.c                     |   12 +-
 drivers/scsi/hosts.c                               |    4 +-
 drivers/scsi/hpsa.c                                |   30 +-
 drivers/scsi/hpsa.h                                |    2 +-
 drivers/scsi/libfc/fc_exch.c                       |   50 +-
 drivers/scsi/libsas/sas_ata.c                      |    2 +-
 drivers/scsi/lpfc/lpfc.h                           |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                   |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                      |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                      |   16 +-
 drivers/scsi/mpt2sas/mpt2sas_scsih.c               |    8 +-
 drivers/scsi/pmcraid.c                             |   20 +-
 drivers/scsi/pmcraid.h                             |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                    |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                     |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                      |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                     |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                      |    6 +-
 drivers/scsi/scsi.c                                |    2 +-
 drivers/scsi/scsi_lib.c                            |    6 +-
 drivers/scsi/scsi_sysfs.c                          |    2 +-
 drivers/scsi/scsi_tgt_lib.c                        |    2 +-
 drivers/scsi/scsi_transport_fc.c                   |    8 +-
 drivers/scsi/scsi_transport_iscsi.c                |    6 +-
 drivers/scsi/scsi_transport_srp.c                  |    6 +-
 drivers/scsi/sd.c                                  |    2 +-
 drivers/scsi/sg.c                                  |    2 +-
 drivers/spi/spi.c                                  |    2 +-
 drivers/staging/android/timed_output.c             |    6 +-
 drivers/staging/gdm724x/gdm_tty.c                  |    2 +-
 drivers/staging/media/solo6x10/solo6x10-core.c     |    2 +-
 drivers/staging/media/solo6x10/solo6x10-p2m.c      |    2 +-
 drivers/staging/media/solo6x10/solo6x10.h          |    2 +-
 drivers/staging/octeon/ethernet-rx.c               |   12 +-
 drivers/staging/octeon/ethernet.c                  |    8 +-
 drivers/staging/rtl8712/rtl871x_io.h               |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c                 |    2 +-
 drivers/staging/usbip/vhci.h                       |    2 +-
 drivers/staging/usbip/vhci_hcd.c                   |    6 +-
 drivers/staging/usbip/vhci_rx.c                    |    2 +-
 drivers/staging/vt6655/hostap.c                    |    7 +-
 drivers/staging/vt6656/hostap.c                    |    7 +-
 drivers/target/sbp/sbp_target.c                    |    4 +-
 drivers/target/target_core_device.c                |    2 +-
 drivers/target/target_core_transport.c             |    2 +-
 drivers/tty/cyclades.c                             |    6 +-
 drivers/tty/hvc/hvc_console.c                      |   14 +-
 drivers/tty/hvc/hvcs.c                             |   21 +-
 drivers/tty/hvc/hvsi.c                             |   12 +-
 drivers/tty/hvc/hvsi_lib.c                         |    6 +-
 drivers/tty/ipwireless/tty.c                       |   27 +-
 drivers/tty/moxa.c                                 |    2 +-
 drivers/tty/n_gsm.c                                |    4 +-
 drivers/tty/n_tty.c                                |    3 +-
 drivers/tty/pty.c                                  |    4 +-
 drivers/tty/rocket.c                               |    6 +-
 drivers/tty/serial/ioc4_serial.c                   |    6 +-
 drivers/tty/serial/kgdboc.c                        |   32 +-
 drivers/tty/serial/msm_serial.c                    |    4 +-
 drivers/tty/serial/samsung.c                       |    9 +-
 drivers/tty/serial/serial_core.c                   |    8 +-
 drivers/tty/synclink.c                             |   34 +-
 drivers/tty/synclink_gt.c                          |   28 +-
 drivers/tty/synclinkmp.c                           |   34 +-
 drivers/tty/tty_io.c                               |    2 +-
 drivers/tty/tty_ldisc.c                            |    8 +-
 drivers/tty/tty_port.c                             |   22 +-
 drivers/uio/uio.c                                  |   15 +-
 drivers/usb/atm/cxacru.c                           |    2 +-
 drivers/usb/atm/usbatm.c                           |   24 +-
 drivers/usb/core/devices.c                         |    6 +-
 drivers/usb/core/hcd.c                             |    4 +-
 drivers/usb/core/message.c                         |    6 +-
 drivers/usb/core/sysfs.c                           |    2 +-
 drivers/usb/core/usb.c                             |    2 +-
 drivers/usb/dwc3/gadget.c                          |    2 -
 drivers/usb/early/ehci-dbgp.c                      |   16 +-
 drivers/usb/gadget/u_serial.c                      |   22 +-
 drivers/usb/host/ehci-hub.c                        |    4 +-
 drivers/usb/misc/appledisplay.c                    |    4 +-
 drivers/usb/serial/console.c                       |    8 +-
 drivers/usb/storage/usb.h                          |    2 +-
 drivers/usb/wusbcore/wa-hc.h                       |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                     |    2 +-
 drivers/vfio/vfio.c                                |    2 +-
 drivers/vhost/vringh.c                             |    2 +-
 drivers/video/aty/aty128fb.c                       |    2 +-
 drivers/video/aty/atyfb_base.c                     |    8 +-
 drivers/video/aty/mach64_cursor.c                  |    5 +-
 drivers/video/backlight/kb3886_bl.c                |    2 +-
 drivers/video/fb_defio.c                           |    6 +-
 drivers/video/fbmem.c                              |    6 +-
 drivers/video/hyperv_fb.c                          |    4 +-
 drivers/video/i810/i810_accel.c                    |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c            |   16 +-
 drivers/video/nvidia/nvidia.c                      |   27 +-
 drivers/video/s1d13xxxfb.c                         |    6 +-
 drivers/video/smscufx.c                            |    4 +-
 drivers/video/udlfb.c                              |   36 +-
 drivers/video/uvesafb.c                            |   53 +-
 drivers/video/vesafb.c                             |   58 +-
 drivers/video/via/via_clock.h                      |    2 +-
 fs/9p/vfs_addr.c                                   |    2 +-
 fs/9p/vfs_inode.c                                  |    2 +-
 fs/Kconfig.binfmt                                  |    2 +-
 fs/afs/inode.c                                     |    4 +-
 fs/aio.c                                           |    2 +-
 fs/autofs4/waitq.c                                 |    2 +-
 fs/befs/endian.h                                   |    6 +-
 fs/befs/linuxvfs.c                                 |    2 +-
 fs/binfmt_aout.c                                   |   23 +-
 fs/binfmt_elf.c                                    |  656 ++-
 fs/binfmt_flat.c                                   |    6 +
 fs/bio.c                                           |    6 +-
 fs/block_dev.c                                     |    2 +-
 fs/btrfs/ctree.c                                   |    9 +-
 fs/btrfs/delayed-inode.c                           |    6 +-
 fs/btrfs/delayed-inode.h                           |    4 +-
 fs/btrfs/super.c                                   |    2 +-
 fs/buffer.c                                        |    2 +-
 fs/cachefiles/bind.c                               |    6 +-
 fs/cachefiles/daemon.c                             |    8 +-
 fs/cachefiles/internal.h                           |   12 +-
 fs/cachefiles/namei.c                              |    2 +-
 fs/cachefiles/proc.c                               |   12 +-
 fs/cachefiles/rdwr.c                               |    2 +-
 fs/ceph/dir.c                                      |    2 +-
 fs/ceph/super.c                                    |    4 +-
 fs/cifs/cifs_debug.c                               |   12 +-
 fs/cifs/cifsfs.c                                   |    8 +-
 fs/cifs/cifsglob.h                                 |   54 +-
 fs/cifs/link.c                                     |    2 +-
 fs/cifs/misc.c                                     |    4 +-
 fs/cifs/smb1ops.c                                  |   80 +-
 fs/cifs/smb2ops.c                                  |   84 +-
 fs/cifs/smb2pdu.c                                  |    3 +-
 fs/coda/cache.c                                    |   10 +-
 fs/compat.c                                        |    4 +-
 fs/compat_binfmt_elf.c                             |    2 +
 fs/compat_ioctl.c                                  |   12 +-
 fs/configfs/dir.c                                  |   10 +-
 fs/coredump.c                                      |   18 +-
 fs/dcache.c                                        |    3 +-
 fs/ecryptfs/inode.c                                |    4 +-
 fs/ecryptfs/miscdev.c                              |    2 +-
 fs/exec.c                                          |  362 +-
 fs/ext2/xattr.c                                    |    5 +-
 fs/ext3/xattr.c                                    |    5 +-
 fs/ext4/ext4.h                                     |   20 +-
 fs/ext4/mballoc.c                                  |   44 +-
 fs/ext4/mmp.c                                      |    2 +-
 fs/ext4/super.c                                    |    4 +-
 fs/ext4/xattr.c                                    |    5 +-
 fs/fhandle.c                                       |    3 +-
 fs/fs_struct.c                                     |    8 +-
 fs/fscache/cookie.c                                |   40 +-
 fs/fscache/internal.h                              |  200 +-
 fs/fscache/object.c                                |   26 +-
 fs/fscache/operation.c                             |   30 +-
 fs/fscache/page.c                                  |  110 +-
 fs/fscache/stats.c                                 |  344 +-
 fs/fuse/cuse.c                                     |   10 +-
 fs/fuse/dev.c                                      |    4 +-
 fs/fuse/dir.c                                      |    2 +-
 fs/gfs2/inode.c                                    |    2 +-
 fs/hostfs/hostfs_kern.c                            |    2 +-
 fs/hugetlbfs/inode.c                               |   13 +-
 fs/inode.c                                         |    4 +-
 fs/jffs2/erase.c                                   |    3 +-
 fs/jffs2/wbuf.c                                    |    3 +-
 fs/jfs/super.c                                     |    2 +-
 fs/libfs.c                                         |   10 +-
 fs/lockd/clntproc.c                                |    4 +-
 fs/locks.c                                         |    8 +-
 fs/namei.c                                         |   15 +-
 fs/namespace.c                                     |   16 +-
 fs/nfs/callback_xdr.c                              |    2 +-
 fs/nfs/inode.c                                     |    6 +-
 fs/nfsd/nfs4proc.c                                 |    2 +-
 fs/nfsd/nfs4xdr.c                                  |    6 +-
 fs/nfsd/nfscache.c                                 |    9 +-
 fs/nfsd/vfs.c                                      |    6 +-
 fs/nls/nls_base.c                                  |   18 +-
 fs/nls/nls_euc-jp.c                                |    6 +-
 fs/nls/nls_koi8-ru.c                               |    6 +-
 fs/notify/fanotify/fanotify_user.c                 |    4 +-
 fs/notify/notification.c                           |    4 +-
 fs/ntfs/dir.c                                      |    2 +-
 fs/ntfs/file.c                                     |    2 +-
 fs/ntfs/super.c                                    |    6 +-
 fs/ocfs2/localalloc.c                              |    2 +-
 fs/ocfs2/ocfs2.h                                   |   10 +-
 fs/ocfs2/suballoc.c                                |   12 +-
 fs/ocfs2/super.c                                   |   20 +-
 fs/pipe.c                                          |   61 +-
 fs/proc/array.c                                    |   20 +
 fs/proc/base.c                                     |    4 +-
 fs/proc/kcore.c                                    |   32 +-
 fs/proc/meminfo.c                                  |    2 +-
 fs/proc/nommu.c                                    |    2 +-
 fs/proc/proc_sysctl.c                              |   18 +-
 fs/proc/self.c                                     |    2 +-
 fs/proc/task_mmu.c                                 |   39 +-
 fs/proc/task_nommu.c                               |    4 +-
 fs/proc/vmcore.c                                   |   12 +-
 fs/qnx6/qnx6.h                                     |    4 +-
 fs/quota/netlink.c                                 |    4 +-
 fs/read_write.c                                    |    2 +-
 fs/reiserfs/do_balan.c                             |    2 +-
 fs/reiserfs/procfs.c                               |    2 +-
 fs/reiserfs/reiserfs.h                             |    4 +-
 fs/seq_file.c                                      |    4 +-
 fs/splice.c                                        |   41 +-
 fs/sysfs/bin.c                                     |    6 +-
 fs/sysfs/dir.c                                     |    2 +-
 fs/sysfs/file.c                                    |   10 +-
 fs/sysfs/symlink.c                                 |    2 +-
 fs/sysv/sysv.h                                     |    2 +-
 fs/ubifs/io.c                                      |    2 +-
 fs/udf/misc.c                                      |    2 +-
 fs/ufs/swab.h                                      |    4 +-
 fs/xattr.c                                         |   21 +
 fs/xattr_acl.c                                     |    4 +-
 fs/xfs/xfs_bmap.c                                  |    2 +-
 fs/xfs/xfs_dir2_readdir.c                          |    7 +-
 fs/xfs/xfs_ioctl.c                                 |    2 +-
 fs/xfs/xfs_iops.c                                  |    2 +-
 include/asm-generic/4level-fixup.h                 |    2 +
 include/asm-generic/atomic-long.h                  |  210 +
 include/asm-generic/atomic.h                       |    2 +-
 include/asm-generic/atomic64.h                     |   12 +
 include/asm-generic/cache.h                        |    4 +-
 include/asm-generic/emergency-restart.h            |    2 +-
 include/asm-generic/kmap_types.h                   |    4 +-
 include/asm-generic/local.h                        |   13 +
 include/asm-generic/pgtable-nopmd.h                |   18 +-
 include/asm-generic/pgtable-nopud.h                |   15 +-
 include/asm-generic/pgtable.h                      |   16 +
 include/asm-generic/uaccess.h                      |   16 +
 include/asm-generic/vmlinux.lds.h                  |   10 +-
 include/crypto/algapi.h                            |    2 +-
 include/drm/drmP.h                                 |   17 +-
 include/drm/drm_crtc_helper.h                      |    2 +-
 include/drm/i915_pciids.h                          |    2 +-
 include/drm/ttm/ttm_memory.h                       |    2 +-
 include/keys/asymmetric-subtype.h                  |    2 +-
 include/linux/atmdev.h                             |    4 +-
 include/linux/audit.h                              |    2 +-
 include/linux/binfmts.h                            |    3 +-
 include/linux/bitops.h                             |    4 +-
 include/linux/blkdev.h                             |    2 +-
 include/linux/blktrace_api.h                       |    2 +-
 include/linux/cache.h                              |    8 +
 include/linux/cdrom.h                              |    1 -
 include/linux/cleancache.h                         |    2 +-
 include/linux/clk-provider.h                       |    1 +
 include/linux/compat.h                             |    4 +-
 include/linux/compiler-gcc4.h                      |   20 +
 include/linux/compiler.h                           |   65 +-
 include/linux/completion.h                         |   12 +-
 include/linux/configfs.h                           |    2 +-
 include/linux/cpufreq.h                            |    3 +-
 include/linux/cpuidle.h                            |    5 +-
 include/linux/cpumask.h                            |   12 +-
 include/linux/crypto.h                             |    6 +-
 include/linux/ctype.h                              |    2 +-
 include/linux/decompress/mm.h                      |    2 +-
 include/linux/devfreq.h                            |    2 +-
 include/linux/device.h                             |    7 +-
 include/linux/dma-mapping.h                        |    2 +-
 include/linux/dmaengine.h                          |    4 +-
 include/linux/efi.h                                |    1 +
 include/linux/elf.h                                |    2 +
 include/linux/err.h                                |    4 +-
 include/linux/extcon.h                             |    2 +-
 include/linux/fb.h                                 |    2 +-
 include/linux/fdtable.h                            |    2 +-
 include/linux/frontswap.h                          |    2 +-
 include/linux/fs.h                                 |    3 +-
 include/linux/fs_struct.h                          |    2 +-
 include/linux/fscache-cache.h                      |    4 +-
 include/linux/fscache.h                            |    2 +-
 include/linux/fsnotify.h                           |    2 +-
 include/linux/genhd.h                              |    4 +-
 include/linux/genl_magic_func.h                    |    2 +-
 include/linux/gfp.h                                |   12 +-
 include/linux/highmem.h                            |   12 +
 include/linux/hwmon-sysfs.h                        |    5 +-
 include/linux/i2c.h                                |    1 +
 include/linux/i2o.h                                |    2 +-
 include/linux/if_pppox.h                           |    2 +-
 include/linux/init.h                               |   12 +-
 include/linux/init_task.h                          |    7 +
 include/linux/interrupt.h                          |    8 +-
 include/linux/iommu.h                              |    2 +-
 include/linux/ioport.h                             |    2 +-
 include/linux/irq.h                                |    3 +-
 include/linux/irqchip/arm-gic.h                    |    4 +-
 include/linux/jiffies.h                            |   12 +-
 include/linux/key-type.h                           |    2 +-
 include/linux/kgdb.h                               |    6 +-
 include/linux/kobject.h                            |    3 +-
 include/linux/kobject_ns.h                         |    2 +-
 include/linux/kref.h                               |    2 +-
 include/linux/kvm_host.h                           |    4 +-
 include/linux/libata.h                             |    2 +-
 include/linux/linkage.h                            |    1 +
 include/linux/list.h                               |   15 +
 include/linux/math64.h                             |   10 +-
 include/linux/mempolicy.h                          |    7 +
 include/linux/mm.h                                 |  118 +-
 include/linux/mm_types.h                           |   20 +
 include/linux/mmiotrace.h                          |    4 +-
 include/linux/mmzone.h                             |    2 +-
 include/linux/mod_devicetable.h                    |    6 +-
 include/linux/module.h                             |   60 +-
 include/linux/moduleloader.h                       |   16 +
 include/linux/moduleparam.h                        |    4 +-
 include/linux/namei.h                              |    6 +-
 include/linux/net.h                                |    2 +-
 include/linux/netdevice.h                          |    3 +-
 include/linux/netfilter.h                          |    2 +-
 include/linux/netfilter/ipset/ip_set.h             |    2 +-
 include/linux/netfilter/nfnetlink.h                |    2 +-
 include/linux/nls.h                                |    2 +-
 include/linux/notifier.h                           |    3 +-
 include/linux/oprofile.h                           |    4 +-
 include/linux/pci_hotplug.h                        |    3 +-
 include/linux/perf_event.h                         |   10 +-
 include/linux/pipe_fs_i.h                          |    8 +-
 include/linux/platform_data/usb-ehci-s5p.h         |    2 +-
 include/linux/platform_data/usb-ohci-exynos.h      |    2 +-
 include/linux/pm_domain.h                          |    2 +-
 include/linux/pm_runtime.h                         |    2 +-
 include/linux/pnp.h                                |    2 +-
 include/linux/poison.h                             |    4 +-
 include/linux/power/smartreflex.h                  |    2 +-
 include/linux/ppp-comp.h                           |    2 +-
 include/linux/preempt.h                            |   19 +
 include/linux/proc_ns.h                            |    2 +-
 include/linux/quota.h                              |    2 +-
 include/linux/random.h                             |   19 +-
 include/linux/rculist.h                            |   16 +
 include/linux/reboot.h                             |   14 +-
 include/linux/regset.h                             |    3 +-
 include/linux/relay.h                              |    2 +-
 include/linux/rio.h                                |    2 +-
 include/linux/rmap.h                               |    4 +-
 include/linux/sched.h                              |   67 +-
 include/linux/sched/sysctl.h                       |    1 +
 include/linux/security.h                           |    2 -
 include/linux/semaphore.h                          |    2 +-
 include/linux/seq_file.h                           |    1 +
 include/linux/skbuff.h                             |   12 +-
 include/linux/slab.h                               |   48 +-
 include/linux/slab_def.h                           |   14 +-
 include/linux/slub_def.h                           |    2 +-
 include/linux/smp.h                                |    2 +
 include/linux/sock_diag.h                          |    2 +-
 include/linux/sonet.h                              |    2 +-
 include/linux/sunrpc/addr.h                        |    8 +-
 include/linux/sunrpc/clnt.h                        |    2 +-
 include/linux/sunrpc/svc.h                         |    2 +-
 include/linux/sunrpc/svc_rdma.h                    |   18 +-
 include/linux/sunrpc/svcauth.h                     |    2 +-
 include/linux/swiotlb.h                            |    3 +-
 include/linux/syscalls.h                           |   18 +-
 include/linux/syscore_ops.h                        |    2 +-
 include/linux/sysctl.h                             |    6 +-
 include/linux/sysfs.h                              |    9 +-
 include/linux/sysrq.h                              |    3 +-
 include/linux/thread_info.h                        |    7 +
 include/linux/tty.h                                |    4 +-
 include/linux/tty_driver.h                         |    2 +-
 include/linux/tty_ldisc.h                          |    2 +-
 include/linux/types.h                              |   16 +
 include/linux/uaccess.h                            |    6 +-
 include/linux/unaligned/access_ok.h                |   24 +-
 include/linux/usb.h                                |    4 +-
 include/linux/usb/renesas_usbhs.h                  |    2 +-
 include/linux/vermagic.h                           |   21 +-
 include/linux/vmalloc.h                            |    9 +-
 include/linux/vmstat.h                             |   20 +-
 include/linux/xattr.h                              |    5 +-
 include/linux/zlib.h                               |    3 +-
 include/media/v4l2-dev.h                           |    2 +-
 include/media/v4l2-device.h                        |    2 +-
 include/net/9p/transport.h                         |    2 +-
 include/net/bluetooth/l2cap.h                      |    2 +-
 include/net/caif/cfctrl.h                          |    6 +-
 include/net/flow.h                                 |    2 +-
 include/net/genetlink.h                            |    2 +-
 include/net/gro_cells.h                            |    2 +-
 include/net/inet_connection_sock.h                 |    2 +-
 include/net/inetpeer.h                             |   17 +-
 include/net/ip.h                                   |    2 +-
 include/net/ip_fib.h                               |    2 +-
 include/net/ip_vs.h                                |    8 +-
 include/net/irda/ircomm_tty.h                      |    1 +
 include/net/iucv/af_iucv.h                         |    2 +-
 include/net/llc_c_ac.h                             |    2 +-
 include/net/llc_c_ev.h                             |    4 +-
 include/net/llc_c_st.h                             |    2 +-
 include/net/llc_s_ac.h                             |    2 +-
 include/net/llc_s_st.h                             |    2 +-
 include/net/mac80211.h                             |    2 +-
 include/net/neighbour.h                            |    2 +-
 include/net/net_namespace.h                        |   20 +-
 include/net/netdma.h                               |    2 +-
 include/net/netlink.h                              |    2 +-
 include/net/netns/conntrack.h                      |    6 +-
 include/net/netns/ipv4.h                           |    4 +-
 include/net/netns/ipv6.h                           |    4 +-
 include/net/ping.h                                 |    2 +-
 include/net/protocol.h                             |    4 +-
 include/net/rtnetlink.h                            |    2 +-
 include/net/sctp/sm.h                              |    4 +-
 include/net/sctp/structs.h                         |    2 +-
 include/net/sock.h                                 |    6 +-
 include/net/tcp.h                                  |    8 +-
 include/net/xfrm.h                                 |   13 +-
 include/rdma/iw_cm.h                               |    2 +-
 include/scsi/libfc.h                               |    3 +-
 include/scsi/scsi_device.h                         |    6 +-
 include/scsi/scsi_transport_fc.h                   |    3 +-
 include/sound/compress_driver.h                    |    2 +-
 include/sound/soc.h                                |    4 +-
 include/target/target_core_base.h                  |    2 +-
 include/trace/events/irq.h                         |    4 +-
 include/uapi/linux/a.out.h                         |    8 +
 include/uapi/linux/byteorder/little_endian.h       |   28 +-
 include/uapi/linux/elf.h                           |   28 +
 include/uapi/linux/screen_info.h                   |    3 +-
 include/uapi/linux/swab.h                          |    6 +-
 include/uapi/linux/sysctl.h                        |    6 +-
 include/uapi/linux/xattr.h                         |    4 +
 include/video/udlfb.h                              |    8 +-
 include/video/uvesafb.h                            |    1 +
 init/Kconfig                                       |    2 +-
 init/Makefile                                      |    3 +
 init/do_mounts.c                                   |   14 +-
 init/do_mounts.h                                   |    8 +-
 init/do_mounts_initrd.c                            |   30 +-
 init/do_mounts_md.c                                |    6 +-
 init/init_task.c                                   |    4 +
 init/initramfs.c                                   |   42 +-
 init/main.c                                        |   77 +-
 ipc/ipc_sysctl.c                                   |   10 +-
 ipc/mq_sysctl.c                                    |    2 +-
 ipc/msg.c                                          |   11 +-
 ipc/sem.c                                          |   11 +-
 ipc/shm.c                                          |   17 +-
 kernel/acct.c                                      |    2 +-
 kernel/audit.c                                     |   10 +-
 kernel/auditsc.c                                   |    4 +-
 kernel/capability.c                                |    3 +
 kernel/compat.c                                    |   38 +-
 kernel/debug/debug_core.c                          |   16 +-
 kernel/debug/kdb/kdb_main.c                        |    4 +-
 kernel/events/core.c                               |   30 +-
 kernel/events/internal.h                           |   12 +-
 kernel/events/uprobes.c                            |    2 +-
 kernel/exit.c                                      |    4 +-
 kernel/fork.c                                      |  166 +-
 kernel/futex.c                                     |   11 +-
 kernel/futex_compat.c                              |    2 +-
 kernel/gcov/base.c                                 |    7 +-
 kernel/hrtimer.c                                   |    2 +-
 kernel/irq_work.c                                  |    7 +-
 kernel/jump_label.c                                |    5 +
 kernel/kallsyms.c                                  |   39 +-
 kernel/kexec.c                                     |    3 +-
 kernel/kmod.c                                      |    4 +-
 kernel/kprobes.c                                   |    8 +-
 kernel/ksysfs.c                                    |    2 +-
 kernel/lockdep.c                                   |    7 +-
 kernel/module.c                                    |  337 +-
 kernel/mutex-debug.c                               |   12 +-
 kernel/mutex-debug.h                               |    4 +-
 kernel/mutex.c                                     |   10 +-
 kernel/notifier.c                                  |   17 +-
 kernel/panic.c                                     |    3 +-
 kernel/pid.c                                       |    2 +-
 kernel/pid_namespace.c                             |    2 +-
 kernel/posix-cpu-timers.c                          |    4 +-
 kernel/posix-timers.c                              |   24 +-
 kernel/power/process.c                             |   12 +-
 kernel/profile.c                                   |   14 +-
 kernel/ptrace.c                                    |    8 +-
 kernel/rcupdate.c                                  |    4 +-
 kernel/rcutiny.c                                   |    4 +-
 kernel/rcutorture.c                                |   56 +-
 kernel/rcutree.c                                   |   76 +-
 kernel/rcutree.h                                   |   26 +-
 kernel/rcutree_plugin.h                            |   30 +-
 kernel/rcutree_trace.c                             |   22 +-
 kernel/rtmutex-tester.c                            |   24 +-
 kernel/sched/auto_group.c                          |    4 +-
 kernel/sched/core.c                                |   49 +-
 kernel/sched/fair.c                                |    4 +-
 kernel/sched/sched.h                               |    2 +-
 kernel/signal.c                                    |   12 +-
 kernel/smpboot.c                                   |    4 +-
 kernel/softirq.c                                   |   14 +-
 kernel/srcu.c                                      |    4 +-
 kernel/sys.c                                       |   10 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/time/alarmtimer.c                           |    2 +-
 kernel/time/timer_stats.c                          |   10 +-
 kernel/timer.c                                     |    4 +-
 kernel/trace/blktrace.c                            |    6 +-
 kernel/trace/ftrace.c                              |   18 +-
 kernel/trace/ring_buffer.c                         |   76 +-
 kernel/trace/trace.c                               |    2 +-
 kernel/trace/trace.h                               |    2 +-
 kernel/trace/trace_clock.c                         |    4 +-
 kernel/trace/trace_events.c                        |    1 -
 kernel/trace/trace_mmiotrace.c                     |    8 +-
 kernel/trace/trace_output.c                        |   12 +-
 kernel/trace/trace_stack.c                         |    2 +-
 kernel/user_namespace.c                            |    2 +-
 kernel/utsname_sysctl.c                            |    2 +-
 kernel/watchdog.c                                  |    2 +-
 kernel/workqueue.c                                 |    2 +-
 lib/Kconfig.debug                                  |    8 +-
 lib/Makefile                                       |    2 +-
 lib/bitmap.c                                       |    8 +-
 lib/bug.c                                          |    2 +
 lib/debugobjects.c                                 |    2 +-
 lib/devres.c                                       |    4 +-
 lib/div64.c                                        |    4 +-
 lib/dma-debug.c                                    |    4 +-
 lib/inflate.c                                      |    2 +-
 lib/ioremap.c                                      |    4 +-
 lib/kobject.c                                      |    4 +-
 lib/list_debug.c                                   |  126 +-
 lib/percpu-refcount.c                              |    2 +-
 lib/radix-tree.c                                   |    2 +-
 lib/strncpy_from_user.c                            |    2 +-
 lib/strnlen_user.c                                 |    2 +-
 lib/swiotlb.c                                      |    2 +-
 lib/usercopy.c                                     |    6 +
 lib/vsprintf.c                                     |   12 +-
 mm/Kconfig                                         |    6 +-
 mm/backing-dev.c                                   |    4 +-
 mm/filemap.c                                       |   10 +-
 mm/fremap.c                                        |    5 +
 mm/highmem.c                                       |    7 +-
 mm/hugetlb.c                                       |   70 +-
 mm/internal.h                                      |    3 +-
 mm/maccess.c                                       |    4 +-
 mm/madvise.c                                       |   41 +
 mm/memory-failure.c                                |   26 +-
 mm/memory.c                                        |  424 +-
 mm/mempolicy.c                                     |   25 +
 mm/mlock.c                                         |   15 +-
 mm/mmap.c                                          |  591 ++-
 mm/mprotect.c                                      |  139 +-
 mm/mremap.c                                        |   44 +-
 mm/nommu.c                                         |   21 +-
 mm/page-writeback.c                                |    2 +-
 mm/page_alloc.c                                    |   42 +-
 mm/page_io.c                                       |    2 +-
 mm/percpu.c                                        |    2 +-
 mm/process_vm_access.c                             |   14 +-
 mm/rmap.c                                          |   44 +-
 mm/shmem.c                                         |   19 +-
 mm/slab.c                                          |  108 +-
 mm/slab.h                                          |   15 +-
 mm/slab_common.c                                   |   60 +-
 mm/slob.c                                          |  206 +-
 mm/slub.c                                          |   88 +-
 mm/sparse-vmemmap.c                                |    4 +-
 mm/sparse.c                                        |    2 +-
 mm/swap.c                                          |    2 +
 mm/swapfile.c                                      |   12 +-
 mm/util.c                                          |    6 +
 mm/vmalloc.c                                       |   75 +-
 mm/vmstat.c                                        |   12 +-
 net/8021q/vlan.c                                   |    5 +-
 net/9p/mod.c                                       |    4 +-
 net/9p/trans_fd.c                                  |    2 +-
 net/atm/atm_misc.c                                 |    8 +-
 net/atm/lec.h                                      |    2 +-
 net/atm/proc.c                                     |    6 +-
 net/atm/resources.c                                |    4 +-
 net/ax25/sysctl_net_ax25.c                         |    2 +-
 net/batman-adv/bat_iv_ogm.c                        |    8 +-
 net/batman-adv/hard-interface.c                    |    2 +-
 net/batman-adv/soft-interface.c                    |    4 +-
 net/batman-adv/types.h                             |    6 +-
 net/batman-adv/unicast.c                           |    2 +-
 net/bluetooth/hci_sock.c                           |    2 +-
 net/bluetooth/l2cap_core.c                         |    6 +-
 net/bluetooth/l2cap_sock.c                         |   12 +-
 net/bluetooth/rfcomm/sock.c                        |    4 +-
 net/bluetooth/rfcomm/tty.c                         |    4 +-
 net/bridge/netfilter/ebtables.c                    |    6 +-
 net/caif/cfctrl.c                                  |   11 +-
 net/can/af_can.c                                   |    2 +-
 net/can/gw.c                                       |    6 +-
 net/ceph/messenger.c                               |    4 +-
 net/compat.c                                       |   34 +-
 net/core/datagram.c                                |    2 +-
 net/core/dev.c                                     |   16 +-
 net/core/flow.c                                    |    8 +-
 net/core/iovec.c                                   |    4 +-
 net/core/neighbour.c                               |    2 +-
 net/core/net-sysfs.c                               |    2 +-
 net/core/net_namespace.c                           |    8 +-
 net/core/netpoll.c                                 |    4 +-
 net/core/rtnetlink.c                               |   13 +-
 net/core/scm.c                                     |    8 +-
 net/core/skbuff.c                                  |    6 +-
 net/core/sock.c                                    |   28 +-
 net/core/sock_diag.c                               |    9 +-
 net/core/sysctl_net_core.c                         |   18 +-
 net/decnet/af_decnet.c                             |    1 +
 net/decnet/sysctl_net_decnet.c                     |    4 +-
 net/ieee802154/6lowpan.c                           |    2 +-
 net/ipv4/af_inet.c                                 |    8 +-
 net/ipv4/devinet.c                                 |   18 +-
 net/ipv4/fib_frontend.c                            |    6 +-
 net/ipv4/fib_semantics.c                           |    2 +-
 net/ipv4/inet_connection_sock.c                    |    2 +-
 net/ipv4/inetpeer.c                                |    4 +-
 net/ipv4/ip_fragment.c                             |   15 +-
 net/ipv4/ip_gre.c                                  |    6 +-
 net/ipv4/ip_sockglue.c                             |    2 +-
 net/ipv4/ip_vti.c                                  |    4 +-
 net/ipv4/ipconfig.c                                |    6 +-
 net/ipv4/ipip.c                                    |    4 +-
 net/ipv4/netfilter/arp_tables.c                    |   12 +-
 net/ipv4/netfilter/ip_tables.c                     |   12 +-
 net/ipv4/ping.c                                    |   14 +-
 net/ipv4/raw.c                                     |   14 +-
 net/ipv4/route.c                                   |   20 +-
 net/ipv4/sysctl_net_ipv4.c                         |   45 +-
 net/ipv4/tcp_input.c                               |    2 +-
 net/ipv4/tcp_probe.c                               |    2 +-
 net/ipv4/udp.c                                     |   10 +-
 net/ipv4/xfrm4_policy.c                            |   18 +-
 net/ipv6/addrconf.c                                |   12 +-
 net/ipv6/af_inet6.c                                |    2 +-
 net/ipv6/datagram.c                                |    2 +-
 net/ipv6/icmp.c                                    |    2 +-
 net/ipv6/ip6_gre.c                                 |    8 +-
 net/ipv6/ip6_tunnel.c                              |    4 +-
 net/ipv6/ipv6_sockglue.c                           |    2 +-
 net/ipv6/netfilter/ip6_tables.c                    |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   14 +-
 net/ipv6/output_core.c                             |   15 +-
 net/ipv6/ping.c                                    |   28 +-
 net/ipv6/raw.c                                     |   17 +-
 net/ipv6/reassembly.c                              |   13 +-
 net/ipv6/route.c                                   |    2 +-
 net/ipv6/sit.c                                     |    4 +-
 net/ipv6/sysctl_net_ipv6.c                         |    2 +-
 net/ipv6/udp.c                                     |    6 +-
 net/ipv6/xfrm6_policy.c                            |   17 +-
 net/irda/ircomm/ircomm_tty.c                       |   18 +-
 net/iucv/af_iucv.c                                 |    4 +-
 net/iucv/iucv.c                                    |    2 +-
 net/key/af_key.c                                   |    4 +-
 net/mac80211/cfg.c                                 |    8 +-
 net/mac80211/ieee80211_i.h                         |    3 +-
 net/mac80211/iface.c                               |   16 +-
 net/mac80211/main.c                                |    2 +-
 net/mac80211/pm.c                                  |    6 +-
 net/mac80211/rate.c                                |    2 +-
 net/mac80211/rc80211_pid_debugfs.c                 |    2 +-
 net/mac80211/util.c                                |    4 +-
 net/netfilter/ipset/ip_set_core.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                    |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                    |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                   |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                    |    4 +-
 net/netfilter/nf_conntrack_acct.c                  |    2 +-
 net/netfilter/nf_conntrack_ecache.c                |    2 +-
 net/netfilter/nf_conntrack_helper.c                |    2 +-
 net/netfilter/nf_conntrack_proto.c                 |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c            |   10 +-
 net/netfilter/nf_conntrack_standalone.c            |    2 +-
 net/netfilter/nf_conntrack_timestamp.c             |    2 +-
 net/netfilter/nf_log.c                             |   10 +-
 net/netfilter/nf_sockopt.c                         |    4 +-
 net/netfilter/nfnetlink_log.c                      |    4 +-
 net/netfilter/xt_statistic.c                       |    8 +-
 net/netlink/af_netlink.c                           |    4 +-
 net/netlink/genetlink.c                            |   16 +-
 net/packet/af_packet.c                             |    8 +-
 net/phonet/pep.c                                   |    6 +-
 net/phonet/socket.c                                |    2 +-
 net/phonet/sysctl.c                                |    2 +-
 net/rds/cong.c                                     |    6 +-
 net/rds/ib.h                                       |    2 +-
 net/rds/ib_cm.c                                    |    2 +-
 net/rds/ib_recv.c                                  |    4 +-
 net/rds/iw.h                                       |    2 +-
 net/rds/iw_cm.c                                    |    2 +-
 net/rds/iw_recv.c                                  |    4 +-
 net/rds/rds.h                                      |    2 +-
 net/rds/tcp.c                                      |    2 +-
 net/rds/tcp_send.c                                 |    2 +-
 net/rxrpc/af_rxrpc.c                               |    2 +-
 net/rxrpc/ar-ack.c                                 |   14 +-
 net/rxrpc/ar-call.c                                |    2 +-
 net/rxrpc/ar-connection.c                          |    2 +-
 net/rxrpc/ar-connevent.c                           |    2 +-
 net/rxrpc/ar-input.c                               |    4 +-
 net/rxrpc/ar-internal.h                            |    8 +-
 net/rxrpc/ar-local.c                               |    2 +-
 net/rxrpc/ar-output.c                              |    4 +-
 net/rxrpc/ar-peer.c                                |    2 +-
 net/rxrpc/ar-proc.c                                |    4 +-
 net/rxrpc/ar-transport.c                           |    2 +-
 net/rxrpc/rxkad.c                                  |    4 +-
 net/sctp/ipv6.c                                    |    6 +-
 net/sctp/protocol.c                                |   10 +-
 net/sctp/sm_sideeffect.c                           |    2 +-
 net/sctp/socket.c                                  |   21 +-
 net/sctp/sysctl.c                                  |    4 +-
 net/socket.c                                       |   18 +-
 net/sunrpc/auth_gss/svcauth_gss.c                  |    4 +-
 net/sunrpc/clnt.c                                  |    4 +-
 net/sunrpc/sched.c                                 |    4 +-
 net/sunrpc/svc.c                                   |    4 +-
 net/sunrpc/svcauth_unix.c                          |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                     |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c            |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c              |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c           |   10 +-
 net/tipc/link.c                                    |    4 +-
 net/tipc/msg.c                                     |    2 +-
 net/tipc/subscr.c                                  |    2 +-
 net/unix/sysctl_net_unix.c                         |    2 +-
 net/wireless/wext-core.c                           |   19 +-
 net/xfrm/xfrm_policy.c                             |   22 +-
 net/xfrm/xfrm_state.c                              |   33 +-
 net/xfrm/xfrm_sysctl.c                             |    2 +-
 scripts/Makefile.build                             |    2 +-
 scripts/Makefile.clean                             |    3 +-
 scripts/Makefile.host                              |   28 +-
 scripts/basic/fixdep.c                             |   12 +-
 scripts/gcc-plugin.sh                              |   17 +
 scripts/headers_install.sh                         |    1 +
 scripts/link-vmlinux.sh                            |    2 +-
 scripts/mod/file2alias.c                           |   14 +-
 scripts/mod/modpost.c                              |   25 +-
 scripts/mod/modpost.h                              |    6 +-
 scripts/mod/sumversion.c                           |    2 +-
 scripts/module-common.lds                          |    4 +
 scripts/package/builddeb                           |    1 +
 scripts/pnmtologo.c                                |    6 +-
 scripts/sortextable.h                              |    6 +-
 security/Kconfig                                   |  690 ++-
 security/apparmor/lsm.c                            |    2 +-
 security/integrity/ima/ima.h                       |    4 +-
 security/integrity/ima/ima_api.c                   |    2 +-
 security/integrity/ima/ima_fs.c                    |    4 +-
 security/integrity/ima/ima_queue.c                 |    2 +-
 security/keys/compat.c                             |    2 +-
 security/keys/internal.h                           |    2 +-
 security/keys/key.c                                |   18 +-
 security/keys/keyctl.c                             |    8 +-
 security/keys/keyring.c                            |    6 +-
 security/security.c                                |    9 +-
 security/selinux/avc.c                             |    6 +-
 security/selinux/hooks.c                           |   11 +-
 security/selinux/include/xfrm.h                    |    2 +-
 security/smack/smack_lsm.c                         |    2 +-
 security/tomoyo/tomoyo.c                           |    2 +-
 security/yama/yama_lsm.c                           |   22 +-
 sound/aoa/codecs/onyx.c                            |    7 +-
 sound/aoa/codecs/onyx.h                            |    1 +
 sound/core/oss/pcm_oss.c                           |   18 +-
 sound/core/pcm_compat.c                            |    2 +-
 sound/core/pcm_native.c                            |    4 +-
 sound/core/seq/seq_device.c                        |    8 +-
 sound/core/sound.c                                 |    2 +-
 sound/drivers/mts64.c                              |   14 +-
 sound/drivers/opl4/opl4_lib.c                      |    2 +-
 sound/drivers/portman2x4.c                         |    3 +-
 sound/firewire/amdtp.c                             |    4 +-
 sound/firewire/amdtp.h                             |    2 +-
 sound/firewire/isight.c                            |   10 +-
 sound/firewire/scs1x.c                             |    8 +-
 sound/oss/sb_audio.c                               |    2 +-
 sound/oss/swarm_cs4297a.c                          |    6 +-
 sound/pci/hda/hda_codec.c                          |    8 +-
 sound/pci/ymfpci/ymfpci.h                          |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                     |   12 +-
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 tools/gcc/.gitignore                               |    1 +
 tools/gcc/Makefile                                 |   45 +
 tools/gcc/checker_plugin.c                         |  172 +
 tools/gcc/colorize_plugin.c                        |  151 +
 tools/gcc/constify_plugin.c                        |  560 ++
 tools/gcc/generate_size_overflow_hash.sh           |   94 +
 tools/gcc/kallocstat_plugin.c                      |  170 +
 tools/gcc/kernexec_plugin.c                        |  471 ++
 tools/gcc/latent_entropy_plugin.c                  |  335 +
 tools/gcc/size_overflow_hash.data                  | 7613 ++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                   | 3840 ++++++++++
 tools/gcc/stackleak_plugin.c                       |  327 +
 tools/gcc/structleak_plugin.c                      |  277 +
 tools/lib/lk/Makefile                              |    2 +-
 tools/perf/util/include/asm/alternative-asm.h      |    3 +
 tools/perf/util/include/linux/compiler.h           |    8 +
 virt/kvm/kvm_main.c                                |   32 +-
 1701 files changed, 36050 insertions(+), 7719 deletions(-)
commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 17:50:21 2013 -0500

    remove unnecessary code/comments after new reload method

 grsecurity/gracl.c        |    4 ----
 grsecurity/gracl_policy.c |   13 -------------
 2 files changed, 0 insertions(+), 17 deletions(-)

commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 16:05:01 2013 -0500

    Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous
    features have been added since then)
    
    Introduce new atomic RBAC reload method, developed as part of sponsorship
    by EIG
    
    This is accompanied by an updated 3.0 gradm which will use the new reload
    method when -R is passed to gradm.  The old method will still be available
    via gradm -r (which is what a 2.9.1 gradm will continue to use).
    
    The new RBAC reload method is atomic in the sense that at no point in the
    reload process will the system not be covered by a coherent full policy.
    In contrast to previous reload behavior, it also preserves inherited subjects
    and special roles.
    
    The old RBAC reload method has also been made atomic.  Both methods have
    been updated to perform role_allowed_ip checks only against the IP tagged
    to the task at the time its role was first applied or changed.  This resolves
    long-standing usability problems with the use of role_allowed_ip and matches
    the policies created by learning.

 grsecurity/Makefile         |    2 +-
 grsecurity/gracl.c          | 3903 +++++++++++++------------------------------
 grsecurity/gracl_alloc.c    |   42 +-
 grsecurity/gracl_compat.c   |    3 +-
 grsecurity/gracl_policy.c   | 1838 ++++++++++++++++++++
 grsecurity/gracl_segv.c     |   12 +-
 grsecurity/grsec_disabled.c |    7 -
 grsecurity/grsec_init.c     |   15 -
 include/linux/gracl.h       |   43 +-
 include/linux/grinternal.h  |    1 -
 include/linux/grsecurity.h  |    1 -
 include/linux/sched.h       |    2 +
 12 files changed, 3082 insertions(+), 2787 deletions(-)

commit d8981a4fd03025434a466fd87a0eaea93755bc70
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 15:08:28 2013 -0500

    compile fix for recent GRKERNSEC_CHROOT_INITRD change

 init/main.c |   12 +++---------
 1 files changed, 3 insertions(+), 9 deletions(-)

commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 18:27:37 2013 -0500

    Make the recent usermode_helper protection race-free as far as userland
    is concerned by creating a copy of the path to be executed, then check against
    that copied path instead of the still-mutable original path

 include/linux/kmod.h |    3 +++
 kernel/kmod.c        |   13 +++++++++++++
 2 files changed, 16 insertions(+), 0 deletions(-)

commit ecdd0610bef058fd33fee50b489d949c1a0db07a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 17:20:15 2013 -0500

    Produce a UDEREF message when faulting on kernel access to a non-present
    page in the userland range.  This is purely for consistency of logs,
    due to there being no domain present to fault based on.  An
    "Unable to handle kernel fault.." oops would already (and still is)
    generated for these cases, triggering grsec's bruteforce prevention.
    
    Reported by acez on IRC

 arch/arm/mm/fault.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit 3f4adfade80bba0d865b5c603bd58da555ca4553
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:56:46 2013 -0500

    Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option,
    Also make sure we mark init as run if no initrd was used. Though this
    should already be enforced in grsec_chroot.c, this should future-proof
    the feature a bit in case userland somehow changes drastically.
    
    Conflicts:
    
        init/main.c

 grsecurity/Kconfig        |    2 +-
 grsecurity/grsec_chroot.c |    2 +-
 init/main.c               |   15 +++++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

commit d4a9bb63091852b5b49ebd216796b374e5c0dc71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:33:20 2013 -0500

    limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected

 kernel/kmod.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit e727db195f8bed17c65d050e1772643d730fe565
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:02:01 2013 -0500

    perform USERCOPY kernel text checks against the linear mapping on amd64 as well

 fs/exec.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb
Merge: 2fcc3a5 2d1263b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 22 21:11:44 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1
Merge: d52f291 e0cd057
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 22 21:11:33 2013 -0500

    Merge branch 'linux-3.11.y' into pax-test
    
    Conflicts:
        drivers/net/ethernet/chelsio/cxgb3/sge.c

commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 22 20:31:37 2013 -0500

    Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
    
    This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
    
    It caused errors with traceroute, reported to upstream and fixed with
    http://patchwork.ozlabs.org/patch/293614/
    But there's no reason for us to maintain this backport as we're
    already impervious to recvmsg/msg_name infoleaks
    
    Conflicts:
    
        net/ipv4/ping.c

 net/ieee802154/dgram.c |    3 ++-
 net/ipv4/ping.c        |   11 +++++++++--
 net/ipv4/raw.c         |    4 +++-
 net/ipv4/udp.c         |    7 ++++++-
 net/ipv6/raw.c         |    4 +++-
 net/ipv6/udp.c         |    5 ++++-
 net/l2tp/l2tp_ip.c     |    4 +++-
 net/phonet/datagram.c  |    9 +++++----
 8 files changed, 35 insertions(+), 12 deletions(-)

commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Nov 18 07:07:45 2013 +0100

    Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0
    
    ping: prevent NULL pointer dereference on write to msg_name
    
    A plain read() on a socket does set msg->msg_name to NULL. So check for
    NULL pointer first.
    
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c |   34 +++++++++++++++++++---------------
 1 files changed, 19 insertions(+), 15 deletions(-)

commit 8bb32f2682953e1b748a59c4a4363b237c3510df
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Nov 18 04:20:45 2013 +0100

    Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69
    
    inet: prevent leakage of uninitialized memory to user in recv syscalls
    
    Only update *addr_len when we actually fill in sockaddr, otherwise we
    can return uninitialized memory from the stack to the caller in the
    recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
    checks because we only get called with a valid addr_len pointer either
    from sock_common_recvmsg or inet_recvmsg.
    
    If a blocking read waits on a socket which is concurrently shut down we
    now return zero and set msg_msgnamelen to 0.
    
    Reported-by: mpb <mpb.mail@gmail.com>
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ieee802154/dgram.c |    3 +--
 net/ipv4/ping.c        |   19 +++++++------------
 net/ipv4/raw.c         |    4 +---
 net/ipv4/udp.c         |    7 +------
 net/ipv6/raw.c         |    4 +---
 net/ipv6/udp.c         |    5 +----
 net/l2tp/l2tp_ip.c     |    4 +---
 net/phonet/datagram.c  |    9 ++++-----
 8 files changed, 17 insertions(+), 38 deletions(-)

commit 642d754081c130a151e7df27e5c07edf2f368106
Author: Jeff Layton <jlayton@redhat.com>
Date:   Wed Nov 13 09:08:21 2013 -0500

    Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545
    
    nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once
    
    Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or
    NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again.
    There is no guarantee that doing so will work however, so we can end up
    retrying the call in an infinite loop.
    
    Worse yet, we create the new client using rpc_clone_client_set_auth,
    which creates the new client as a child of the old one. Thus, we can end
    up with a *very* long lineage of rpc_clnts. When we go to put all of the
    references to them, we can end up with a long call chain that can smash
    the stack as each rpc_free_client() call can recurse back into itself.
    
    This patch fixes this by simply ensuring that the SETCLIENTID call will
    only be retried in this situation if the last attempt did not use
    RPC_AUTH_UNIX.
    
    Note too that with this change, we don't need the (i > 2) check in the
    -EACCES case since we now have a more reliable test as to whether we
    should reattempt.
    
    Cc: stable@vger.kernel.org # v3.10+
    Cc: Chuck Lever <chuck.lever@oracle.com>
    Tested-by/Acked-by: Weston Andros Adamson <dros@netapp.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 fs/nfs/nfs4state.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Wed Jul 24 12:28:28 2013 -0400

    Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e
    
    NFS: Use root's credential for lease management when keytab is missing
    
    Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting"
    Fri Sep 14 17:24:32 2012 introduced Uniform Client String support,
    which forces our NFS client to establish a client ID immediately
    during a mount operation rather than waiting until a user wants to
    open a file.
    
    Normally machine credentials (eg. from a keytab) are used to perform
    a mount operation that is protected by Kerberos.  Before 05fc350,
    SETCLIENTID used a machine credential, or fell back to a regular
    user's credential if no keytab is available.
    
    On clients that don't have a keytab, performing SETCLIENTID early
    means there's no user credential to fall back on, since no regular
    user has kinit'd yet.  05f4c350 seems to have broken the ability
    to mount with sec=krb5 on clients that don't have a keytab in
    kernels 3.7 - 3.10.
    
    To address this regression, commit 4edaa308 (NFS: Use "krb5i" to
    establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013,
    was merged in 3.10.  This commit forces the NFS client to fall back
    to AUTH_SYS for lease management operations if no keytab is
    available.
    
    Neil Brown noticed that, since root is required to kinit to do a
    sec=krb5 mount when a client doesn't have a keytab, we can try to
    use root's Kerberos credential before AUTH_SYS.
    
    Now, when determining a principal and flavor to use for lease
    management, the NFS client tries in this order:
    
      1.  Flavor: AUTH_GSS, krb5i
          Principal: service principal (via keytab)
    
      2.  Flavor: AUTH_GSS, krb5i
          Principal: user principal established for UID 0 (via kinit)
    
      3.  Flavor: AUTH_SYS
          Principal: UID 0 / GID 0
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 fs/nfs/nfs4state.c |   19 ++++++++++++++++++-
 1 files changed, 18 insertions(+), 1 deletions(-)

commit 6ebab64904f37af82e950b0c6d321437e810b248
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Tue Nov 12 17:24:36 2013 -0500

    Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b
    
    SUNRPC: Avoid deep recursion in rpc_release_client
    
    In cases where an rpc client has a parent hierarchy, then
    rpc_free_client may end up calling rpc_release_client() on the
    parent, thus recursing back into rpc_free_client. If the hierarchy
    is deep enough, then we can get into situations where the stack
    simply overflows.
    
    The fix is to have rpc_release_client() loop so that it can take
    care of the parent rpc client hierarchy without needing to
    recurse.
    
    Reported-by: Jeff Layton <jlayton@redhat.com>
    Reported-by: Weston Andros Adamson <dros@netapp.com>
    Reported-by: Bruce Fields <bfields@fieldses.org>
    Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |   29 +++++++++++++++++------------
 1 files changed, 17 insertions(+), 12 deletions(-)

commit fcb4306973aed105cc6d042077bf31e21b812008
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Nov 8 16:03:50 2013 -0500

    Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73
    
    SUNRPC: Fix a data corruption issue when retransmitting RPC calls
    
    The following scenario can cause silent data corruption when doing
    NFS writes. It has mainly been observed when doing database writes
    using O_DIRECT.
    
    1) The RPC client uses sendpage() to do zero-copy of the page data.
    2) Due to networking issues, the reply from the server is delayed,
       and so the RPC client times out.
    
    3) The client issues a second sendpage of the page data as part of
       an RPC call retransmission.
    
    4) The reply to the first transmission arrives from the server
       _before_ the client hardware has emptied the TCP socket send
       buffer.
    5) After processing the reply, the RPC state machine rules that
       the call to be done, and triggers the completion callbacks.
    6) The application notices the RPC call is done, and reuses the
       pages to store something else (e.g. a new write).
    
    7) The client NIC drains the TCP socket send buffer. Since the
       page data has now changed, it reads a corrupted version of the
       initial RPC call, and puts it on the wire.
    
    This patch fixes the problem in the following manner:
    
    The ordering guarantees of TCP ensure that when the server sends a
    reply, then we know that the _first_ transmission has completed. Using
    zero-copy in that situation is therefore safe.
    If a time out occurs, we then send the retransmission using sendmsg()
    (i.e. no zero-copy), We then know that the socket contains a full copy of
    the data, and so it will retransmit a faithful reproduction even if the
    RPC call completes, and the application reuses the O_DIRECT buffer in
    the meantime.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: stable@vger.kernel.org

 net/sunrpc/xprtsock.c |   28 +++++++++++++++++++++-------
 1 files changed, 21 insertions(+), 7 deletions(-)

commit 2c59d4080ae744532dbe595f6923dcba72279977
Merge: b2b99c6 d52f291
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 19:07:55 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit d52f291621da9227cda5fd647e82dfe9bfc11265
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 19:07:14 2013 -0500

    Update to pax-linux-3.11.8-test14.patch:
    - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878)

 mm/page_alloc.c                   |    2 +-
 tools/gcc/latent_entropy_plugin.c |   34 ++++++++++++++++++++++++----------
 2 files changed, 25 insertions(+), 11 deletions(-)

commit b2b99c6972e345565d561b722de210f071e5e259
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:47:37 2013 -0500

    Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e
    
    ipv6: fix headroom calculation in udp6_ufo_fragment
    Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
    fragmentation for tunnel traffic.") changed the calculation if
    there is enough space to include a fragment header in the skb from a
    skb->mac_header dervived one to skb_headroom. Because we already peeled
    off the skb to transport_header this is wrong. Change this back to check
    if we have enough room before the mac_header.
    
    This fixes a panic Saran Neti reported. He used the tbf scheduler which
    skb_gso_segments the skb. The offsets get negative and we panic in memcpy
    because the skb was erroneously not expanded at the head.
    
    Reported-by: Saran Neti <Saran.Neti@telus.com>
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/udp_offload.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 012ee7647e16f464f8d1ad004e28eac2ba778158
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Nov 14 11:21:10 2013 +0300

    Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796
    
    isdnloop: use strlcpy() instead of strcpy()
    
    These strings come from a copy_from_user() and there is no way to be
    sure they are NUL terminated.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/isdnloop/isdnloop.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Nov 14 13:37:54 2013 -0800

    Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf
    
    ipv4: fix possible seqlock deadlock
    
    ip4_datagram_connect() being called from process context,
    it should use IP_INC_STATS() instead of IP_INC_STATS_BH()
    otherwise we can deadlock on 32bit arches, or get corruptions of
    SNMP counters.
    
    Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/datagram.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1a642170613ae336331f2df38aa8f2c1227d3c96
Merge: 60c6423 84d78c7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:28:51 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:28:07 2013 -0500

    Update to pax-linux-3.11.8-test13.patch:
    - forward port to 3.11.8
    - removed some no longer used code from bpf jit
    - fixed some atomic_unchecked_t usage in oprofile and uio
    - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy

 arch/x86/include/asm/mmu_context.h                 |    8 ++++++++
 arch/x86/kernel/setup.c                            |    2 +-
 drivers/bluetooth/btwilink.c                       |    2 +-
 drivers/md/dm-table.c                              |    2 +-
 drivers/message/i2o/i2o_proc.c                     |   16 ++++++++--------
 drivers/mfd/max8925-i2c.c                          |    2 +-
 drivers/mfd/tps65910.c                             |    2 +-
 drivers/mtd/chips/cfi_cmdset_0020.c                |    2 +-
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c    |    2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c   |    2 +-
 drivers/net/wireless/airo.c                        |    2 +-
 drivers/net/wireless/b43/phy_lp.c                  |    2 +-
 drivers/nfc/nfcwilink.c                            |    2 +-
 drivers/oprofile/oprofilefs.c                      |    4 ++--
 drivers/platform/x86/msi-wmi.c                     |    2 +-
 drivers/scsi/aic7xxx/aic79xx_pci.c                 |   18 +++++-------------
 drivers/scsi/mpt2sas/mpt2sas_scsih.c               |    8 ++++----
 drivers/usb/serial/console.c                       |    2 +-
 include/linux/filter.h                             |    4 ----
 kernel/audit.c                                     |    2 +-
 20 files changed, 41 insertions(+), 45 deletions(-)

commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:15:51 2013 -0500

    GRKERNSEC_HARDEN_IPC should depend on SYSVIPC

 grsecurity/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 19:07:11 2013 -0500

    Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS
    and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps
    make it more obvious that while we make use of domains, CPU_USE_DOMAINS is
    disabled as far as the kernel knows

 arch/arm/mm/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 19:01:59 2013 -0500

    Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research
    on overly-permissive shared memory found in hundreds of areas in Linux
    distros:
    http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
    
    Will let this sit in -test for a while to weed out any app incompatibilities

 grsecurity/Kconfig         |   17 +++++++++++++++++
 grsecurity/Makefile        |    2 +-
 grsecurity/grsec_init.c    |    4 ++++
 grsecurity/grsec_ipc.c     |   22 ++++++++++++++++++++++
 grsecurity/grsec_sysctl.c  |    9 +++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grmsg.h      |    1 +
 ipc/util.c                 |    5 +++++
 8 files changed, 60 insertions(+), 1 deletions(-)

commit 27c3b43bd5ad9c9b877016f26192dbc30da54018
Merge: 08e883f d0a09ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 13 22:27:13 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit d0a09ad6430008135b98da6e1941e98a6110b59e
Merge: 4e826ac 02709ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 13 22:27:03 2013 -0500

    Merge branch 'linux-3.11.y' into pax-test

commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 11 10:48:10 2013 -0500

    Fix the overflowable range check just to be correct.
    Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt
    but I believe this to be unexploitable due to bounds checks on 'count'
    from rw_verify_area() in fs/read_write.c

 drivers/video/arcfb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 094c08532f9877a287ffac7a87b05841a56b4e5d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 22:01:33 2013 -0500

    Add missing include

 fs/proc/proc_sysctl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e383790f8252620f52895e202cc057c4318da3f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 17:50:12 2013 -0500

    add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS
    option: GRKERNSEC_OLD_ARM_USERLAND

 arch/arm/mm/Kconfig |    2 +-
 grsecurity/Kconfig  |   14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletions(-)

commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 15:19:27 2013 -0500

    On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr
    was disabled in config.  This caused non-root execs to fail in some cases (via SIGKILL during ELF
    loading).  Fix this by setting a proper default on these architectures like set on the LSM-based
    mmap_min_addr.
    
    Thanks to acez from IRC for debugging.

 mm/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 17f832897194f46c4759aa02e048ad5623a04eed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 13:54:25 2013 -0500

    Compatibility fix for LXC:
    Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values,
    use a CAP_NET_ADMIN check within the user namespace of the process performing the modification
    CAP_SYS_ADMIN is still required for any other sysctl modification, including modification
    of sysctls of a net namespace other than our own
    
    This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
    networking
    
    Thanks to ncopa from IRC for testing

 fs/proc/proc_sysctl.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20
Merge: fb281bd 4e826ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 17:27:16 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        net/l2tp/l2tp_core.c

commit 4e826ac763867707352d93b7d23ed86e4c6829cf
Merge: e309bfb 39773be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 17:26:23 2013 -0500

    Merge branch 'linux-3.11.y' into pax-test
    
    Conflicts:
        net/compat.c

commit fb281bdee5ccb76facfe1172318a867b624011f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:23:36 2013 -0500

    Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
    
    Conflicts:
    
        security/Kconfig

 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:19:21 2013 -0500

    change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel
    bruteforce deterrence
    
    Conflicts:
    
        lib/list_debug.c

 lib/list_debug.c |   65 ++++++++++++++++++++++++++++++++++-------------------
 1 files changed, 42 insertions(+), 23 deletions(-)

commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 23:01:43 2013 +0300

    Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427
    
    Staging: sb105x: info leak in mp_get_count()
    
    The icount.reserved[] array isn't initialized so it leaks stack
    information to userspace.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/staging/sb105x/sb_pci_mp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 22:06:04 2013 +0300

    Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b
    
    uml: check length in exitcode_proc_write()
    
    We don't cap the size of buffer from the user so we could write past the
    end of the array here.  Only root can write to this file.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/um/kernel/exitcode.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 1285d10ec38f216f3c5de7ce085ce43447c78916
Author: Jason Wang <jasowang@redhat.com>
Date:   Fri Nov 1 15:01:10 2013 +0800

    Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd
    
    net: flow_dissector: fail on evil iph->ihl
    
    We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
    skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
    is evil (less than 5).
    
    This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
    (rps: support IPIP encapsulation).
    
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: Petr Matousek <pmatouse@redhat.com>
    Cc: Michael S. Tsirkin <mst@redhat.com>
    Cc: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/flow_dissector.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc
Author: Ming Lei <ming.lei@canonical.com>
Date:   Thu Oct 31 16:34:17 2013 -0700

    Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75
    
    lib/scatterlist.c: don't flush_kernel_dcache_page on slab page
    
    Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper
    functions") introduces two sg buffer copy helpers, and calls
    flush_kernel_dcache_page() on pages in SG list after these pages are
    written to.
    
    Unfortunately, the commit may introduce a potential bug:
    
     - Before sending some SCSI commands, kmalloc() buffer may be passed to
       block layper, so flush_kernel_dcache_page() can see a slab page
       finally
    
     - According to cachetlb.txt, flush_kernel_dcache_page() is only called
       on "a user page", which surely can't be a slab page.
    
     - ARCH's implementation of flush_kernel_dcache_page() may use page
       mapping information to do optimization so page_mapping() will see the
       slab page, then VM_BUG_ON() is triggered.
    
    Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled,
    and this patch fixes the bug by adding test of '!PageSlab(miter->page)'
    before calling flush_kernel_dcache_page().
    
    Signed-off-by: Ming Lei <ming.lei@canonical.com>
    Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
    Tested-by: Simon Baatz <gmbnomis@gmail.com>
    Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: <stable@vger.kernel.org>        [3.2+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/scatterlist.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 23:01:11 2013 +0300

    Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba
    
    Staging: bcm: info leak in ioctl
    
    The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel
    information to user space.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/staging/bcm/Bcmchar.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a2ab9d69265a08280241a2f2152e535316d02f53
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 22:11:06 2013 +0300

    Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5
    
    aacraid: missing capable() check in compat ioctl
    
    In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we
    added a check on CAP_SYS_RAWIO to the ioctl.  The compat ioctls need the
    check as well.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/scsi/aacraid/linit.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 23:00:15 2013 +0300

    Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054
    
    staging: wlags49_h2: buffer overflow setting station name
    
    We need to check the length parameter before doing the memcpy().  I've
    actually changed it to strlcpy() as well so that it's NUL terminated.
    
    You need CAP_NET_ADMIN to trigger these so it's not the end of the
    world.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/staging/wlags49_h2/wl_priv.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

commit afd645c1684265260b64ec8189cbc2703b91f6ab
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 22:07:47 2013 +0300

    Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15
    
    staging: ozwpan: prevent overflow in oz_cdev_write()
    
    We need to check "count" so we don't overflow the ei->data buffer.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/staging/ozwpan/ozcdev.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 4a907baeb462b7e0f50923be5a9d842aec93c97a
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue Oct 29 10:21:34 2013 -0700

    Fixed a little differently than Linus...
    
    Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
    
    Fix a few incorrectly checked [io_]remap_pfn_range() calls
    
    Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
    really should use the vm_iomap_memory() helper.  This trivially converts
    two of them to the helper, and comments about why the third one really
    needs to continue to use remap_pfn_range(), and adds the missing size
    check.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
    
    Conflicts:
    
        drivers/uio/uio.c

 drivers/uio/uio.c        |   19 +++++++++++++++++--
 drivers/video/au1100fb.c |   26 +-------------------------
 drivers/video/au1200fb.c |   23 +----------------------
 3 files changed, 19 insertions(+), 49 deletions(-)

commit e68e94ddd03cf81d875b30a5e7b0e1bb4682e61f
Merge: 0970b16 e309bfb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 15:17:05 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e309bfbf7b506b2294b30233f7a3299173a75cf7
Author: Hugh Dickins <hughd@google.com>
Date:   Wed Oct 16 13:47:09 2013 -0700

    Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779
    
    mm: revert mremap pud_free anti-fix
    
    Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail
    calling pmd_alloc()").
    
    The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map()
    ensure that the pud, pmd, pt is already allocated, and seldom do they
    need to allocate; on failure, upper levels are freed if appropriate by
    the subsequent do_munmap().  Whereas commit 1ecfd533f4c5 did an
    unconditional pud_free() of a most-likely still-in-use pud: saved only
    by the near-impossiblity of pmd_alloc() failing.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mremap.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 0970b16a9df08b8cca6929b6443f67df432ac3e5
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Oct 1 21:04:11 2013 -0700

    Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693
    
    net: do not call sock_put() on TIMEWAIT sockets
    
    commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
    hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
    
    We should instead use inet_twsk_put()
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/inet_hashtables.c  |    2 +-
 net/ipv6/inet6_hashtables.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28
Author: Andi Kleen <ak@linux.intel.com>
Date:   Mon Sep 30 13:29:08 2013 -0700

    Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645
    
    igb: Avoid uninitialized advertised variable in eee_set_cur
    
    eee_get_cur assumes that the output data is already zeroed. It can
    read-modify-write the advertised field:
    
                  if (ipcnfg & E1000_IPCNFG_EEE_100M_AN)
    2594                        edata->advertised |= ADVERTISED_100baseT_Full;
    
    This is ok for the normal ethtool eee_get call, which always
    zeroes the input data before.
    
    But eee_set_cur also calls eee_get_cur and it did not zero the input
    field. Later on it then compares agsinst the field, which can contain partial
    stack garbage.
    
    Zero the input field in eee_set_cur() too.
    
    Cc: jeffrey.t.kirsher@intel.com
    Cc: netdev@vger.kernel.org
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/intel/igb/igb_ethtool.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 651730a8caabce37f78d8e6c84283b96e434d19f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Oct 3 00:27:20 2013 +0300

    Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8
    
    net: heap overflow in __audit_sockaddr()
    
    We need to cap ->msg_namelen or it leads to a buffer overflow when we
    to the memcpy() in __audit_sockaddr().  It requires CAP_AUDIT_CONTROL to
    exploit this bug.
    
    The call tree is:
    ___sys_recvmsg()
      move_addr_to_user()
        audit_sockaddr()
          __audit_sockaddr()
    
    Reported-by: Jüri Aedla <juri.aedla@gmail.com>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/compat.c

 net/compat.c |    2 ++
 net/socket.c |   24 ++++++++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc
Author: Salva Peiró <speiro@ai2.upv.es>
Date:   Wed Oct 16 12:46:50 2013 +0200

    Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1
    
    wanxl: fix info leak in ioctl
    
    The wanxl_ioctl() code fails to initialize the two padding bytes of
    struct sync_serial_settings after the ->loopback member. Add an explicit
    memset(0) before filling the structure to avoid the info leak.
    
    Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/wanxl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f
Author: Geyslan G. Bem <geyslan@gmail.com>
Date:   Fri Oct 11 16:49:16 2013 -0300

    Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4
    
    ecryptfs: Fix memory leakage in keystore.c
    
    In 'decrypt_pki_encrypted_session_key' function:
    
    Initializes 'payload' pointer and releases it on exit.
    
    Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: stable@vger.kernel.org # v2.6.28+

 fs/ecryptfs/keystore.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 0ccb7b191245318a36bbd1f59a1846dda72cb738
Author: Colin Ian King <colin.king@canonical.com>
Date:   Thu Oct 24 14:08:07 2013 +0000

    Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e
    
    eCryptfs: fix 32 bit corruption issue
    
    Shifting page->index on 32 bit systems was overflowing, causing
    data corruption of > 4GB files. Fix this by casting it first.
    
    https://launchpad.net/bugs/1243636
    
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Reported-by: Lars Duesing <lars.duesing@camelotsweb.de>
    Cc: stable@vger.kernel.org # v3.11+
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

 fs/ecryptfs/crypto.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 13:29:49 2013 -0400

    This is a replacement patch only for stable which does fix the problems
    handled by the following two commits in -net:
    
    "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
    "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
    
    Three frames are written on a corked udp socket for which the output
    netdevice has UFO enabled.  If the first and third frame are smaller than
    the mtu and the second one is bigger, we enqueue the second frame with
    skb_append_datato_frags without initializing the gso fields. This leads
    to the third frame appended regulary and thus constructing an invalid skb.
    
    This fixes the problem by always using skb_append_datato_frags as soon
    as the first frag got enqueued to the skb without marking the packet
    as SKB_GSO_UDP.
    
    The problem with only two frames for ipv6 was fixed by "ipv6: udp
    packets following an UFO enqueued packet need also be handled by UFO"
    (2811ebac2521ceac84f2bdae402455baa6a7fb47).
    
    Cc: Jiri Pirko <jiri@resnulli.us>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: David Miller <davem@davemloft.net>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>

 include/linux/skbuff.h |    5 +++++
 net/ipv4/ip_output.c   |    2 +-
 net/ipv6/ip6_output.c  |    2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

commit aead8ff29424c6a5d25eb4614be91a01f9f6af00
Merge: 5cf8361 ddadc82
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Oct 26 08:42:26 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Oct 26 08:41:24 2013 -0400

    - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs <timo.teras@iki.f> and Natanael Copa <ncopa@alpinelinux.org> (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e)
    - updated config help for latent entropy to reflect recent changes

 arch/x86/include/asm/uaccess_64.h |    4 ++--
 security/Kconfig                  |    6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad
Author: Johannes Weiner <hannes@cmpxchg.org>
Date:   Wed Oct 16 13:47:00 2013 -0700

    Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc
    
    fs: buffer: move allocation failure loop into the allocator
    
    Buffer allocation has a very crude indefinite loop around waking the
    flusher threads and performing global NOFS direct reclaim because it can
    not handle allocation failures.
    
    The most immediate problem with this is that the allocation may fail due
    to a memory cgroup limit, where flushers + direct reclaim might not make
    any progress towards resolving the situation at all.  Because unlike the
    global case, a memory cgroup may not have any cache at all, only
    anonymous pages but no swap.  This situation will lead to a reclaim
    livelock with insane IO from waking the flushers and thrashing unrelated
    filesystem cache in a tight loop.
    
    Use __GFP_NOFAIL allocations for buffers for now.  This makes sure that
    any looping happens in the page allocator, which knows how to
    orchestrate kswapd, direct reclaim, and the flushers sensibly.  It also
    allows memory cgroups to detect allocations that can't handle failure
    and will allow them to ultimately bypass the limit if reclaim can not
    make progress.
    
    Reported-by: azurIt <azurit@pobox.sk>
    Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Michal Hocko <mhocko@suse.cz>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/buffer.c     |   14 ++++++++++++--
 mm/memcontrol.c |    2 ++
 2 files changed, 14 insertions(+), 2 deletions(-)

commit 799326c8683d8d70b2035b1e5ab913c159112b6b
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Oct 10 16:48:19 2013 +0200

    Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06
    
    ext[34]: fix double put in tmpfile
    
    d_tmpfile() already swallowed the inode ref.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/ext3/namei.c |    5 ++---
 fs/ext4/namei.c |    5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3
Author: Jan Klos <honza.klos@gmail.com>
Date:   Sun Oct 6 21:08:20 2013 +0200

    Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20
    
    cifs: Fix inability to write files >2GB to SMB2/3 shares
    
    When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super().
    
    The patch fixes this by checking for the correct bit according to the protocol version.
    
    CC: Stable <stable@kernel.org>
    Signed-off-by: Jan Klos <honza.klos@gmail.com>
    Reviewed-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Steve French <smfrench@gmail.com>

 fs/cifs/cifsfs.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22
Author: Tim Gardner <tim.gardner@canonical.com>
Date:   Sun Oct 13 13:29:03 2013 -0600

    Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a
    
    cifs: ntstatus_to_dos_map[] is not terminated
    
    Functions that walk the ntstatus_to_dos_map[] array could
    run off the end. For example, ntstatus_to_dos() loops
    while ntstatus_to_dos_map[].ntstatus is not 0. Granted,
    this is mostly theoretical, but could be used as a DOS attack
    if the error code in the SMB header is bogus.
    
    [Might consider adding to stable, as this patch is low risk - Steve]
    
    Reviewed-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
    Signed-off-by: Steve French <smfrench@gmail.com>

 fs/cifs/netmisc.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit ed8c09a96fa260e1864c632e1dd91b1320876305
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Oct 15 11:54:30 2013 -0700

    Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9
    
    tcp: must unclone packets before mangling them
    
    TCP stack should make sure it owns skbs before mangling them.
    
    We had various crashes using bnx2x, and it turned out gso_size
    was cleared right before bnx2x driver was populating TC descriptor
    of the _previous_ packet send. TCP stack can sometime retransmit
    packets that are still in Qdisc.
    
    Of course we could make bnx2x driver more robust (using
    ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack.
    
    We have identified two points where skb_unclone() was needed.
    
    This patch adds a WARN_ON_ONCE() to warn us if we missed another
    fix of this kind.
    
    Kudos to Neal for finding the root cause of this bug. Its visible
    using small MSS.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Neal Cardwell <ncardwell@google.com>
    Cc: Yuchung Cheng <ycheng@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_output.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

commit e5dcf1772ca2a85952da10a21d0650507dc061d3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Oct 14 15:28:38 2013 +0300

    Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5
    
    yam: integer underflow in yam_ioctl()
    
    We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be
    negative.  I don't know the impact of using a negative bitrate but let's
    prevent it.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/yam.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1f5d72d633f317248bba25158c326a61394aebf2
Merge: 7ca4328 4df1b96
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 18 19:36:17 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        ipc/shm.c

commit 4df1b965687831808af2548487e0f35a2ccc5c29
Merge: e41125e 5070441
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 18 19:35:31 2013 -0400

    Merge branch 'linux-3.11.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/setup.c

commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:35:00 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: Evgeniy Polyakov <zbr@ioremap.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
    Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length
    
    The current code tests the length of the whole netlink message to be
    at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
    the length of the netlink message header. Use nlmsg_len() instead to
    fix this "off-by-NLMSG_HDRLEN" size check.
    
    Cc: stable@vger.kernel.org  # v2.6.14+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 drivers/connector/connector.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:36:25 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: linux-audit@redhat.com
    Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
    Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests
    
    We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
    we miss to initialize the mask member of status_set. Fix that.
    
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: stable@vger.kernel.org  # v2.6.6+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 kernel/audit.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9557a8727fd46e68f092dec0830a982e85b231f7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 19:02:32 2013 -0400

    add 2nd chunk of audit nlmsg_len() fix from minipli

 kernel/audit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:37:59 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: linux-audit@redhat.com
    Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
    Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length
    
    Using the nlmsg_len member of the netlink header to test if the message
    is valid is wrong as it includes the size of the netlink header itself.
    Thereby allowing to send short netlink messages that pass those checks.
    
    Use nlmsg_len() instead to test for the right message length. The result
    of nlmsg_len() is guaranteed to be non-negative as the netlink message
    already passed the checks of nlmsg_ok().
    
    Also switch to min_t() to please checkpatch.pl.
    
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: stable@vger.kernel.org  # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd

 kernel/audit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7547b29750381c776dfd47f4b1277a492d5b0f72
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:41:01 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: netfilter-devel@vger.kernel.org
    Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
            <kadlec@blackhole.kfki.hu>, Bart De Schuymer <bart.de.schuymer@pandora.be>
    Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks
    
    The ulog messages leak heap bytes by the means of padding bytes and
    incompletely filled string arrays. Fix those by memset(0)'ing the
    whole struct before filling it.
    
    Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    Conflicts:
    
        net/bridge/netfilter/ebt_ulog.c

 net/bridge/netfilter/ebt_ulog.c |    9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:43:01 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: netfilter-devel@vger.kernel.org
    Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
            <kadlec@blackhole.kfki.hu>
    Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks
    
    The ulog messages leak heap bytes by the means of padding bytes and
    incompletely filled string arrays. Fix those by memset(0)'ing the
    whole struct before filling it.
    
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    Conflicts:
    
        net/ipv4/netfilter/ipt_ULOG.c

 net/ipv4/netfilter/ipt_ULOG.c |    7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 2965f6e6122325a18e69296ad3817c66ca59b7e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:49:45 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
    Subject: [PATCH net] unix_diag: fix info leak
    
    When filling the netlink message we miss to wipe the pad field,
    therefore leak one byte of heap memory to userland. Fix this by
    setting pad to 0.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/unix/diag.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc
Author: Mathias Krause <minipli@googlemail.com>
Date:   Mon Sep 30 22:03:06 2013 +0200

    Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682
    
    proc connector: fix info leaks
    
    Initialize event_data for all possible message types to prevent leaking
    kernel stack contents to userland (up to 20 bytes). Also set the flags
    member of the connector message to 0 to prevent leaking two more stack
    bytes this way.
    
    Cc: stable@vger.kernel.org  # v2.6.15+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/connector/cn_proc.c |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04
Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date:   Wed Oct 9 15:58:29 2013 +0100

    Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a
    
    ARM: 7851/1: check for number of arguments in syscall_get/set_arguments()
    
    In ftrace_syscall_enter(),
        syscall_get_arguments(..., 0, n, ...)
            if (i == 0) { <handle ORIG_r0> ...; n--;}
            memcpy(..., n * sizeof(args[0]));
    If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in
    syscall_get_arguments(), none of arguments should be copied by memcpy().
    Otherwise 'n--' can be a big positive number and unexpected amount of data
    will be copied. Tracing system calls which take no argument, say sync(void),
    may hit this case and eventually make the system corrupted.
    This patch fixes the issue both in syscall_get_arguments() and
    syscall_set_arguments().
    
    Cc: <stable@vger.kernel.org>
    Acked-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/include/asm/syscall.h |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2
Author: Dave Jones <davej@redhat.com>
Date:   Thu Oct 10 20:05:35 2013 -0400

    Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc
    
    ext4: fix memory leak in xattr
    
    If we take the 2nd retry path in ext4_expand_extra_isize_ea, we
    potentionally return from the function without having freed these
    allocations.  If we don't do the return, we over-write the previous
    allocation pointers, so we leak either way.
    
    Spotted with Coverity.
    
    [ Fixed by tytso to set is and bs to NULL after freeing these
      pointers, in case in the retry loop we later end up triggering an
      error causing a jump to cleanup, at which point we could have a double
      free bug. -- Ted ]
    
    Signed-off-by: Dave Jones <davej@fedoraproject.org>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Reviewed-by: Eric Sandeen <sandeen@redhat.com>
    Cc: stable@vger.kernel.org

 fs/ext4/xattr.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 224e55268fbd4f81fca479e315c9483df591411d
Author: Salva Peiró <speiro@ai2.upv.es>
Date:   Fri Oct 11 12:50:03 2013 +0300

    Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194
    
    farsync: fix info leak in ioctl
    
    The fst_get_iface() code fails to initialize the two padding bytes of
    struct sync_serial_settings after the ->loopback member. Add an explicit
    memset(0) before filling the structure to avoid the info leak.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/farsync.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9
Author: James Hogan <james.hogan@imgtec.com>
Date:   Mon Oct 7 12:14:26 2013 +0100

    Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92
    
    MIPS: stack protector: Fix per-task canary switch
    
    Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary
    per task) was merged in v3.11 and introduced assembly in the MIPS resume
    functions to update the value of the current canary in
    __stack_chk_guard. However it used PTR_L resulting in a load of the
    canary value, instead of PTR_LA to construct its address. The value is
    intended to be random but is then treated as an address in the
    subsequent LONG_S (store).
    
    This was observed to cause a fault and panic:
    
    CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4
    Oops[#1]:
    ...
    $24   : 139fea20 1e1f7cb6
    ...
    Call Trace:
    [<8000cc0c>] resume+0xac/0x118
    [<8034f2a4>] __schedule+0x5f8/0x78c
    [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c
    [<80348eec>] rest_init+0x74/0x84
    [<804dc990>] start_kernel+0x43c/0x454
    Code: 3c18804b  8f184030  8cb901f8 <af190000> 00c0e021  8cb002f0 8cb102f4  8cb202f8  8cb302fc
    
    This can also be forced by modifying
    arch/mips/include/asm/stackprotector.h so that the default
    __stack_chk_guard value is more likely to be a bad (or unaligned)
    pointer.
    
    Fix it to use PTR_LA instead, to load the address of the canary value,
    which the LONG_S can then use to write into it.
    
    Reported-by: bobjones (via #mipslinux on IRC)
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Gregory Fong <gregory.0xf0@gmail.com>
    Cc: linux-mips@linux-mips.org
    Cc: stable@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/6026/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

 arch/mips/kernel/octeon_switch.S |    2 +-
 arch/mips/kernel/r2300_switch.S  |    2 +-
 arch/mips/kernel/r4k_switch.S    |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c
Author: Fan Du <fan.du@windriver.com>
Date:   Tue Sep 17 15:14:13 2013 +0800

    Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda
    
    xfrm: Guard IPsec anti replay window against replay bitmap
    
    For legacy IPsec anti replay mechanism:
    
    bitmap in struct xfrm_replay_state could only provide a 32 bits
    window size limit in current design, thus user level parameter
    sadb_sa_replay should honor this limit, otherwise misleading
    outputs("replay=244") by setkey -D will be:
    
    192.168.25.2 192.168.22.2
        esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
        E: aes-cbc  9a8d7468 7655cf0b 719d27be b0ddaac2
        A: hmac-sha1  2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
        seq=0x00000000 replay=244 flags=0x00000000 state=mature
        created: Sep 17 14:00:00 2013   current: Sep 17 14:00:22 2013
        diff: 22(s)     hard: 30(s)     soft: 26(s)
        last: Sep 17 14:00:00 2013      hard: 0(s)      soft: 0(s)
        current: 1408(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 22   hard: 0 soft: 0
        sadb_seq=1 pid=4854 refcnt=0
    192.168.22.2 192.168.25.2
        esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
        E: aes-cbc  6485d990 f61a6bd5 e5660252 608ad282
        A: hmac-sha1  0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
        seq=0x00000000 replay=244 flags=0x00000000 state=mature
        created: Sep 17 14:00:00 2013   current: Sep 17 14:00:22 2013
        diff: 22(s)     hard: 30(s)     soft: 26(s)
        last: Sep 17 14:00:00 2013      hard: 0(s)      soft: 0(s)
        current: 1408(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 22   hard: 0 soft: 0
        sadb_seq=0 pid=4854 refcnt=0
    
    And also, optimizing xfrm_replay_check window checking by setting the
    desirable x->props.replay_window with only doing the comparison once
    for all when xfrm_state is first born.
    
    Signed-off-by: Fan Du <fan.du@windriver.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/key/af_key.c       |    3 ++-
 net/xfrm/xfrm_replay.c |    3 +--
 net/xfrm/xfrm_user.c   |    3 ++-
 3 files changed, 5 insertions(+), 4 deletions(-)

commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541
Author: Thomas Egerer <thomas.egerer@secunet.com>
Date:   Thu Sep 19 13:19:19 2013 +0200

    Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c
    
    xfrm: Fix aevent generation for each received packet
    
    If asynchronous events are enabled for a particular netlink socket,
    the notify function is called by the advance function. The notify
    function creates and dispatches a km_event if a replay timeout occurred,
    or at least replay_maxdiff packets have been received since the last
    asynchronous event has been sent. The function is supposed to return if
    neither of the two events were detected for a state, or replay_maxdiff
    is equal to zero.
    Replay_maxdiff is initialized in xfrm_state_construct to the value of
    the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state
    if the netlink attribute XFRMA_REPLAY_THRESH is set.
    If, however, replay_maxdiff is set to zero, then all of the three notify
    implementations perform a break from the switch statement instead of
    checking whether a timeout occurred, and -- if not -- return.  As a
    result an asynchronous event is generated for every replay update of a
    state that has a zero replay_maxdiff value.
    This patch modifies the notify functions such that they immediately
    return if replay_maxdiff has the value zero, unless a timeout occurred.
    
    Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/xfrm/xfrm_replay.c |   51 +++++++++++++++++++++++++----------------------
 1 files changed, 27 insertions(+), 24 deletions(-)

commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date:   Tue Oct 8 10:49:45 2013 +0200

    Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee
    
    xfrm: Add refcount handling to queued policies
    
    We need to ensure that policies can't go away as long as the hold timer
    is armed, so take a refcont when we arm the timer and drop one if we
    delete it.
    
    Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
    resolution packet queue")
    
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/xfrm/xfrm_policy.c |   24 +++++++++++++++++-------
 1 files changed, 17 insertions(+), 7 deletions(-)

commit b4948dc963442682534b3a039664b564c764e4f8
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date:   Tue Oct 8 10:49:51 2013 +0200

    Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0
    
    xfrm: check for a vaild skb in xfrm_policy_queue_process
    
    We might dreference a NULL pointer if the hold_queue is empty,
    so add a check to avoid this.
    
    Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
    resolution packet queue")
    
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/xfrm/xfrm_policy.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit fad7f264b264b0b17a307aa16162cb43c7688a30
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date:   Mon Oct 7 23:19:58 2013 +0200

    Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89
    
    net: vlan: fix nlmsg size calculation in vlan_get_size()
    
    This patch fixes the calculation of the nlmsg size, by adding the missing
    nla_total_size().
    
    Cc: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/8021q/vlan_netlink.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd
Author: François Cachereul <f.cachereul@alphalink.fr>
Date:   Wed Oct 2 10:16:02 2013 +0200

    Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c
    
    l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
    
    IPv4 mapped addresses cause kernel panic.
    The patch juste check whether the IPv6 address is an IPv4 mapped
    address. If so, use IPv4 API instead of IPv6.
    
    [  940.026915] general protection fault: 0000 [#1]
    [  940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
    [  940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
    [  940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [  940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000
    [  940.026915] RIP: 0010:[<ffffffff81333780>]  [<ffffffff81333780>] ip6_xmit+0x276/0x326
    [  940.026915] RSP: 0018:ffff88000737fd28  EFLAGS: 00010286
    [  940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000
    [  940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40
    [  940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90
    [  940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0
    [  940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580
    [  940.026915] FS:  00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000
    [  940.026915] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0
    [  940.026915] Stack:
    [  940.026915]  ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
    [  940.026915]  11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
    [  940.026915]  ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
    [  940.026915] Call Trace:
    [  940.026915]  [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4
    [  940.026915]  [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
    [  940.026915]  [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214
    [  940.026915]  [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
    [  940.026915]  [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic]
    [  940.026915]  [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic]
    [  940.026915]  [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106
    [  940.026915]  [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a
    [  940.026915]  [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b
    [  940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
    8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
    00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
    [  940.026915] RIP  [<ffffffff81333780>] ip6_xmit+0x276/0x326
    [  940.026915]  RSP <ffff88000737fd28>
    [  940.057945] ---[ end trace be8aba9a61c8b7f3 ]---
    [  940.058583] Kernel panic - not syncing: Fatal exception in interrupt
    
    Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_core.c |   27 +++++++++++++++++++++++----
 net/l2tp/l2tp_core.h |    3 +++
 2 files changed, 26 insertions(+), 4 deletions(-)

commit 2db6fe58460d400bc8b995fa2328be03e27e55e1
Merge: 28f9622 e41125e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Oct 15 10:00:52 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/kernel/ds.c
        net/sysctl_net.c

commit e41125e4742f332cd8cd8cf0c00cb189dba0e037
Merge: 740e5ec a145cb9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Oct 15 09:58:29 2013 -0400

    Merge branch 'linux-3.11.y' into pax-test

commit 28f9622091224541efadf3ae006f0e5651c7fa45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Oct 1 22:48:34 2013 -0400

    Fix this strlcpy crap properly

 arch/sparc/kernel/ds.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

commit 837193210e4125fe4e9e554b28d7bc33985f3554
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Sep 27 13:46:04 2013 -0700

    Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355
    
    sparc64: Fix buggy strlcpy() conversion in ldom_reboot().
    
    Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using
    strlcpy() instead of strcpy()") added a bug to ldom_reboot in
    arch/sparc/kernel/ds.c
    
    -           strcpy(full_boot_str + strlen("boot "), boot_command);
    +                                strlcpy(full_boot_str + strlen("boot "), boot_command,
    +                                                        sizeof(full_boot_str + strlen("boot ")));
    
    That last sizeof() expression evaluates to sizeof(size_t) which is
    not what was intended.
    
    Also even the corrected:
    
         sizeof(full_boot_str) + strlen("boot ")
    
    is not right as the destination buffer length is just plain
    "sizeof(full_boot_str)" and that's what the final argument
    should be.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/ds.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Sun Sep 29 05:40:50 2013 +0200

    Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae
    
    ipv6: gre: correct calculation of max_headroom
    
    gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header,
    so initialize max_headroom to zero. Otherwise the
    
        if (encap_limit >= 0) {
                max_headroom += 8;
                mtu -= 8;
        }
    
    increments an uninitialized variable before max_headroom was reset.
    
    Found with coverity: 728539
    
    Cc: Dmitry Kozlov <xeb@mail.ru>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/ipv6/ip6_gre.c

 net/ipv6/ip6_gre.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 0d68ac550952d0eaf60851497ceee68dbba24516
Merge: 64257ad 740e5ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Oct 1 18:11:52 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/hid/hid-core.c
        drivers/hid/hid-lg2ff.c
        drivers/hid/hid-lg3ff.c
        drivers/hid/hid-lg4ff.c
        drivers/hid/hid-lgff.c
        drivers/hid/hid-logitech-dj.c
        drivers/hid/hid-steelseries.c
        drivers/hid/hid-zpff.c
        include/linux/hid.h

commit 740e5ec087969afd43ae0b552b4e05914437ed32
Merge: c38c6b0 db20388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Oct 1 17:40:46 2013 -0400

    Merge branch 'linux-3.11.y' into pax-test

commit 64257ad95c51285d415f93ebdd486fae6bb9415d
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Sat Sep 21 06:27:00 2013 +0200

    Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47
    
    ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
    
    In the following scenario the socket is corked:
    If the first UDP packet is larger then the mtu we try to append it to the
    write queue via ip6_ufo_append_data. A following packet, which is smaller
    than the mtu would be appended to the already queued up gso-skb via
    plain ip6_append_data. This causes random memory corruptions.
    
    In ip6_ufo_append_data we also have to be careful to not queue up the
    same skb multiple times. So setup the gso frame only when no first skb
    is available.
    
    This also fixes a shortcoming where we add the current packet's length to
    cork->length but return early because of a packet > mtu with dontfrag set
    (instead of sutracting it again).
    
    Found with trinity.
    
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |   53 ++++++++++++++++++++----------------------------
 1 files changed, 22 insertions(+), 31 deletions(-)

commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Sep 24 15:27:45 2013 -0700

    Just a whitespace fix to sync with upstream as we already applied this fix
    via Vasiliy Kulikov in 2010.  It fell through the cracks upstream
    
    cciss: fix info leak in cciss_ioctl32_passthru()
    
    The arg64 struct has a hole after ->buf_size which isn't cleared.  Or if
    any of the calls to copy_from_user() fail then that would cause an
    information leak as well.
    
    This was assigned CVE-2013-2147.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Mike Miller <mike.miller@hp.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        drivers/block/cciss.c

 drivers/block/cciss.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e
Author: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Date:   Tue Sep 24 18:29:11 2013 -0700

    Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b
    
    mm: Place preemption point in do_mlockall() loop
    
    There is a loop in do_mlockall() that lacks a preemption point, which
    means that the following can happen on non-preemptible builds of the
    kernel. Dave Jones reports:
    
     "My fuzz tester keeps hitting this.  Every instance shows the non-irq
      stack came in from mlockall.  I'm only seeing this on one box, but
      that has more ram (8gb) than my other machines, which might explain
      it.
    
        INFO: rcu_preempt self-detected stall on CPU { 3}  (t=6500 jiffies g=470344 c=470343 q=0)
        sending NMI to all CPUs:
        NMI backtrace for cpu 3
        CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32
        Call Trace:
          lru_add_drain_all+0x15/0x20
          SyS_mlockall+0xa5/0x1a0
          tracesys+0xdd/0xe2"
    
    This commit addresses this problem by inserting the required preemption
    point.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
    Cc: Michel Lespinasse <walken@google.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mlock.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 27 21:06:17 2013 -0400

    Don't log attempts to create a socket with a family that the kernel doesn't
    support
    Further, if the kernel doesn't support the socket family, instead of returning
    -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6
    sockets in RBAC policy despite a kernel that doesn't support ipv6
    observed during a Debian userland update necessitating a policy change

 grsecurity/gracl_ip.c |    7 +++----
 net/socket.c          |   26 +++++++++++++++-----------
 2 files changed, 18 insertions(+), 15 deletions(-)

commit 55f1e409275973513a3314fe5bfa76a4781c0db7
Merge: 2eac654 c38c6b0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 27 20:35:04 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/hid/hid-picolcd_core.c

commit c38c6b0bbbe53bd528aeeb4a059764abc028c276
Merge: 115bf6a a3308b5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 27 20:34:15 2013 -0400

    Merge branch 'linux-3.11.y' into pax-test
    
    Conflicts:
        arch/x86/ia32/ia32_signal.c
        arch/x86/include/asm/checksum_32.h
        arch/x86/include/asm/mmu_context.h
        arch/x86/kernel/signal.c
        arch/x86/lib/csum-wrappers_64.c
        include/linux/compat.h

commit 2eac65435fdffca548a56e5187840908438fc95c
Merge: ba0ebde 115bf6a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 26 20:00:00 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 115bf6af0083ea28c751d551a39cfdba1798e9dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 26 19:59:14 2013 -0400

    Update to pax-linux-3.11.1-test10.patch:
    - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine
    - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard
    - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040)
    - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released)
    - beefed up latent entropy extraction
      - latent_entropy itself will be initialized to a compile-time random value (instead of 0)
      - entropy will be collected from various irq and softirq handlers

 arch/arm/kernel/module.c          |    2 ++
 arch/arm/kernel/vmlinux.lds.S     |    2 +-
 block/blk-iopoll.c                |    2 +-
 block/blk-softirq.c               |    2 +-
 fs/binfmt_elf.c                   |    8 +++++---
 include/linux/genhd.h             |    2 +-
 include/linux/random.h            |    4 ++--
 kernel/hrtimer.c                  |    2 +-
 kernel/rcutiny.c                  |    2 +-
 kernel/rcutree.c                  |    2 +-
 kernel/sched/fair.c               |    2 +-
 kernel/softirq.c                  |    4 ++--
 kernel/timer.c                    |    2 +-
 lib/percpu-refcount.c             |    2 +-
 net/core/dev.c                    |    4 ++--
 tools/gcc/latent_entropy_plugin.c |    2 +-
 16 files changed, 24 insertions(+), 20 deletions(-)

commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 22 18:14:07 2013 -0400

    Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
    
    This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.

 net/netlink/genetlink.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35
Merge: f1e4228 90db383
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 18 17:34:37 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 90db383fd7d650172d52229b0116ad7604c9bec1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 18 17:32:42 2013 -0400

    Update to pax-linux-3.11.1-test9.patch:
    - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer
    - better implementation of __read_only for modules
    - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard

 arch/arm/kernel/entry-common.S            |   12 ++++++------
 arch/arm/mach-omap2/omap-mpuss-lowpower.c |    4 ++--
 arch/arm/mm/fault.c                       |   26 +++++++++++++++++++++++++-
 arch/x86/include/asm/cache.h              |    4 ----
 drivers/bus/arm-cci.c                     |    2 +-
 drivers/clk/socfpga/clk.c                 |    2 +-
 drivers/mmc/host/mmci.c                   |    4 +++-
 drivers/net/ethernet/chelsio/cxgb3/sge.c  |    2 +-
 include/linux/cache.h                     |    4 ++++
 net/netfilter/ipvs/ip_vs_lblc.c           |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c          |    2 +-
 scripts/module-common.lds                 |    4 ++++
 12 files changed, 49 insertions(+), 19 deletions(-)

commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 18 17:32:25 2013 -0400

    Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error"
    
    This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f.

 net/sctp/protocol.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f1e42285e17479067b6cbcffc43916720e6dedd3
Merge: 456ca17 5e30989
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 21:42:34 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 5e30989102e2d0df166ab6ff915b90f675f8786f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 21:41:44 2013 -0400

    mark sctp_af_inet forward declaration as __read_only to fix compile error

 net/sctp/protocol.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 456ca176141f10355c1569b29225c9ce4b7db18e
Merge: b406eac 5df8f36
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 20:02:05 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 20:01:38 2013 -0400

    Update to pax-linux-3.11.1-test7.patch:
    - fixed arm compile error, reported by Arnaud Ebalard
    - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743)
    - fixed od_ops constification, fixes cpufreq ondemand on AMD
    - latent entropy will now be gathered from module init code as well (i.e., at module load/init time)
    - __read_only will now be enforced in modules as well
    - removed unneccessary __read_only from ntfs

 arch/arm/lib/uaccess_with_memcpy.c |    2 +-
 arch/x86/include/asm/cache.h       |    4 ++++
 drivers/cpufreq/cpufreq_governor.h |    2 +-
 drivers/cpufreq/cpufreq_ondemand.c |    2 +-
 fs/ntfs/file.c                     |    4 ++--
 include/linux/init.h               |    5 -----
 include/net/xfrm.h                 |    5 ++++-
 init/main.c                        |    9 +++------
 mm/page_alloc.c                    |    1 +
 net/ipv4/xfrm4_policy.c            |    4 ++--
 net/ipv6/xfrm6_policy.c            |    4 ++--
 net/xfrm/xfrm_policy.c             |   11 ++---------
 12 files changed, 23 insertions(+), 30 deletions(-)

commit b406eac579bb3a5faa1c9d73b8af5530f942009a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 12:53:22 2013 -0400

    Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce
    
    author      Steffen Klassert <steffen.klassert@secunet.com> 2013-09-09 07:39:01 (GMT)
    committer    Steffen Klassert <steffen.klassert@secunet.com>        2013-09-16 07:39:37 (GMT)
    
    xfrm: Fix replay size checking on async events
    We pass the wrong netlink attribute to xfrm_replay_verify_len().
    It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as
    we currently doing. This causes memory corruptions if the
    replay esn attribute has incorrect length. Fix this by passing
    the right attribute to xfrm_replay_verify_len().
    
    Reported-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/xfrm/xfrm_user.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9
Merge: 84843a3 0a0ced6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 15 11:24:30 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/net/wireless/ath/ath10k/core.c
        drivers/net/wireless/ath/ath10k/htc.c

commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 15 11:21:43 2013 -0400

    Update to pax-linux-3.11.1-test6.patch:
    - forward port to 3.11.1
    - fixed some CONSTIFY fallout, reported by spender
    - fixed INVPCID on i386, reported by spender
    - simplified/consolidated the recent security_ops change

 arch/x86/include/asm/mmu_context.h         |    4 ++--
 arch/x86/include/asm/tlbflush.h            |    6 +++---
 arch/x86/kernel/cpu/perf_event_amd_iommu.c |    2 +-
 drivers/net/wireless/ath/ath10k/core.c     |    6 +++---
 drivers/net/wireless/ath/ath10k/htc.c      |    7 ++++---
 include/linux/security.h                   |    2 --
 security/security.c                        |    3 ---
 security/selinux/hooks.c                   |    5 +++--
 8 files changed, 16 insertions(+), 19 deletions(-)

commit 84843a394cde0578be728cb5fd34da9859dcf110
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 15 09:19:21 2013 -0400

    remove unnecessary check from when protocol was signed

 net/phonet/af_phonet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cc7c916cac4c2eb0ec243690627e2b6a13234fef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 15 08:53:27 2013 -0400

    resync with PaX

 security/selinux/hooks.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit fdeadf7ba061242685e07a2504c6be99161f292c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 23:04:53 2013 -0400

    Fix constification of ath10k_hif_cb struct located on stack

 drivers/net/wireless/ath/ath10k/hif.h |    1 +
 drivers/net/wireless/ath/ath10k/htc.c |    2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

commit 73c6875760e610cb636f86566a1be7a744d89b82
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 22:41:06 2013 -0400

    use a no_const typedef for ath10k_htc_ops, which is located on the stack

 drivers/net/wireless/ath/ath10k/core.c |    6 +++---
 drivers/net/wireless/ath/ath10k/htc.h  |    1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

commit bffb0279b95b717c739365a5a25ca0391e7479b1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 22:13:46 2013 -0400

    fix compilation error under constify

 drivers/net/wireless/ath/ath10k/core.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 1044c726fd98de89a711c6655f811600d4051e46
Merge: ffc8003 e39d12a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 21:57:25 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e39d12a3b877293ba677bf7642c8887144ae1576
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 21:56:56 2013 -0400

    Update to pax-linux-3.11-test5.patch:
    - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd)
    - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin

 mm/mremap.c                 |    5 ++++-
 tools/gcc/kernexec_plugin.c |    4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 21:48:03 2013 -0400

    fix compile error introduced by pipacs

 security/selinux/hooks.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 874e80f445b1325df45f04cc317f67587e241218
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 21:12:45 2013 -0400

    Fix invalid dependency causing warning:
    warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)

 lib/Kconfig.debug |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 19:53:56 2013 -0400

    change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs

 arch/x86/include/asm/tlbflush.h |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Sat Sep 7 16:44:59 2013 +0200

    Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95
    
    net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE
    
    If we do not add braces around ...
    
      mask |= POLLERR |
              sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
    
    ... then this condition always evaluates to true as POLLERR is
    defined as 8 and binary or'd with whatever result comes out of
    sock_flag(). Hence instead of (X | Y) ? A : B, transform it into
    X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix
    smatch warnings inside datagram_poll") forgot about SCTP. :-(
    
    Introduced by 7d4c04fc170 ("net: add option to enable error queue
    packets waking select").
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Jacob Keller <jacob.e.keller@intel.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Jacob Keller <jacob.e.keller@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Sep 11 18:09:48 2013 +0800

    Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0
    
    tuntap: correctly handle error in tun_set_iff()
    
    Commit c8d68e6be1c3b242f1c598595830890b65cea64a
    (tuntap: multiqueue support) only call free_netdev() on error in
    tun_set_iff(). This causes several issues:
    
    - memory of tun security were leaked
    - use after free since the flow gc timer was not deleted and the tfile
      were not detached
    
    This patch solves the above issues.
    
    Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
    Cc: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit b504140d8590bd67ed481ea84824a9846dde2d74
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Sun Sep 8 14:33:50 2013 +1000

    Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa
    
    crypto: api - Fix race condition in larval lookup
    
    crypto_larval_lookup should only return a larval if it created one.
    Any larval created by another entity must be processed through
    crypto_larval_wait before being returned.
    
    Otherwise this will lead to a larval being killed twice, which
    will most likely lead to a crash.
    
    Cc: stable@vger.kernel.org
    Reported-by: Kees Cook <keescook@chromium.org>
    Tested-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 crypto/api.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit f4212fa9ec1c34c59fabc43904e16112b776b6b2
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed Sep 11 16:58:36 2013 +0200

    Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7
    
    net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit
    
    Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not
    being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport
    does not seem to have the desired effect:
    
    SCTP + IPv4:
    
      22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
        192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
      22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
        192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):
    
    SCTP + IPv6:
    
      22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
        fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
        1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]
    
    Moreover, Alan says:
    
      This problem was seen with both Racoon and Racoon2. Other people have seen
      this with OpenSwan. When IPsec is configured to encrypt all upper layer
      protocols the SCTP connection does not initialize. After using Wireshark to
      follow packets, this is because the SCTP packet leaves Box A unencrypted and
      Box B believes all upper layer protocols are to be encrypted so it drops
      this packet, causing the SCTP connection to fail to initialize. When IPsec
      is configured to encrypt just SCTP, the SCTP packets are observed unencrypted.
    
    In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext"
    string on the other end, results in cleartext on the wire where SCTP eventually
    does not report any errors, thus in the latter case that Alan reports, the
    non-paranoid user might think he's communicating over an encrypted transport on
    SCTP although he's not (tcpdump ... -X):
    
      ...
      0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000  ]p.......}.l....
      0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000  ....plaintext...
    
    Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the
    receiver side. Initial follow-up analysis from Alan's bug report was done by
    Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this.
    
    SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit().
    This has the implication that it probably never really got updated along with
    changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers.
    
    SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since
    a call to inet6_csk_xmit() would solve this problem, but result in unecessary
    route lookups, let us just use the cached flowi6 instead that we got through
    sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(),
    we do the route lookup / flow caching in sctp_transport_route(), hold it in
    tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in
    sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect
    of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst()
    instead to get the correct source routed dst entry, which we assign to the skb.
    
    Also source address routing example from 625034113 ("sctp: fix sctp to work with
    ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095
    it is actually 'recommended' to not use that anyway due to traffic amplification [1].
    So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if
    we overwrite the flow destination here, the lower IPv6 layer will be unable to
    put the correct destination address into IP header, as routing header is added in
    ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside,
    result of this patch is that we do not have any XfrmInTmplMismatch increase plus on
    the wire with this patch it now looks like:
    
    SCTP + IPv6:
    
      08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba:
        AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72
      08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a:
        AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296
    
    This fixes Kernel Bugzilla 24412. This security issue seems to be present since
    2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have
    its fun with that. lksctp-tools IPv6 regression test suite passes as well with
    this patch.
    
     [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
    
    Reported-by: Alan Chester <alan.chester@tekelec.com>
    Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/ipv6.c |   42 +++++++++++++-----------------------------
 1 files changed, 13 insertions(+), 29 deletions(-)

commit 726915e42b1a23b88cd420029003d82208a30006
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Sep 13 14:52:04 2013 -0700

    Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7
    
    isdn: clean up debug format string usage
    
    Avoid unneeded local string buffers for constructing debug output.  Also
    cleans up debug calls that contain a single parameter so that they cannot
    be accidentally parsed as format strings.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Karsten Keil <isdn@linux-pingi.de>
    Cc: David Miller <davem@davemloft.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/hisax/amd7930_fn.c |    4 +-
 drivers/isdn/hisax/avm_pci.c    |    4 +-
 drivers/isdn/hisax/config.c     |    2 +-
 drivers/isdn/hisax/diva.c       |    4 +-
 drivers/isdn/hisax/elsa.c       |    2 +-
 drivers/isdn/hisax/elsa_ser.c   |    2 +-
 drivers/isdn/hisax/hfc_pci.c    |    2 +-
 drivers/isdn/hisax/hfc_sx.c     |    2 +-
 drivers/isdn/hisax/hscx_irq.c   |    4 +-
 drivers/isdn/hisax/icc.c        |    4 +-
 drivers/isdn/hisax/ipacx.c      |    8 +++---
 drivers/isdn/hisax/isac.c       |    4 +-
 drivers/isdn/hisax/isar.c       |    6 ++--
 drivers/isdn/hisax/jade.c       |   18 ++++----------
 drivers/isdn/hisax/jade_irq.c   |    4 +-
 drivers/isdn/hisax/l3_1tr6.c    |   50 ++++++++++++++-------------------------
 drivers/isdn/hisax/netjet.c     |    2 +-
 drivers/isdn/hisax/q931.c       |    6 ++--
 drivers/isdn/hisax/w6692.c      |    8 +++---
 19 files changed, 57 insertions(+), 79 deletions(-)

commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 19:16:48 2013 -0400

    Fix a bad git merge, re-applied a previously reverted patch

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit 5dea4b212b0405d6bcbea57516d77b21035d1178
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:56:37 2013 -0400

    finish porting namei.c

 fs/namei.c |   50 +++++++++++---------------------------------------
 1 files changed, 11 insertions(+), 39 deletions(-)

commit a7d5c5e2d0fd4831df19247e41c73c362809b00f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:44:08 2013 -0400

    cred->user -> current_user()

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit be3db5fa6532557384fb66d2d9297d77666912cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:36:24 2013 -0400

    Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit ce9afc12137b65991bfc7cce70e28d86bbb76956
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Sep 3 19:29:12 2013 +0200

    Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
    
    net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    
    In tcp_v6_do_rcv() code, when processing pkt options, we soley work
    on our skb clone opt_skb that we've created earlier before entering
    tcp_rcv_established() on our way. However, only in condition ...
    
      if (np->rxopt.bits.rxtclass)
        np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
    
    ... we work on skb itself. As we extract every other information out
    of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
    already be released by tcp_rcv_established() earlier on. When we try
    to access it in ipv6_hdr(), we will dereference freed skb.
    
    [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
      IP_PKTOPTIONS") ]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/ipv6/tcp_ipv6.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 84aa149aa0f178516f5784d028522d60d35696c9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:36:23 2013 -0400

    fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1145b56059535549be226da9891b56ab2d902b2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:17:02 2013 -0400

    Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_sysctl.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 18:41:49 2013 -0400

    Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
    
    Also eliminate reset_security_ops() as a ROP target when
    SECURITY_SELINUX_DISABLE is disabled as it's the only user
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig        |   17 ++++++++++++++++-
 grsecurity/grsec_init.c   |    3 +++
 grsecurity/grsec_sysctl.c |    2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)

commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 17:11:11 2013 -0400

    fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_sysctl.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 74dc00678ec84a254617b500a2880974dac95220
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:42:39 2013 -0400

    add export of gr_handle_new_usb()
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_usb.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 19:24:47 2013 -0400

    Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/usb/core/hub.c     |    5 +++++
 grsecurity/Kconfig         |   20 ++++++++++++++++++++
 grsecurity/Makefile        |    3 ++-
 grsecurity/grsec_init.c    |    1 +
 grsecurity/grsec_sysctl.c  |   11 +++++++++++
 grsecurity/grsec_usb.c     |   13 +++++++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grsecurity.h |    2 ++
 8 files changed, 55 insertions(+), 1 deletions(-)

commit 889852764d245f44e416da4eb203fda0bd327584
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:35:07 2013 -0700

    HID: zeroplus: validate output report details
    
    The zeroplus HID driver was not checking the size of allocated values
    in fields it used. A HID device could send a malicious output report
    that would cause the driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
    ...
    [ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2889
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-zpff.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit f30e932a87f25b53779d1f92b49923f8a2dc9834
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 14:36:15 2013 -0700

    HID: provide a helper for validating hid reports
    
    Many drivers need to validate the characteristics of their HID report
    during initialization to avoid misusing the reports. This adds a common
    helper to perform validation of the report, its field count, and the
    value count within the fields.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-core.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/hid.h    |    4 +++
 2 files changed, 54 insertions(+), 0 deletions(-)

commit f9eac59133855befee23d0c899e0d0e6ebcd3d44
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:14:34 2013 -0700

    HID: steelseries: validate output report details
    
    A HID device could send a malicious output report that would cause the
    steelseries HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
    ...
    [  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2891
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-steelseries.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 9f5ae466957014bc300929374ebb7afdd9d116d6
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 08:49:21 2013 -0700

    HID: pantherlord: validate output report details
    
    A HID device could send a malicious output report that would cause the
    pantherlord HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
    ...
    [  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2892
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-pl.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit b643b8f8af23488d92f16a817bf16c162d612ce1
Author: Kees Cook <keescook@chromium.org>
Date:   Tue Aug 13 16:49:01 2013 -0700

    HID: LG: validate HID output report details
    
    A HID device could send a malicious output report that would cause the
    lg, lg3, and lg4 HID drivers to write beyond the output report allocation
    during an event, causing a heap overflow:
    
    [  325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
    ...
    [  414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
    
    Additionally, while lg2 did correctly validate the report details, it was
    cleaned up and shortened.
    
    CVE-2013-2893
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-lg2ff.c |   19 +++----------------
 drivers/hid/hid-lg3ff.c |   29 ++++++-----------------------
 drivers/hid/hid-lg4ff.c |   20 +-------------------
 drivers/hid/hid-lgff.c  |   17 ++---------------
 4 files changed, 12 insertions(+), 73 deletions(-)

commit 975723a41239b1befae172e88082ff4422753508
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:21:23 2013 -0700

    HID: lenovo-tpkbd: validate output report details
    
    A HID device could send a malicious output report that would cause the
    lenovo-tpkbd HID driver to write just beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
    ...
    [   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2894
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-lenovo-tpkbd.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:45:03 2013 -0700

    HID: logitech-dj: validate output report details
    
    A HID device could send a malicious output report that would cause the
    logitech-dj HID driver to leak kernel memory contents to the device, or
    trigger a NULL dereference during initialization:
    
    [  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
    ...
    [  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
    [  304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
    
    CVE-2013-2895
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-logitech-dj.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit 05c3db7daee82d79c628c15b304f8621159e14f3
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:18:15 2013 -0700

    HID: ntrig: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    ntrig HID driver to trigger a NULL dereference during initialization:
    
    [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
    ...
    [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
    [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
    
    CVE-2013-2896
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-ntrig.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit a79f25f59fdd0abaf4ecfab93017aa49de089498
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:11:32 2013 -0700

    HID: multitouch: validate feature report details
    
    When working on report indexes, always validate that they are in bounds.
    Without this, a HID device could report a malicious feature report that
    could trick the driver into a heap overflow:
    
    [  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
    ...
    [  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2897
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-multitouch.c |   25 ++++++++++++++++++++-----
 1 files changed, 20 insertions(+), 5 deletions(-)

commit 6fe8eb06e432f165872d3486fdce0d09de1515b3
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:12:45 2013 -0700

    HID: sensor-hub: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    sensor-hub HID driver to read past the end of heap allocation, leaking
    kernel memory contents to the caller.
    
    CVE-2013-2898
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-sensor-hub.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:05:10 2013 -0700

    HID: picolcd_core: validate output report details
    
    A HID device could send a malicious output report that would cause the
    picolcd HID driver to trigger a NULL dereference during attr file writing.
    
    CVE-2013-2899
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-picolcd_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c147e32922dd91edf1969b8a6eb333aafb4abb79
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:09:54 2013 -0700

    HID: check for NULL field when setting values
    
    Defensively check that the field to be worked on is not NULL.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-core.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 28 18:09:18 2013 -0400

    http://marc.info/?l=linux-input&m=137772180514608&q=raw
    
    The "Report ID" field of a HID report is used to build indexes of
    reports. The kernel's index of these is limited to 256 entries, so any
    malicious device that sets a Report ID greater than 255 will trigger
    memory corruption on the host:
    
    [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
    [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
    
    CVE-2013-2888
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-core.c |   10 +++++++---
 include/linux/hid.h    |    4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)

commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 19 22:10:04 2013 -0400

    fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/x86/kernel/smpboot.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 12:00:20 2013 -0400

    make kallsyms_lookup_size_offset available to approved source files
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit abde07f6c047c0331f511318cb49a36d49218dfc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:18:09 2013 -0400

    allow use of kallsyms_lookup_name to approved source files
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Aug 13 09:04:05 2013 +0200

    Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
    
    genetlink: fix family dump race
    
    When dumping generic netlink families, only the first dump call
    is locked with genl_lock(), which protects the list of families,
    and thus subsequent calls can access the data without locking,
    racing against family addition/removal. This can cause a crash.
    Fix it - the locking needs to be conditional because the first
    time around it's already locked.
    
    A similar bug was reported to me on an old kernel (3.4.47) but
    the exact scenario that happened there is no longer possible,
    on those kernels the first round wasn't locked either. Looking
    at the current code I found the race described above, which had
    also existed on the old kernel.
    
    Cc: stable@vger.kernel.org
    Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/netlink/genetlink.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 08:58:34 2013 -0400

    Fix two harmless compiler warnings
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/kernel/process.c |    4 ++--
 fs/exec.c                 |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit d502375416b17270008ebdf11f1c3be7837f7c50
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:46:01 2013 -0400

    Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    2 +-
 kernel/kprobes.c         |    3 +++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit f6c363aba68cccff2815a488a7e9ed68990100d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 10 09:41:40 2013 -0400

    propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/sparc/mm/hugetlbpage.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:58:42 2013 -0400

    Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:26:40 2013 -0400

    Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
    
    Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
    user namespaces!
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/fork.c           |   17 -----------------
 kernel/user_namespace.c |   15 +++++++++++++++
 2 files changed, 15 insertions(+), 17 deletions(-)

commit 5c0737b045d057152a39154746d8c8e5d59185ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 16:05:41 2013 -0400

    silence a warning on older gcc
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 3 08:31:08 2013 -0400

    we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:54:51 2013 -0400

    add include
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_log.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:49:13 2013 -0400

    fix compilation
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/grinternal.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit d4d49138661d5cb646f0dd012178447380b79956
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:34:35 2013 -0400

    Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/binfmt_elf.c            |   37 +++++++++++++++++++++++++++++++++++++
 fs/exec.c                  |    4 ++++
 grsecurity/Kconfig         |   21 +++++----------------
 grsecurity/grsec_init.c    |    4 ----
 grsecurity/grsec_log.c     |   14 ++++++++++++++
 grsecurity/grsec_pax.c     |   19 ++++++++++++++-----
 grsecurity/grsec_sysctl.c  |    9 ---------
 include/linux/binfmts.h    |    1 +
 include/linux/grinternal.h |    2 +-
 include/linux/grmsg.h      |    3 ++-
 include/linux/grsecurity.h |    3 ++-
 mm/mmap.c                  |    7 +++++++
 mm/mprotect.c              |    2 +-
 13 files changed, 88 insertions(+), 38 deletions(-)

commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:52:02 2013 -0400

    add missing #define
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4a307f7d3ff3ab232c0b6341415088e7618c494e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:43:53 2013 -0400

    fix compilation for !COMPAT as reported on the forums
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |  195 ++++++++++++++++++++++++++--------------------------
 1 files changed, 97 insertions(+), 98 deletions(-)

commit 78011eb5c2454b8afc96b98bd86ac172e589b13c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:20 2013 -0400

    Revert "revert recent PaX change that causes boot failures with 32bit userland"
    
    This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 16:26:58 2013 -0400

    compile fix for !COMPAT as mentioned on forums
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e670dc535e4501fd12d8bf00f1e1306c44266fe7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:33:14 2013 -0400

    perform compat conversion of rlimit infinity
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 2834fe28e69176da6ac4989c6e3dc713faafefe5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:21:40 2013 -0400

    remove debugging
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   44 +++++++++++---------------------------------
 1 files changed, 11 insertions(+), 33 deletions(-)

commit 2669672647f6955f0e5154596492c73cd4fda330
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:20:32 2013 -0400

    eliminate compat_dev_t
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/gracl_compat.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 75de5da79f5e03936a79ffe2c827462000001985
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:13:22 2013 -0400

    fix compat rlimit size
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c    |   68 +++++++++++++++++++++++++++++-------------
 include/linux/gracl_compat.h |    4 +-
 2 files changed, 49 insertions(+), 23 deletions(-)

commit 9055a8feb8493a30d1ad0fcef25eb496630d223f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:20:18 2013 -0400

    compile fix
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:14:29 2013 -0400

    copy correct pointer size in new compat code
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c        |    8 ++++----
 grsecurity/gracl_compat.c |    4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 129b6204587740fd082e731a54d00e8a9fc35f8b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:15:50 2013 -0400

    compile fix
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:12:46 2013 -0400

    remove BUILD_BUG_ONs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   20 --------------------
 1 files changed, 0 insertions(+), 20 deletions(-)

commit 67fc73af0876d311c0d01d3b16fa429f44af12b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:18:36 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c    |    8 ++++----
 include/linux/gracl_compat.h |    2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:16:42 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c        |    4 ++--
 grsecurity/gracl_compat.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 798adb5cab6c3a8056e1b415e6f34a270f369721
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:13:51 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 4d4945ce90d83784634b898f83cb5a7699537733
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:11:03 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:08:21 2013 -0400

    more compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   28 ++++++++++++++--------------
 1 files changed, 14 insertions(+), 14 deletions(-)

commit 6db464f72eff84f77335b69dc2748a3759e151d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:59:50 2013 -0400

    more compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:56:47 2013 -0400

    additional compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   59 +++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 49 insertions(+), 10 deletions(-)

commit e78a78dcfc089142273243b54509840d3b50c538
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:47:15 2013 -0400

    fix typo
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b27005e62bebc09e6604a6f5dc099742bb6b4434
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:46:59 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   53 ++++++++++++++++++++++++++++++++++++++-------------
 1 files changed, 39 insertions(+), 14 deletions(-)

commit 101b84a778c254dfd7399f5bcd6264ff437f1176
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:22:44 2013 -0400

    Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
    
    Also removed code duplication for copying strings into the kernel
    
    Work performed as part of sponsorship
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Makefile          |    4 +
 grsecurity/gracl.c           |  315 +++++++++++++++++++++++-------------------
 grsecurity/gracl_compat.c    |  270 ++++++++++++++++++++++++++++++++++++
 include/linux/gracl_compat.h |  156 +++++++++++++++++++++
 4 files changed, 603 insertions(+), 142 deletions(-)

commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 16 20:40:24 2013 -0400

    allow viewing of ecryptfs version under SYSFS_RESTRICT
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/sysfs/dir.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3e182e4da46de4c6b9a9f45d41030bef19260954
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:49:17 2013 -0400

    Update PaX fix, just return the error
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/madvise.c |   11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:36:00 2013 -0400

    Fix madvise oops reported by Peter Keel
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/madvise.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 32537d92b8da84f38bf45eb85b6953f452064936
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 22:04:59 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/exec.c |    2 +-
 mm/mmap.c |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:15:10 2013 -0400

    Initial port of grsecurity to 3.11 using new git method

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    3 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |   12 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   17 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    4 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/defconfig                                  |    1 -
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/signal.c                           |    9 +-
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |    9 +-
 arch/x86/kernel/sys_x86_64.c                       |    8 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |    1 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  128 ++-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/block/cpqarray.c                           |    1 +
 drivers/cdrom/cdrom.c                              |    2 +-
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2000 +++++++++++---------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    8 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |    9 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  184 ++-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  256 +++-
 fs/namespace.c                                     |   16 +
 fs/open.c                                          |   38 +
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  166 ++-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |    4 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/perf_event.h                         |   13 +-
 include/linux/printk.h                             |    3 +-
 include/linux/sched.h                              |   24 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 ++-
 kernel/events/core.c                               |   14 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   64 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    2 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    7 +
 kernel/printk/printk.c                             |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   69 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    1 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   63 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev_ioctl.c                               |    4 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    4 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netrom/af_netrom.c                             |    1 -
 net/phonet/af_phonet.c                             |    2 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  341 +++-
 security/apparmor/Kconfig                          |    9 +
 security/apparmor/apparmorfs.c                     |  231 +++
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 235 files changed, 4384 insertions(+), 1312 deletions(-)

commit a76b033c58b4886552911442f1b89e0cee041dae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:57:40 2013 -0400

    Commit merge of new files and rejected patches
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/include/asm/thread_info.h     |    6 +-
 arch/arm/kernel/process.c              |    4 +-
 arch/powerpc/include/asm/thread_info.h |    7 +-
 arch/powerpc/mm/slice.c                |    2 +-
 arch/sparc/kernel/process_64.c         |    4 +-
 arch/x86/kernel/vm86_32.c              |   15 +
 fs/coredump.c                          |    1 +
 fs/ext4/balloc.c                       |    4 +-
 fs/namei.c                             |    7 +
 fs/namespace.c                         |    8 +
 fs/pipe.c                              |    2 +-
 fs/proc/inode.c                        |   13 +
 fs/proc/internal.h                     |    3 +
 grsecurity/Kconfig                     | 1054 +++++++++
 grsecurity/Makefile                    |   38 +
 grsecurity/gracl.c                     | 4073 ++++++++++++++++++++++++++++++++
 grsecurity/gracl_alloc.c               |  105 +
 grsecurity/gracl_cap.c                 |  110 +
 grsecurity/gracl_fs.c                  |  431 ++++
 grsecurity/gracl_ip.c                  |  387 +++
 grsecurity/gracl_learn.c               |  207 ++
 grsecurity/gracl_res.c                 |   68 +
 grsecurity/gracl_segv.c                |  305 +++
 grsecurity/gracl_shm.c                 |   40 +
 grsecurity/grsec_chdir.c               |   19 +
 grsecurity/grsec_chroot.c              |  370 +++
 grsecurity/grsec_disabled.c            |  434 ++++
 grsecurity/grsec_exec.c                |  187 ++
 grsecurity/grsec_fifo.c                |   24 +
 grsecurity/grsec_fork.c                |   23 +
 grsecurity/grsec_init.c                |  283 +++
 grsecurity/grsec_link.c                |   58 +
 grsecurity/grsec_log.c                 |  326 +++
 grsecurity/grsec_mem.c                 |   40 +
 grsecurity/grsec_mount.c               |   62 +
 grsecurity/grsec_pax.c                 |   36 +
 grsecurity/grsec_ptrace.c              |   30 +
 grsecurity/grsec_sig.c                 |  246 ++
 grsecurity/grsec_sock.c                |  244 ++
 grsecurity/grsec_sysctl.c              |  469 ++++
 grsecurity/grsec_time.c                |   16 +
 grsecurity/grsec_tpe.c                 |   73 +
 grsecurity/grsum.c                     |   61 +
 include/linux/gracl.h                  |  319 +++
 include/linux/gralloc.h                |    9 +
 include/linux/grdefs.h                 |  140 ++
 include/linux/grinternal.h             |  227 ++
 include/linux/grmsg.h                  |  112 +
 include/linux/grsecurity.h             |  241 ++
 include/linux/grsock.h                 |   19 +
 include/linux/netfilter/xt_gradm.h     |    9 +
 include/linux/proc_fs.h                |   13 +
 include/linux/sched.h                  |   48 +-
 include/trace/events/fs.h              |   53 +
 kernel/kmod.c                          |    7 +-
 kernel/panic.c                         |    2 +-
 kernel/posix-timers.c                  |    1 +
 kernel/time/timekeeping.c              |    2 +
 lib/Kconfig.debug                      |    2 +-
 lib/vsprintf.c                         |   31 +
 localversion-grsec                     |    1 +
 mm/mmap.c                              |   13 +-
 mm/shmem.c                             |    2 +-
 net/core/net-procfs.c                  |    5 +
 net/ipv6/udp.c                         |    3 +
 net/netfilter/xt_gradm.c               |   51 +
 66 files changed, 11184 insertions(+), 21 deletions(-)

commit d1cf217118e0750f54aca9136d8c6a41f0ae439c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 14:36:40 2013 -0400

    Initial import of pax-linux-3.11-test4.patch

 Documentation/dontdiff                             |   46 +-
 Documentation/kernel-parameters.txt                |   23 +
 Makefile                                           |  100 +-
 arch/alpha/include/asm/atomic.h                    |   10 +
 arch/alpha/include/asm/elf.h                       |    7 +
 arch/alpha/include/asm/pgalloc.h                   |    6 +
 arch/alpha/include/asm/pgtable.h                   |   11 +
 arch/alpha/kernel/module.c                         |    2 +-
 arch/alpha/kernel/osf_sys.c                        |    8 +-
 arch/alpha/mm/fault.c                              |  141 +-
 arch/arm/Kconfig                                   |    2 +-
 arch/arm/include/asm/atomic.h                      |  444 ++-
 arch/arm/include/asm/cache.h                       |    5 +-
 arch/arm/include/asm/cacheflush.h                  |    2 +-
 arch/arm/include/asm/checksum.h                    |   14 +-
 arch/arm/include/asm/cmpxchg.h                     |    2 +
 arch/arm/include/asm/domain.h                      |   33 +-
 arch/arm/include/asm/elf.h                         |   13 +-
 arch/arm/include/asm/fncpy.h                       |    2 +
 arch/arm/include/asm/futex.h                       |   10 +
 arch/arm/include/asm/kmap_types.h                  |    2 +-
 arch/arm/include/asm/mach/dma.h                    |    2 +-
 arch/arm/include/asm/mach/map.h                    |    7 +-
 arch/arm/include/asm/outercache.h                  |    2 +-
 arch/arm/include/asm/page.h                        |    2 +-
 arch/arm/include/asm/pgalloc.h                     |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h        |    5 +
 arch/arm/include/asm/pgtable-2level.h              |    3 +
 arch/arm/include/asm/pgtable-3level-hwdef.h        |    1 +
 arch/arm/include/asm/pgtable-3level.h              |    2 +
 arch/arm/include/asm/pgtable.h                     |   54 +-
 arch/arm/include/asm/proc-fns.h                    |    2 +-
 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/include/asm/smp.h                         |    2 +-
 arch/arm/include/asm/thread_info.h                 |    6 +-
 arch/arm/include/asm/uaccess.h                     |   95 +-
 arch/arm/include/uapi/asm/ptrace.h                 |    2 +-
 arch/arm/kernel/armksyms.c                         |    8 +-
 arch/arm/kernel/entry-armv.S                       |  110 +-
 arch/arm/kernel/entry-common.S                     |   40 +-
 arch/arm/kernel/entry-header.S                     |   60 +
 arch/arm/kernel/fiq.c                              |    3 +
 arch/arm/kernel/head.S                             |    6 +-
 arch/arm/kernel/module.c                           |   29 +-
 arch/arm/kernel/patch.c                            |    2 +
 arch/arm/kernel/process.c                          |   42 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/arm/kernel/setup.c                            |   22 +-
 arch/arm/kernel/signal.c                           |   35 +-
 arch/arm/kernel/smp.c                              |    2 +-
 arch/arm/kernel/traps.c                            |    8 +-
 arch/arm/kernel/vmlinux.lds.S                      |   22 +-
 arch/arm/kvm/arm.c                                 |    8 +-
 arch/arm/lib/clear_user.S                          |    6 +-
 arch/arm/lib/copy_from_user.S                      |    6 +-
 arch/arm/lib/copy_page.S                           |    1 +
 arch/arm/lib/copy_to_user.S                        |    6 +-
 arch/arm/lib/csumpartialcopyuser.S                 |    4 +-
 arch/arm/lib/delay.c                               |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c                 |    2 +-
 arch/arm/mach-kirkwood/common.c                    |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                   |    2 +-
 arch/arm/mach-omap2/gpmc.c                         |   22 +-
 arch/arm/mach-omap2/omap-wakeupgen.c               |    2 +-
 arch/arm/mach-omap2/omap_device.c                  |    4 +-
 arch/arm/mach-omap2/omap_device.h                  |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                   |    4 +-
 arch/arm/mach-omap2/wd_timer.c                     |    6 +-
 arch/arm/mach-tegra/cpuidle-tegra20.c              |    2 +-
 arch/arm/mach-ux500/setup.h                        |    7 -
 arch/arm/mm/Kconfig                                |    6 +-
 arch/arm/mm/alignment.c                            |    8 +
 arch/arm/mm/context.c                              |   10 +-
 arch/arm/mm/fault.c                                |  104 +
 arch/arm/mm/fault.h                                |   12 +
 arch/arm/mm/init.c                                 |   41 +
 arch/arm/mm/ioremap.c                              |    4 +-
 arch/arm/mm/mmap.c                                 |   30 +-
 arch/arm/mm/mmu.c                                  |  185 +-
 arch/arm/plat-omap/sram.c                          |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h       |    2 +-
 arch/avr32/include/asm/elf.h                       |    8 +-
 arch/avr32/include/asm/kmap_types.h                |    4 +-
 arch/avr32/mm/fault.c                              |   27 +
 arch/frv/include/asm/atomic.h                      |   10 +
 arch/frv/include/asm/kmap_types.h                  |    2 +-
 arch/frv/mm/elf-fdpic.c                            |    3 +-
 arch/ia64/include/asm/atomic.h                     |   10 +
 arch/ia64/include/asm/elf.h                        |    7 +
 arch/ia64/include/asm/pgalloc.h                    |   12 +
 arch/ia64/include/asm/pgtable.h                    |   13 +-
 arch/ia64/include/asm/spinlock.h                   |    2 +-
 arch/ia64/include/asm/uaccess.h                    |   26 +-
 arch/ia64/kernel/module.c                          |   48 +-
 arch/ia64/kernel/palinfo.c                         |    2 +-
 arch/ia64/kernel/sys_ia64.c                        |    7 +
 arch/ia64/kernel/vmlinux.lds.S                     |    2 +-
 arch/ia64/mm/fault.c                               |   32 +-
 arch/ia64/mm/init.c                                |   13 +
 arch/m32r/lib/usercopy.c                           |    6 +
 arch/mips/include/asm/atomic.h                     |  728 +++-
 arch/mips/include/asm/elf.h                        |   11 +-
 arch/mips/include/asm/exec.h                       |    2 +-
 arch/mips/include/asm/local.h                      |   57 +
 arch/mips/include/asm/page.h                       |    2 +-
 arch/mips/include/asm/pgalloc.h                    |    5 +
 arch/mips/include/asm/smtc_proc.h                  |    2 +-
 arch/mips/kernel/binfmt_elfn32.c                   |    7 +
 arch/mips/kernel/binfmt_elfo32.c                   |    7 +
 arch/mips/kernel/irq.c                             |    6 +-
 arch/mips/kernel/process.c                         |   12 -
 arch/mips/kernel/smtc-proc.c                       |    6 +-
 arch/mips/kernel/smtc.c                            |    2 +-
 arch/mips/kernel/sync-r4k.c                        |   24 +-
 arch/mips/kernel/traps.c                           |   13 +-
 arch/mips/mm/fault.c                               |   25 +
 arch/mips/mm/mmap.c                                |   51 +-
 arch/mips/sgi-ip27/ip27-nmi.c                      |    6 +-
 arch/parisc/include/asm/atomic.h                   |   10 +
 arch/parisc/include/asm/elf.h                      |    7 +
 arch/parisc/include/asm/pgalloc.h                  |    6 +
 arch/parisc/include/asm/pgtable.h                  |   11 +
 arch/parisc/include/asm/uaccess.h                  |    4 +-
 arch/parisc/kernel/module.c                        |   50 +-
 arch/parisc/kernel/sys_parisc.c                    |    9 +-
 arch/parisc/kernel/traps.c                         |    4 +-
 arch/parisc/mm/fault.c                             |  140 +-
 arch/powerpc/include/asm/atomic.h                  |   10 +
 arch/powerpc/include/asm/elf.h                     |   19 +-
 arch/powerpc/include/asm/exec.h                    |    2 +-
 arch/powerpc/include/asm/kmap_types.h              |    2 +-
 arch/powerpc/include/asm/mman.h                    |    2 +-
 arch/powerpc/include/asm/page.h                    |    8 +-
 arch/powerpc/include/asm/page_64.h                 |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h              |    7 +
 arch/powerpc/include/asm/pgtable.h                 |    1 +
 arch/powerpc/include/asm/pte-hash32.h              |    1 +
 arch/powerpc/include/asm/reg.h                     |    1 +
 arch/powerpc/include/asm/smp.h                     |    2 +-
 arch/powerpc/include/asm/uaccess.h                 |  140 +-
 arch/powerpc/kernel/exceptions-64e.S               |    4 +-
 arch/powerpc/kernel/exceptions-64s.S               |    2 +-
 arch/powerpc/kernel/module_32.c                    |   13 +-
 arch/powerpc/kernel/process.c                      |   55 -
 arch/powerpc/kernel/signal_32.c                    |    2 +-
 arch/powerpc/kernel/signal_64.c                    |    2 +-
 arch/powerpc/kernel/vdso.c                         |    5 +-
 arch/powerpc/lib/usercopy_64.c                     |   18 -
 arch/powerpc/mm/fault.c                            |   54 +-
 arch/powerpc/mm/mmap.c                             |   16 +
 arch/powerpc/mm/slice.c                            |   13 +-
 arch/powerpc/platforms/cell/spufs/file.c           |    4 +-
 arch/s390/include/asm/atomic.h                     |   10 +
 arch/s390/include/asm/elf.h                        |   13 +-
 arch/s390/include/asm/exec.h                       |    2 +-
 arch/s390/include/asm/uaccess.h                    |   15 +-
 arch/s390/kernel/module.c                          |   22 +-
 arch/s390/kernel/process.c                         |   36 -
 arch/s390/mm/mmap.c                                |   24 +
 arch/score/include/asm/exec.h                      |    2 +-
 arch/score/kernel/process.c                        |    5 -
 arch/sh/mm/mmap.c                                  |   22 +-
 arch/sparc/include/asm/atomic_64.h                 |  106 +-
 arch/sparc/include/asm/cache.h                     |    2 +-
 arch/sparc/include/asm/elf_32.h                    |    7 +
 arch/sparc/include/asm/elf_64.h                    |    7 +
 arch/sparc/include/asm/pgalloc_32.h                |    1 +
 arch/sparc/include/asm/pgalloc_64.h                |    1 +
 arch/sparc/include/asm/pgtable_32.h                |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                  |    5 +
 arch/sparc/include/asm/spinlock_64.h               |   35 +-
 arch/sparc/include/asm/thread_info_32.h            |    2 +
 arch/sparc/include/asm/thread_info_64.h            |    2 +
 arch/sparc/include/asm/uaccess.h                   |    1 +
 arch/sparc/include/asm/uaccess_32.h                |   27 +-
 arch/sparc/include/asm/uaccess_64.h                |   19 +-
 arch/sparc/kernel/Makefile                         |    2 +-
 arch/sparc/kernel/prom_common.c                    |    2 +-
 arch/sparc/kernel/smp_64.c                         |   12 +-
 arch/sparc/kernel/sys_sparc_32.c                   |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                   |   52 +-
 arch/sparc/kernel/traps_64.c                       |   27 +-
 arch/sparc/lib/Makefile                            |    2 +-
 arch/sparc/lib/atomic_64.S                         |  136 +-
 arch/sparc/lib/ksyms.c                             |    6 +
 arch/sparc/mm/Makefile                             |    2 +-
 arch/sparc/mm/fault_32.c                           |  292 +
 arch/sparc/mm/fault_64.c                           |  486 ++
 arch/sparc/mm/hugetlbpage.c                        |   21 +-
 arch/sparc/mm/init_64.c                            |   10 +-
 arch/tile/include/asm/atomic_64.h                  |   10 +
 arch/tile/include/asm/uaccess.h                    |    4 +-
 arch/um/Makefile                                   |    4 +
 arch/um/include/asm/kmap_types.h                   |    2 +-
 arch/um/include/asm/page.h                         |    3 +
 arch/um/include/asm/pgtable-3level.h               |    1 +
 arch/um/kernel/process.c                           |   16 -
 arch/x86/Kconfig                                   |   10 +-
 arch/x86/Kconfig.cpu                               |    6 +-
 arch/x86/Kconfig.debug                             |    4 +-
 arch/x86/Makefile                                  |   10 +
 arch/x86/boot/Makefile                             |    3 +
 arch/x86/boot/bitops.h                             |    4 +-
 arch/x86/boot/boot.h                               |    4 +-
 arch/x86/boot/compressed/Makefile                  |    3 +
 arch/x86/boot/compressed/eboot.c                   |    2 -
 arch/x86/boot/compressed/efi_stub_32.S             |   16 +-
 arch/x86/boot/compressed/head_32.S                 |    7 +-
 arch/x86/boot/compressed/head_64.S                 |    8 +-
 arch/x86/boot/compressed/misc.c                    |    4 +-
 arch/x86/boot/cpucheck.c                           |   28 +-
 arch/x86/boot/header.S                             |    6 +-
 arch/x86/boot/memory.c                             |    2 +-
 arch/x86/boot/video-vesa.c                         |    1 +
 arch/x86/boot/video.c                              |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S                |    4 +
 arch/x86/crypto/aesni-intel_asm.S                  |   22 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/camellia-aesni-avx-asm_64.S        |   10 +
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S       |   10 +
 arch/x86/crypto/camellia-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S          |    7 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S          |    9 +
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S          |    2 +
 arch/x86/crypto/ghash-clmulni-intel_asm.S          |    5 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S            |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/serpent-avx2-asm_64.S              |    9 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S       |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                   |    2 +
 arch/x86/crypto/sha256-avx-asm.S                   |    2 +
 arch/x86/crypto/sha256-avx2-asm.S                  |    2 +
 arch/x86/crypto/sha256-ssse3-asm.S                 |    2 +
 arch/x86/crypto/sha512-avx-asm.S                   |    2 +
 arch/x86/crypto/sha512-avx2-asm.S                  |    2 +
 arch/x86/crypto/sha512-ssse3-asm.S                 |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S       |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S            |    3 +
 arch/x86/ia32/ia32_signal.c                        |   16 +-
 arch/x86/ia32/ia32entry.S                          |  157 +-
 arch/x86/ia32/sys_ia32.c                           |    4 +-
 arch/x86/include/asm/alternative-asm.h             |   39 +
 arch/x86/include/asm/alternative.h                 |    4 +-
 arch/x86/include/asm/apic.h                        |    2 +-
 arch/x86/include/asm/apm.h                         |    4 +-
 arch/x86/include/asm/atomic.h                      |  307 +-
 arch/x86/include/asm/atomic64_32.h                 |  100 +
 arch/x86/include/asm/atomic64_64.h                 |  202 +-
 arch/x86/include/asm/bitops.h                      |    4 +-
 arch/x86/include/asm/boot.h                        |    7 +-
 arch/x86/include/asm/cache.h                       |    5 +-
 arch/x86/include/asm/cacheflush.h                  |    2 +-
 arch/x86/include/asm/checksum_32.h                 |   12 +-
 arch/x86/include/asm/cmpxchg.h                     |   35 +
 arch/x86/include/asm/compat.h                      |    2 +-
 arch/x86/include/asm/cpufeature.h                  |   16 +-
 arch/x86/include/asm/desc.h                        |   74 +-
 arch/x86/include/asm/desc_defs.h                   |    6 +
 arch/x86/include/asm/div64.h                       |    2 +-
 arch/x86/include/asm/elf.h                         |   31 +-
 arch/x86/include/asm/emergency-restart.h           |    2 +-
 arch/x86/include/asm/fpu-internal.h                |    8 +-
 arch/x86/include/asm/futex.h                       |   20 +-
 arch/x86/include/asm/hw_irq.h                      |    4 +-
 arch/x86/include/asm/i8259.h                       |    2 +-
 arch/x86/include/asm/io.h                          |   21 +-
 arch/x86/include/asm/irqflags.h                    |    5 +
 arch/x86/include/asm/kprobes.h                     |    9 +-
 arch/x86/include/asm/local.h                       |  142 +-
 arch/x86/include/asm/mman.h                        |   15 +
 arch/x86/include/asm/mmu.h                         |   16 +-
 arch/x86/include/asm/mmu_context.h                 |  128 +-
 arch/x86/include/asm/module.h                      |   17 +-
 arch/x86/include/asm/nmi.h                         |    6 +-
 arch/x86/include/asm/page.h                        |    1 +
 arch/x86/include/asm/page_64.h                     |    4 +-
 arch/x86/include/asm/paravirt.h                    |   46 +-
 arch/x86/include/asm/paravirt_types.h              |   17 +-
 arch/x86/include/asm/pgalloc.h                     |   23 +
 arch/x86/include/asm/pgtable-2level.h              |    2 +
 arch/x86/include/asm/pgtable-3level.h              |    4 +
 arch/x86/include/asm/pgtable.h                     |  124 +-
 arch/x86/include/asm/pgtable_32.h                  |   14 +-
 arch/x86/include/asm/pgtable_32_types.h            |   15 +-
 arch/x86/include/asm/pgtable_64.h                  |   19 +-
 arch/x86/include/asm/pgtable_64_types.h            |    5 +
 arch/x86/include/asm/pgtable_types.h               |   36 +-
 arch/x86/include/asm/processor.h                   |   82 +-
 arch/x86/include/asm/ptrace.h                      |   26 +-
 arch/x86/include/asm/realmode.h                    |    4 +-
 arch/x86/include/asm/reboot.h                      |   10 +-
 arch/x86/include/asm/rwsem.h                       |   60 +-
 arch/x86/include/asm/segment.h                     |   29 +-
 arch/x86/include/asm/smap.h                        |   64 +-
 arch/x86/include/asm/smp.h                         |   14 +-
 arch/x86/include/asm/spinlock.h                    |   36 +-
 arch/x86/include/asm/stackprotector.h              |    4 +-
 arch/x86/include/asm/stacktrace.h                  |   32 +-
 arch/x86/include/asm/switch_to.h                   |    4 +-
 arch/x86/include/asm/thread_info.h                 |   83 +-
 arch/x86/include/asm/tlbflush.h                    |   74 +-
 arch/x86/include/asm/uaccess.h                     |  112 +-
 arch/x86/include/asm/uaccess_32.h                  |  106 +-
 arch/x86/include/asm/uaccess_64.h                  |  232 +-
 arch/x86/include/asm/word-at-a-time.h              |    2 +-
 arch/x86/include/asm/x86_init.h                    |   10 +-
 arch/x86/include/asm/xsave.h                       |   14 +-
 arch/x86/include/uapi/asm/e820.h                   |    2 +-
 arch/x86/kernel/Makefile                           |    2 +-
 arch/x86/kernel/acpi/boot.c                        |    4 +-
 arch/x86/kernel/acpi/sleep.c                       |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                   |    6 +-
 arch/x86/kernel/alternative.c                      |   65 +-
 arch/x86/kernel/apic/apic.c                        |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c                |    4 +-
 arch/x86/kernel/apic/apic_noop.c                   |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                   |    2 +-
 arch/x86/kernel/apic/es7000_32.c                   |    5 +-
 arch/x86/kernel/apic/io_apic.c                     |    8 +-
 arch/x86/kernel/apic/numaq_32.c                    |    3 +-
 arch/x86/kernel/apic/probe_32.c                    |    2 +-
 arch/x86/kernel/apic/summit_32.c                   |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c              |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c                 |    2 +-
 arch/x86/kernel/apm_32.c                           |   19 +-
 arch/x86/kernel/asm-offsets.c                      |   20 +
 arch/x86/kernel/asm-offsets_64.c                   |    1 +
 arch/x86/kernel/cpu/Makefile                       |    4 -
 arch/x86/kernel/cpu/amd.c                          |    2 +-
 arch/x86/kernel/cpu/common.c                       |  130 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c              |   48 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |   31 +-
 arch/x86/kernel/cpu/mcheck/p5.c                    |    3 +
 arch/x86/kernel/cpu/mcheck/winchip.c               |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                    |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                    |    2 +-
 arch/x86/kernel/cpu/perf_event.c                   |    8 +-
 arch/x86/kernel/cpu/perf_event_intel.c             |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c      |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h      |    2 +-
 arch/x86/kernel/cpuid.c                            |    2 +-
 arch/x86/kernel/crash.c                            |    4 +-
 arch/x86/kernel/crash_dump_64.c                    |    2 +-
 arch/x86/kernel/doublefault.c                      |    8 +-
 arch/x86/kernel/dumpstack.c                        |   30 +-
 arch/x86/kernel/dumpstack_32.c                     |   34 +-
 arch/x86/kernel/dumpstack_64.c                     |   61 +-
 arch/x86/kernel/e820.c                             |    4 +-
 arch/x86/kernel/early_printk.c                     |    1 +
 arch/x86/kernel/entry_32.S                         |  356 +-
 arch/x86/kernel/entry_64.S                         |  669 ++-
 arch/x86/kernel/ftrace.c                           |   14 +-
 arch/x86/kernel/head64.c                           |   13 +-
 arch/x86/kernel/head_32.S                          |  228 +-
 arch/x86/kernel/head_64.S                          |  138 +-
 arch/x86/kernel/i386_ksyms_32.c                    |   12 +
 arch/x86/kernel/i387.c                             |    2 +-
 arch/x86/kernel/i8259.c                            |   10 +-
 arch/x86/kernel/io_delay.c                         |    2 +-
 arch/x86/kernel/ioport.c                           |    2 +-
 arch/x86/kernel/irq.c                              |    8 +-
 arch/x86/kernel/irq_32.c                           |   67 +-
 arch/x86/kernel/irq_64.c                           |    2 +-
 arch/x86/kernel/kdebugfs.c                         |    2 +-
 arch/x86/kernel/kgdb.c                             |   25 +-
 arch/x86/kernel/kprobes/core.c                     |   30 +-
 arch/x86/kernel/kprobes/opt.c                      |   16 +-
 arch/x86/kernel/ldt.c                              |   31 +-
 arch/x86/kernel/machine_kexec_32.c                 |    6 +-
 arch/x86/kernel/microcode_core.c                   |    2 +-
 arch/x86/kernel/microcode_intel.c                  |    4 +-
 arch/x86/kernel/module.c                           |   76 +-
 arch/x86/kernel/msr.c                              |    2 +-
 arch/x86/kernel/nmi.c                              |   19 +-
 arch/x86/kernel/nmi_selftest.c                     |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c               |    2 +-
 arch/x86/kernel/paravirt.c                         |   43 +-
 arch/x86/kernel/pci-calgary_64.c                   |    2 +-
 arch/x86/kernel/pci-iommu_table.c                  |    2 +-
 arch/x86/kernel/pci-swiotlb.c                      |    2 +-
 arch/x86/kernel/process.c                          |   55 +-
 arch/x86/kernel/process_32.c                       |   29 +-
 arch/x86/kernel/process_64.c                       |   20 +-
 arch/x86/kernel/ptrace.c                           |   25 +-
 arch/x86/kernel/pvclock.c                          |    8 +-
 arch/x86/kernel/reboot.c                           |   42 +-
 arch/x86/kernel/reboot_fixups_32.c                 |    2 +-
 arch/x86/kernel/relocate_kernel_64.S               |    5 +-
 arch/x86/kernel/setup.c                            |   65 +-
 arch/x86/kernel/setup_percpu.c                     |   29 +-
 arch/x86/kernel/signal.c                           |   19 +-
 arch/x86/kernel/smp.c                              |    2 +-
 arch/x86/kernel/smpboot.c                          |   28 +-
 arch/x86/kernel/step.c                             |   10 +-
 arch/x86/kernel/sys_i386_32.c                      |  184 +
 arch/x86/kernel/sys_x86_64.c                       |   22 +-
 arch/x86/kernel/tboot.c                            |   12 +-
 arch/x86/kernel/time.c                             |   10 +-
 arch/x86/kernel/tls.c                              |    7 +-
 arch/x86/kernel/tracepoint.c                       |    4 +-
 arch/x86/kernel/traps.c                            |   62 +-
 arch/x86/kernel/uprobes.c                          |    4 +-
 arch/x86/kernel/vm86_32.c                          |    6 +-
 arch/x86/kernel/vmlinux.lds.S                      |  147 +-
 arch/x86/kernel/vsyscall_64.c                      |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                   |    6 +-
 arch/x86/kernel/x86_init.c                         |    6 +-
 arch/x86/kernel/xsave.c                            |    2 +
 arch/x86/kvm/cpuid.c                               |   21 +-
 arch/x86/kvm/lapic.c                               |    2 +-
 arch/x86/kvm/paging_tmpl.h                         |    2 +-
 arch/x86/kvm/svm.c                                 |    8 +
 arch/x86/kvm/vmx.c                                 |   61 +-
 arch/x86/kvm/x86.c                                 |    8 +-
 arch/x86/lguest/boot.c                             |    3 +-
 arch/x86/lib/atomic64_386_32.S                     |  164 +
 arch/x86/lib/atomic64_cx8_32.S                     |  103 +-
 arch/x86/lib/checksum_32.S                         |  100 +-
 arch/x86/lib/clear_page_64.S                       |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                      |    2 +
 arch/x86/lib/copy_page_64.S                        |   24 +-
 arch/x86/lib/copy_user_64.S                        |   89 +-
 arch/x86/lib/copy_user_nocache_64.S                |   22 +-
 arch/x86/lib/csum-copy_64.S                        |    2 +
 arch/x86/lib/csum-wrappers_64.c                    |   13 +-
 arch/x86/lib/getuser.S                             |   74 +-
 arch/x86/lib/insn.c                                |    6 +-
 arch/x86/lib/iomap_copy_64.S                       |    2 +
 arch/x86/lib/memcpy_64.S                           |   22 +-
 arch/x86/lib/memmove_64.S                          |   36 +-
 arch/x86/lib/memset_64.S                           |   11 +-
 arch/x86/lib/mmx_32.c                              |  243 +-
 arch/x86/lib/msr-reg.S                             |   18 +-
 arch/x86/lib/putuser.S                             |   90 +-
 arch/x86/lib/rwlock.S                              |   42 +
 arch/x86/lib/rwsem.S                               |    6 +-
 arch/x86/lib/thunk_64.S                            |    2 +
 arch/x86/lib/usercopy_32.c                         |  363 +-
 arch/x86/lib/usercopy_64.c                         |   18 +-
 arch/x86/mm/Makefile                               |    4 +
 arch/x86/mm/extable.c                              |   25 +-
 arch/x86/mm/fault.c                                |  571 ++-
 arch/x86/mm/gup.c                                  |    2 +-
 arch/x86/mm/highmem_32.c                           |    4 +
 arch/x86/mm/hugetlbpage.c                          |   30 +-
 arch/x86/mm/init.c                                 |  101 +-
 arch/x86/mm/init_32.c                              |  111 +-
 arch/x86/mm/init_64.c                              |   45 +-
 arch/x86/mm/iomap_32.c                             |    4 +
 arch/x86/mm/ioremap.c                              |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                  |    4 +-
 arch/x86/mm/mmap.c                                 |   36 +-
 arch/x86/mm/mmio-mod.c                             |   10 +-
 arch/x86/mm/numa.c                                 |    2 +-
 arch/x86/mm/pageattr-test.c                        |    2 +-
 arch/x86/mm/pageattr.c                             |   33 +-
 arch/x86/mm/pat.c                                  |   12 +-
 arch/x86/mm/pat_rbtree.c                           |    2 +-
 arch/x86/mm/pf_in.c                                |   10 +-
 arch/x86/mm/pgtable.c                              |  139 +-
 arch/x86/mm/pgtable_32.c                           |    3 +
 arch/x86/mm/physaddr.c                             |    4 +-
 arch/x86/mm/setup_nx.c                             |    7 +
 arch/x86/mm/tlb.c                                  |    4 +
 arch/x86/mm/uderef_64.c                            |   37 +
 arch/x86/net/bpf_jit.S                             |   14 +
 arch/x86/net/bpf_jit_comp.c                        |   39 +-
 arch/x86/oprofile/backtrace.c                      |    8 +-
 arch/x86/oprofile/nmi_int.c                        |    8 +-
 arch/x86/oprofile/op_model_amd.c                   |    8 +-
 arch/x86/oprofile/op_model_ppro.c                  |    7 +-
 arch/x86/oprofile/op_x86_model.h                   |    2 +-
 arch/x86/pci/irq.c                                 |    8 +-
 arch/x86/pci/mrst.c                                |    4 +-
 arch/x86/pci/pcbios.c                              |  144 +-
 arch/x86/platform/efi/efi_32.c                     |   24 +
 arch/x86/platform/efi/efi_64.c                     |   10 +
 arch/x86/platform/efi/efi_stub_32.S                |   64 +-
 arch/x86/platform/efi/efi_stub_64.S                |    8 +
 arch/x86/platform/mrst/mrst.c                      |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                   |    2 +-
 arch/x86/power/cpu.c                               |   11 +-
 arch/x86/realmode/init.c                           |   10 +-
 arch/x86/realmode/rm/Makefile                      |    3 +
 arch/x86/realmode/rm/header.S                      |    4 +-
 arch/x86/realmode/rm/trampoline_32.S               |   12 +-
 arch/x86/realmode/rm/trampoline_64.S               |    3 +-
 arch/x86/tools/Makefile                            |    2 +-
 arch/x86/tools/relocs.c                            |   94 +-
 arch/x86/um/tls_32.c                               |    2 +-
 arch/x86/vdso/Makefile                             |    2 +-
 arch/x86/vdso/vdso32-setup.c                       |   23 +-
 arch/x86/vdso/vma.c                                |   29 +-
 arch/x86/xen/enlighten.c                           |   45 +-
 arch/x86/xen/mmu.c                                 |    9 +
 arch/x86/xen/smp.c                                 |   18 +-
 arch/x86/xen/xen-asm_32.S                          |   12 +-
 arch/x86/xen/xen-head.S                            |   11 +
 arch/x86/xen/xen-ops.h                             |    2 -
 block/blk-cgroup.c                                 |    4 +-
 block/blk-iopoll.c                                 |    2 +-
 block/blk-map.c                                    |    2 +-
 block/blk-softirq.c                                |    2 +-
 block/bsg.c                                        |   12 +-
 block/compat_ioctl.c                               |    2 +-
 block/genhd.c                                      |    9 +-
 block/partitions/efi.c                             |    8 +-
 block/scsi_ioctl.c                                 |   27 +-
 crypto/cryptd.c                                    |    4 +-
 crypto/pcrypt.c                                    |    2 +-
 drivers/acpi/apei/apei-internal.h                  |    2 +-
 drivers/acpi/apei/cper.c                           |    8 +-
 drivers/acpi/apei/ghes.c                           |    4 +-
 drivers/acpi/bgrt.c                                |    6 +-
 drivers/acpi/blacklist.c                           |    4 +-
 drivers/acpi/processor_idle.c                      |    2 +-
 drivers/acpi/sysfs.c                               |    4 +-
 drivers/ata/libahci.c                              |    2 +-
 drivers/ata/libata-core.c                          |   12 +-
 drivers/ata/libata-scsi.c                          |    2 +-
 drivers/ata/libata.h                               |    2 +-
 drivers/ata/pata_arasan_cf.c                       |    4 +-
 drivers/atm/adummy.c                               |    2 +-
 drivers/atm/ambassador.c                           |    8 +-
 drivers/atm/atmtcp.c                               |   14 +-
 drivers/atm/eni.c                                  |   10 +-
 drivers/atm/firestream.c                           |    8 +-
 drivers/atm/fore200e.c                             |   14 +-
 drivers/atm/he.c                                   |   18 +-
 drivers/atm/horizon.c                              |    4 +-
 drivers/atm/idt77252.c                             |   36 +-
 drivers/atm/iphase.c                               |   34 +-
 drivers/atm/lanai.c                                |   12 +-
 drivers/atm/nicstar.c                              |   46 +-
 drivers/atm/solos-pci.c                            |    4 +-
 drivers/atm/suni.c                                 |    4 +-
 drivers/atm/uPD98402.c                             |   16 +-
 drivers/atm/zatm.c                                 |    6 +-
 drivers/base/bus.c                                 |    4 +-
 drivers/base/devtmpfs.c                            |    8 +-
 drivers/base/node.c                                |    2 +-
 drivers/base/power/domain.c                        |    4 +-
 drivers/base/power/sysfs.c                         |    2 +-
 drivers/base/power/wakeup.c                        |    8 +-
 drivers/base/syscore.c                             |    4 +-
 drivers/block/cciss.c                              |   28 +-
 drivers/block/cciss.h                              |    2 +-
 drivers/block/cpqarray.c                           |   28 +-
 drivers/block/cpqarray.h                           |    2 +-
 drivers/block/drbd/drbd_int.h                      |    6 +-
 drivers/block/drbd/drbd_main.c                     |    8 +-
 drivers/block/drbd/drbd_nl.c                       |    4 +-
 drivers/block/drbd/drbd_receiver.c                 |   22 +-
 drivers/block/loop.c                               |    2 +-
 drivers/block/pktcdvd.c                            |    2 +-
 drivers/cdrom/cdrom.c                              |   11 +-
 drivers/cdrom/gdrom.c                              |    1 -
 drivers/char/agp/compat_ioctl.c                    |    2 +-
 drivers/char/agp/frontend.c                        |    4 +-
 drivers/char/hpet.c                                |    2 +-
 drivers/char/hw_random/intel-rng.c                 |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c                |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                   |    8 +-
 drivers/char/mem.c                                 |   43 +-
 drivers/char/nvram.c                               |    2 +-
 drivers/char/pcmcia/synclink_cs.c                  |   18 +-
 drivers/char/random.c                              |   10 +-
 drivers/char/sonypi.c                              |    9 +-
 drivers/char/tpm/tpm_acpi.c                        |    3 +-
 drivers/char/tpm/tpm_eventlog.c                    |    7 +-
 drivers/char/virtio_console.c                      |    4 +-
 drivers/clk/clk-composite.c                        |    2 +-
 drivers/clk/socfpga/clk.c                          |    7 +-
 drivers/cpufreq/acpi-cpufreq.c                     |   20 +-
 drivers/cpufreq/cpufreq.c                          |    9 +-
 drivers/cpufreq/cpufreq_governor.c                 |    6 +-
 drivers/cpufreq/cpufreq_governor.h                 |    2 +-
 drivers/cpufreq/cpufreq_ondemand.c                 |    8 +-
 drivers/cpufreq/cpufreq_stats.c                    |    2 +-
 drivers/cpufreq/p4-clockmod.c                      |   12 +-
 drivers/cpufreq/sparc-us3-cpufreq.c                |   69 +-
 drivers/cpufreq/speedstep-centrino.c               |    7 +-
 drivers/cpuidle/cpuidle.c                          |    2 +-
 drivers/cpuidle/governor.c                         |    4 +-
 drivers/cpuidle/sysfs.c                            |    2 +-
 drivers/crypto/hifn_795x.c                         |    4 +-
 drivers/devfreq/devfreq.c                          |    4 +-
 drivers/dma/sh/shdma.c                             |    2 +-
 drivers/edac/edac_device.c                         |    4 +-
 drivers/edac/edac_mc_sysfs.c                       |   12 +-
 drivers/edac/edac_pci.c                            |    4 +-
 drivers/edac/edac_pci_sysfs.c                      |   22 +-
 drivers/edac/mce_amd.h                             |    2 +-
 drivers/firewire/core-card.c                       |    6 +-
 drivers/firewire/core-device.c                     |    2 +-
 drivers/firewire/core-transaction.c                |    1 +
 drivers/firewire/core.h                            |    1 +
 drivers/firmware/dmi-id.c                          |    2 +-
 drivers/firmware/dmi_scan.c                        |    7 +-
 drivers/firmware/efi/efi.c                         |   12 +-
 drivers/firmware/efi/efivars.c                     |    2 +-
 drivers/firmware/google/memconsole.c               |    4 +-
 drivers/gpio/gpio-ich.c                            |    2 +-
 drivers/gpio/gpio-vr41xx.c                         |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                  |    2 +-
 drivers/gpu/drm/drm_drv.c                          |    6 +-
 drivers/gpu/drm/drm_fops.c                         |   18 +-
 drivers/gpu/drm/drm_global.c                       |   14 +-
 drivers/gpu/drm/drm_info.c                         |   14 +-
 drivers/gpu/drm/drm_ioc32.c                        |   13 +-
 drivers/gpu/drm/drm_ioctl.c                        |    2 +-
 drivers/gpu/drm/drm_lock.c                         |    4 +-
 drivers/gpu/drm/drm_stub.c                         |    2 +-
 drivers/gpu/drm/drm_sysfs.c                        |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                    |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c                |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                    |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                    |    2 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c         |    4 +-
 drivers/gpu/drm/i915/i915_ioc32.c                  |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                    |   24 +-
 drivers/gpu/drm/i915/intel_display.c               |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                      |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                    |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                      |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c             |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h              |    1 -
 drivers/gpu/drm/nouveau/nouveau_ioc32.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c              |    2 +-
 drivers/gpu/drm/qxl/qxl_ttm.c                      |   38 +-
 drivers/gpu/drm/r128/r128_cce.c                    |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                    |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                  |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                    |    4 +-
 drivers/gpu/drm/r128/r128_state.c                  |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c                |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c             |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h                |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c              |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c                |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c                |   57 +-
 drivers/gpu/drm/radeon/rs690.c                     |    4 +-
 drivers/gpu/drm/ttm/ttm_memory.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c               |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                       |    1 -
 drivers/gpu/drm/via/via_drv.h                      |    4 +-
 drivers/gpu/drm/via/via_irq.c                      |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h                |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c               |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c                |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c             |    2 +-
 drivers/gpu/host1x/drm/dc.c                        |    2 +-
 drivers/hid/hid-core.c                             |    4 +-
 drivers/hid/uhid.c                                 |    6 +-
 drivers/hv/channel.c                               |    4 +-
 drivers/hv/hv.c                                    |    2 +-
 drivers/hv/hv_balloon.c                            |   18 +-
 drivers/hv/hyperv_vmbus.h                          |    2 +-
 drivers/hv/vmbus_drv.c                             |    4 +-
 drivers/hwmon/acpi_power_meter.c                   |    4 +-
 drivers/hwmon/applesmc.c                           |    2 +-
 drivers/hwmon/asus_atk0110.c                       |   10 +-
 drivers/hwmon/coretemp.c                           |    2 +-
 drivers/hwmon/ibmaem.c                             |    2 +-
 drivers/hwmon/iio_hwmon.c                          |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +-
 drivers/hwmon/sht15.c                              |   12 +-
 drivers/hwmon/via-cputemp.c                        |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c              |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c             |    2 +-
 drivers/i2c/i2c-dev.c                              |    2 +-
 drivers/ide/ide-cd.c                               |    2 +-
 drivers/iio/industrialio-core.c                    |    2 +-
 drivers/infiniband/core/cm.c                       |   32 +-
 drivers/infiniband/core/fmr_pool.c                 |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                  |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c             |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c            |    6 +-
 drivers/infiniband/hw/mlx4/mad.c                   |    2 +-
 drivers/infiniband/hw/mlx4/mcg.c                   |    2 +-
 drivers/infiniband/hw/mlx4/mlx4_ib.h               |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c            |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c             |    2 +-
 drivers/infiniband/hw/nes/nes.c                    |    4 +-
 drivers/infiniband/hw/nes/nes.h                    |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c                 |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c                |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c                |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c              |   10 +-
 drivers/infiniband/hw/qib/qib.h                    |    1 +
 drivers/input/gameport/gameport.c                  |    4 +-
 drivers/input/input.c                              |    4 +-
 drivers/input/joystick/sidewinder.c                |    1 +
 drivers/input/joystick/xpad.c                      |    4 +-
 drivers/input/misc/ims-pcu.c                       |    4 +-
 drivers/input/mouse/psmouse.h                      |    2 +-
 drivers/input/mousedev.c                           |    2 +-
 drivers/input/serio/serio.c                        |    4 +-
 drivers/input/serio/serio_raw.c                    |    4 +-
 drivers/iommu/iommu.c                              |    2 +-
 drivers/iommu/irq_remapping.c                      |   12 +-
 drivers/irqchip/irq-gic.c                          |    4 +-
 drivers/isdn/capi/capi.c                           |   10 +-
 drivers/isdn/gigaset/interface.c                   |    8 +-
 drivers/isdn/gigaset/usb-gigaset.c                 |    2 +-
 drivers/isdn/hardware/avm/b1.c                     |    4 +-
 drivers/isdn/i4l/isdn_common.c                     |    2 +
 drivers/isdn/i4l/isdn_tty.c                        |   22 +-
 drivers/isdn/icn/icn.c                             |    2 +-
 drivers/leds/leds-clevo-mail.c                     |    2 +-
 drivers/leds/leds-ss4200.c                         |    2 +-
 drivers/lguest/core.c                              |   10 +-
 drivers/lguest/page_tables.c                       |    2 +-
 drivers/lguest/x86/core.c                          |   12 +-
 drivers/lguest/x86/switcher_32.S                   |   27 +-
 drivers/md/bcache/closure.h                        |    2 +-
 drivers/md/bcache/super.c                          |    2 +-
 drivers/md/bitmap.c                                |    2 +-
 drivers/md/dm-ioctl.c                              |    2 +-
 drivers/md/dm-raid1.c                              |   16 +-
 drivers/md/dm-stripe.c                             |   10 +-
 drivers/md/dm-table.c                              |    2 +-
 drivers/md/dm-thin-metadata.c                      |    4 +-
 drivers/md/dm.c                                    |   16 +-
 drivers/md/md.c                                    |   26 +-
 drivers/md/md.h                                    |    6 +-
 drivers/md/persistent-data/dm-space-map.h          |    1 +
 drivers/md/raid1.c                                 |    4 +-
 drivers/md/raid10.c                                |   16 +-
 drivers/md/raid5.c                                 |   10 +-
 drivers/media/dvb-core/dvbdev.c                    |    2 +-
 drivers/media/dvb-frontends/dib3000.h              |    2 +-
 drivers/media/pci/cx88/cx88-video.c                |    6 +-
 drivers/media/pci/ivtv/ivtv-driver.c               |    2 +-
 drivers/media/platform/omap/omap_vout.c            |   11 +-
 drivers/media/platform/s5p-tv/mixer.h              |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c    |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c          |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c        |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c     |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +
 drivers/media/radio/radio-maxiradio.c              |    2 +-
 drivers/media/radio/radio-shark.c                  |    2 +-
 drivers/media/radio/radio-shark2.c                 |    2 +-
 drivers/media/radio/radio-si476x.c                 |    2 +-
 drivers/media/rc/rc-main.c                         |    4 +-
 drivers/media/usb/dvb-usb/cxusb.c                  |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c                 |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |    6 +-
 drivers/media/v4l2-core/v4l2-device.c              |    4 +-
 drivers/media/v4l2-core/v4l2-ioctl.c               |   11 +-
 drivers/message/fusion/mptsas.c                    |   34 +-
 drivers/message/fusion/mptscsih.c                  |   19 +-
 drivers/message/i2o/i2o_proc.c                     |   51 +-
 drivers/message/i2o/iop.c                          |    8 +-
 drivers/mfd/janz-cmodio.c                          |    1 +
 drivers/mfd/twl4030-irq.c                          |    9 +-
 drivers/mfd/twl6030-irq.c                          |   10 +-
 drivers/misc/c2port/core.c                         |    4 +-
 drivers/misc/kgdbts.c                              |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c                 |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h                 |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                  |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                   |    8 +-
 drivers/misc/sgi-gru/grutables.h                   |  154 +-
 drivers/misc/sgi-xp/xp.h                           |    2 +-
 drivers/misc/sgi-xp/xpc.h                          |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                     |    4 +-
 drivers/mmc/core/mmc_ops.c                         |    2 +-
 drivers/mmc/host/dw_mmc.h                          |    2 +-
 drivers/mmc/host/sdhci-s3c.c                       |    8 +-
 drivers/mtd/nand/denali.c                          |    1 +
 drivers/mtd/nftlmount.c                            |    1 +
 drivers/mtd/sm_ftl.c                               |    2 +-
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/ethernet/8390/ax88796.c                |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h    |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c     |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h     |    3 +-
 drivers/net/ethernet/broadcom/tg3.h                |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h           |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c             |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c           |    2 +
 drivers/net/ethernet/faraday/ftmac100.c            |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c       |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c   |    7 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +-
 drivers/net/ethernet/realtek/r8169.c               |    8 +-
 drivers/net/ethernet/sfc/ptp.c                     |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c     |    4 +-
 drivers/net/hyperv/hyperv_net.h                    |    2 +-
 drivers/net/hyperv/rndis_filter.c                  |    4 +-
 drivers/net/ieee802154/fakehard.c                  |    2 +-
 drivers/net/macvlan.c                              |   18 +-
 drivers/net/macvtap.c                              |    2 +-
 drivers/net/ppp/ppp_generic.c                      |    4 +-
 drivers/net/slip/slhc.c                            |    2 +-
 drivers/net/team/team.c                            |    2 +-
 drivers/net/tun.c                                  |    5 +-
 drivers/net/usb/hso.c                              |   23 +-
 drivers/net/usb/sierra_net.c                       |    4 +-
 drivers/net/vxlan.c                                |    2 +-
 drivers/net/wimax/i2400m/rx.c                      |    2 +-
 drivers/net/wireless/at76c50x-usb.c                |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c        |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c        |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h                |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c           |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c         |   34 +-
 drivers/net/wireless/iwlwifi/dvm/main.c            |    3 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c          |    4 +-
 drivers/net/wireless/mac80211_hwsim.c              |   32 +-
 drivers/net/wireless/rndis_wlan.c                  |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h               |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c          |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c              |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c              |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c              |    6 +-
 drivers/oprofile/buffer_sync.c                     |    8 +-
 drivers/oprofile/event_buffer.c                    |    2 +-
 drivers/oprofile/oprof.c                           |    2 +-
 drivers/oprofile/oprofile_files.c                  |    2 +-
 drivers/oprofile/oprofile_stats.c                  |   10 +-
 drivers/oprofile/oprofile_stats.h                  |   10 +-
 drivers/oprofile/oprofilefs.c                      |    2 +-
 drivers/oprofile/timer_int.c                       |    2 +-
 drivers/parport/procfs.c                           |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                  |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c               |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c                |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c                 |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c             |    6 +-
 drivers/pci/hotplug/pciehp_core.c                  |    2 +-
 drivers/pci/pci-sysfs.c                            |    6 +-
 drivers/pci/pci.h                                  |    2 +-
 drivers/pci/pcie/aspm.c                            |    6 +-
 drivers/pci/probe.c                                |    2 +-
 drivers/platform/x86/chromeos_laptop.c             |    2 +-
 drivers/platform/x86/msi-laptop.c                  |   14 +-
 drivers/platform/x86/sony-laptop.c                 |    2 +-
 drivers/platform/x86/thinkpad_acpi.c               |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                    |   14 +-
 drivers/pnp/resource.c                             |    4 +-
 drivers/power/pda_power.c                          |    7 +-
 drivers/power/power_supply.h                       |    4 +-
 drivers/power/power_supply_core.c                  |    7 +-
 drivers/power/power_supply_sysfs.c                 |    6 +-
 drivers/regulator/core.c                           |    4 +-
 drivers/regulator/max8660.c                        |    6 +-
 drivers/regulator/max8973-regulator.c              |    8 +-
 drivers/regulator/mc13892-regulator.c              |    6 +-
 drivers/rtc/rtc-cmos.c                             |    4 +-
 drivers/rtc/rtc-ds1307.c                           |    2 +-
 drivers/rtc/rtc-m48t59.c                           |    4 +-
 drivers/scsi/bfa/bfa_fcpim.h                       |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                         |    4 +-
 drivers/scsi/fcoe/fcoe_sysfs.c                     |   12 +-
 drivers/scsi/hosts.c                               |    4 +-
 drivers/scsi/hpsa.c                                |   30 +-
 drivers/scsi/hpsa.h                                |    2 +-
 drivers/scsi/libfc/fc_exch.c                       |   50 +-
 drivers/scsi/libsas/sas_ata.c                      |    2 +-
 drivers/scsi/lpfc/lpfc.h                           |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                   |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                      |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                      |   16 +-
 drivers/scsi/pmcraid.c                             |   20 +-
 drivers/scsi/pmcraid.h                             |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                    |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                     |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                      |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                     |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                      |    6 +-
 drivers/scsi/scsi.c                                |    2 +-
 drivers/scsi/scsi_lib.c                            |    6 +-
 drivers/scsi/scsi_sysfs.c                          |    2 +-
 drivers/scsi/scsi_tgt_lib.c                        |    2 +-
 drivers/scsi/scsi_transport_fc.c                   |    8 +-
 drivers/scsi/scsi_transport_iscsi.c                |    6 +-
 drivers/scsi/scsi_transport_srp.c                  |    6 +-
 drivers/scsi/sd.c                                  |    2 +-
 drivers/scsi/sg.c                                  |    2 +-
 drivers/spi/spi.c                                  |    2 +-
 drivers/staging/android/timed_output.c             |    6 +-
 drivers/staging/media/solo6x10/solo6x10-core.c     |    2 +-
 drivers/staging/media/solo6x10/solo6x10-p2m.c      |    2 +-
 drivers/staging/media/solo6x10/solo6x10.h          |    2 +-
 drivers/staging/octeon/ethernet-rx.c               |   12 +-
 drivers/staging/octeon/ethernet.c                  |    8 +-
 drivers/staging/rtl8712/rtl871x_io.h               |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c                 |    2 +-
 drivers/staging/usbip/vhci.h                       |    2 +-
 drivers/staging/usbip/vhci_hcd.c                   |    6 +-
 drivers/staging/usbip/vhci_rx.c                    |    2 +-
 drivers/staging/vt6655/hostap.c                    |    7 +-
 drivers/staging/vt6656/hostap.c                    |    7 +-
 drivers/staging/zcache/tmem.h                      |    4 +-
 drivers/target/sbp/sbp_target.c                    |    4 +-
 drivers/target/target_core_device.c                |    2 +-
 drivers/target/target_core_transport.c             |    2 +-
 drivers/tty/cyclades.c                             |    6 +-
 drivers/tty/hvc/hvc_console.c                      |   14 +-
 drivers/tty/hvc/hvcs.c                             |   21 +-
 drivers/tty/hvc/hvsi.c                             |   12 +-
 drivers/tty/hvc/hvsi_lib.c                         |    6 +-
 drivers/tty/ipwireless/tty.c                       |   27 +-
 drivers/tty/moxa.c                                 |    2 +-
 drivers/tty/n_gsm.c                                |    4 +-
 drivers/tty/n_tty.c                                |    3 +-
 drivers/tty/pty.c                                  |    4 +-
 drivers/tty/rocket.c                               |    6 +-
 drivers/tty/serial/ioc4_serial.c                   |    6 +-
 drivers/tty/serial/kgdboc.c                        |   32 +-
 drivers/tty/serial/msm_serial.c                    |    4 +-
 drivers/tty/serial/samsung.c                       |    9 +-
 drivers/tty/serial/serial_core.c                   |    8 +-
 drivers/tty/synclink.c                             |   34 +-
 drivers/tty/synclink_gt.c                          |   28 +-
 drivers/tty/synclinkmp.c                           |   34 +-
 drivers/tty/tty_io.c                               |    2 +-
 drivers/tty/tty_ldisc.c                            |   10 +-
 drivers/tty/tty_port.c                             |   22 +-
 drivers/uio/uio.c                                  |   21 +-
 drivers/usb/atm/cxacru.c                           |    2 +-
 drivers/usb/atm/usbatm.c                           |   24 +-
 drivers/usb/core/devices.c                         |    6 +-
 drivers/usb/core/hcd.c                             |    4 +-
 drivers/usb/core/message.c                         |    2 +-
 drivers/usb/core/sysfs.c                           |    2 +-
 drivers/usb/core/usb.c                             |    2 +-
 drivers/usb/dwc3/gadget.c                          |    2 -
 drivers/usb/early/ehci-dbgp.c                      |   16 +-
 drivers/usb/gadget/u_serial.c                      |   22 +-
 drivers/usb/misc/appledisplay.c                    |    4 +-
 drivers/usb/serial/console.c                       |    6 +-
 drivers/usb/storage/usb.h                          |    2 +-
 drivers/usb/wusbcore/wa-hc.h                       |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                     |    2 +-
 drivers/vfio/vfio.c                                |    2 +-
 drivers/vhost/vringh.c                             |    2 +-
 drivers/video/aty/aty128fb.c                       |    2 +-
 drivers/video/aty/atyfb_base.c                     |    8 +-
 drivers/video/aty/mach64_cursor.c                  |    5 +-
 drivers/video/backlight/kb3886_bl.c                |    2 +-
 drivers/video/fb_defio.c                           |    6 +-
 drivers/video/fbcmap.c                             |    3 +-
 drivers/video/fbmem.c                              |    6 +-
 drivers/video/hyperv_fb.c                          |    4 +-
 drivers/video/i810/i810_accel.c                    |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c            |   16 +-
 drivers/video/nvidia/nvidia.c                      |   27 +-
 drivers/video/s1d13xxxfb.c                         |    6 +-
 drivers/video/smscufx.c                            |    4 +-
 drivers/video/udlfb.c                              |   36 +-
 drivers/video/uvesafb.c                            |   53 +-
 drivers/video/vesafb.c                             |   58 +-
 drivers/video/via/via_clock.h                      |    2 +-
 fs/9p/vfs_addr.c                                   |    2 +-
 fs/9p/vfs_inode.c                                  |    2 +-
 fs/Kconfig.binfmt                                  |    2 +-
 fs/afs/inode.c                                     |    4 +-
 fs/aio.c                                           |   12 +-
 fs/autofs4/waitq.c                                 |    2 +-
 fs/befs/endian.h                                   |    4 +-
 fs/befs/linuxvfs.c                                 |    2 +-
 fs/binfmt_aout.c                                   |   23 +-
 fs/binfmt_elf.c                                    |  648 ++-
 fs/binfmt_flat.c                                   |    6 +
 fs/bio.c                                           |    6 +-
 fs/block_dev.c                                     |    2 +-
 fs/btrfs/ctree.c                                   |    9 +-
 fs/btrfs/delayed-inode.c                           |    6 +-
 fs/btrfs/delayed-inode.h                           |    4 +-
 fs/btrfs/super.c                                   |    2 +-
 fs/buffer.c                                        |    2 +-
 fs/cachefiles/bind.c                               |    6 +-
 fs/cachefiles/daemon.c                             |    8 +-
 fs/cachefiles/internal.h                           |   12 +-
 fs/cachefiles/namei.c                              |    2 +-
 fs/cachefiles/proc.c                               |   12 +-
 fs/cachefiles/rdwr.c                               |    2 +-
 fs/ceph/dir.c                                      |    2 +-
 fs/ceph/super.c                                    |    4 +-
 fs/cifs/cifs_debug.c                               |   12 +-
 fs/cifs/cifsfs.c                                   |    8 +-
 fs/cifs/cifsglob.h                                 |   54 +-
 fs/cifs/link.c                                     |    2 +-
 fs/cifs/misc.c                                     |    4 +-
 fs/cifs/smb1ops.c                                  |   80 +-
 fs/cifs/smb2ops.c                                  |   84 +-
 fs/cifs/smb2pdu.c                                  |    3 +-
 fs/coda/cache.c                                    |   10 +-
 fs/compat.c                                        |    4 +-
 fs/compat_binfmt_elf.c                             |    2 +
 fs/compat_ioctl.c                                  |   12 +-
 fs/configfs/dir.c                                  |   10 +-
 fs/coredump.c                                      |   18 +-
 fs/dcache.c                                        |    3 +-
 fs/ecryptfs/inode.c                                |    4 +-
 fs/ecryptfs/miscdev.c                              |    2 +-
 fs/exec.c                                          |  362 +-
 fs/ext4/ext4.h                                     |   20 +-
 fs/ext4/mballoc.c                                  |   44 +-
 fs/ext4/mmp.c                                      |    2 +-
 fs/ext4/super.c                                    |    4 +-
 fs/fhandle.c                                       |    3 +-
 fs/fs_struct.c                                     |    8 +-
 fs/fscache/cookie.c                                |   38 +-
 fs/fscache/internal.h                              |  196 +-
 fs/fscache/object.c                                |   26 +-
 fs/fscache/operation.c                             |   30 +-
 fs/fscache/page.c                                  |  110 +-
 fs/fscache/stats.c                                 |  344 +-
 fs/fuse/cuse.c                                     |   10 +-
 fs/fuse/dev.c                                      |    4 +-
 fs/fuse/dir.c                                      |    2 +-
 fs/gfs2/inode.c                                    |    2 +-
 fs/hugetlbfs/inode.c                               |   13 +-
 fs/inode.c                                         |    4 +-
 fs/jffs2/erase.c                                   |    3 +-
 fs/jffs2/wbuf.c                                    |    3 +-
 fs/jfs/super.c                                     |    2 +-
 fs/libfs.c                                         |   10 +-
 fs/lockd/clntproc.c                                |    4 +-
 fs/locks.c                                         |    8 +-
 fs/namei.c                                         |   15 +-
 fs/namespace.c                                     |   16 +-
 fs/nfs/callback_xdr.c                              |    2 +-
 fs/nfs/inode.c                                     |    6 +-
 fs/nfsd/nfs4proc.c                                 |    2 +-
 fs/nfsd/nfs4xdr.c                                  |    6 +-
 fs/nfsd/nfscache.c                                 |    9 +-
 fs/nfsd/vfs.c                                      |    6 +-
 fs/nls/nls_base.c                                  |   18 +-
 fs/nls/nls_euc-jp.c                                |    6 +-
 fs/nls/nls_koi8-ru.c                               |    6 +-
 fs/notify/fanotify/fanotify_user.c                 |    4 +-
 fs/notify/notification.c                           |    4 +-
 fs/ntfs/dir.c                                      |    2 +-
 fs/ntfs/file.c                                     |    6 +-
 fs/ntfs/super.c                                    |    6 +-
 fs/ocfs2/localalloc.c                              |    2 +-
 fs/ocfs2/ocfs2.h                                   |   10 +-
 fs/ocfs2/suballoc.c                                |   12 +-
 fs/ocfs2/super.c                                   |   20 +-
 fs/pipe.c                                          |   61 +-
 fs/proc/array.c                                    |   20 +
 fs/proc/base.c                                     |    4 +-
 fs/proc/kcore.c                                    |   32 +-
 fs/proc/meminfo.c                                  |    2 +-
 fs/proc/nommu.c                                    |    2 +-
 fs/proc/proc_sysctl.c                              |   18 +-
 fs/proc/self.c                                     |    2 +-
 fs/proc/task_mmu.c                                 |   39 +-
 fs/proc/task_nommu.c                               |    4 +-
 fs/proc/vmcore.c                                   |   12 +-
 fs/qnx6/qnx6.h                                     |    4 +-
 fs/quota/netlink.c                                 |    4 +-
 fs/read_write.c                                    |    2 +-
 fs/reiserfs/do_balan.c                             |    2 +-
 fs/reiserfs/procfs.c                               |    2 +-
 fs/reiserfs/reiserfs.h                             |    4 +-
 fs/seq_file.c                                      |    2 +-
 fs/splice.c                                        |   41 +-
 fs/sysfs/bin.c                                     |    6 +-
 fs/sysfs/dir.c                                     |    2 +-
 fs/sysfs/file.c                                    |   10 +-
 fs/sysfs/symlink.c                                 |    2 +-
 fs/sysv/sysv.h                                     |    2 +-
 fs/ubifs/io.c                                      |    2 +-
 fs/udf/misc.c                                      |    2 +-
 fs/ufs/swab.h                                      |    4 +-
 fs/xattr.c                                         |   21 +
 fs/xattr_acl.c                                     |    4 +-
 fs/xfs/xfs_bmap.c                                  |    2 +-
 fs/xfs/xfs_dir2_sf.c                               |    7 +-
 fs/xfs/xfs_ioctl.c                                 |    2 +-
 fs/xfs/xfs_iops.c                                  |    2 +-
 include/asm-generic/4level-fixup.h                 |    2 +
 include/asm-generic/atomic-long.h                  |  210 +
 include/asm-generic/atomic.h                       |    2 +-
 include/asm-generic/atomic64.h                     |   12 +
 include/asm-generic/cache.h                        |    4 +-
 include/asm-generic/emergency-restart.h            |    2 +-
 include/asm-generic/kmap_types.h                   |    4 +-
 include/asm-generic/local.h                        |   13 +
 include/asm-generic/pgtable-nopmd.h                |   18 +-
 include/asm-generic/pgtable-nopud.h                |   15 +-
 include/asm-generic/pgtable.h                      |   16 +
 include/asm-generic/uaccess.h                      |   16 +
 include/asm-generic/vmlinux.lds.h                  |   10 +-
 include/crypto/algapi.h                            |    2 +-
 include/drm/drmP.h                                 |   17 +-
 include/drm/drm_crtc_helper.h                      |    2 +-
 include/drm/ttm/ttm_memory.h                       |    2 +-
 include/keys/asymmetric-subtype.h                  |    2 +-
 include/linux/atmdev.h                             |    4 +-
 include/linux/binfmts.h                            |    3 +-
 include/linux/blkdev.h                             |    2 +-
 include/linux/blktrace_api.h                       |    2 +-
 include/linux/cache.h                              |    4 +
 include/linux/cdrom.h                              |    1 -
 include/linux/cleancache.h                         |    2 +-
 include/linux/clk-provider.h                       |    1 +
 include/linux/compat.h                             |    5 +-
 include/linux/compiler-gcc4.h                      |   20 +
 include/linux/compiler.h                           |   65 +-
 include/linux/completion.h                         |    6 +-
 include/linux/configfs.h                           |    2 +-
 include/linux/cpufreq.h                            |    3 +-
 include/linux/cpuidle.h                            |    5 +-
 include/linux/cpumask.h                            |   12 +-
 include/linux/crypto.h                             |    6 +-
 include/linux/ctype.h                              |    2 +-
 include/linux/decompress/mm.h                      |    2 +-
 include/linux/devfreq.h                            |    2 +-
 include/linux/device.h                             |    7 +-
 include/linux/dma-mapping.h                        |    2 +-
 include/linux/dmaengine.h                          |    4 +-
 include/linux/efi.h                                |    1 +
 include/linux/elf.h                                |    2 +
 include/linux/err.h                                |    4 +-
 include/linux/extcon.h                             |    2 +-
 include/linux/fb.h                                 |    2 +-
 include/linux/fdtable.h                            |    2 +-
 include/linux/filter.h                             |    4 +
 include/linux/frontswap.h                          |    2 +-
 include/linux/fs.h                                 |    3 +-
 include/linux/fs_struct.h                          |    2 +-
 include/linux/fscache-cache.h                      |    4 +-
 include/linux/fscache.h                            |    2 +-
 include/linux/fsnotify.h                           |    2 +-
 include/linux/genhd.h                              |    2 +-
 include/linux/genl_magic_func.h                    |    2 +-
 include/linux/gfp.h                                |   12 +-
 include/linux/highmem.h                            |   12 +
 include/linux/hwmon-sysfs.h                        |    5 +-
 include/linux/i2c.h                                |    1 +
 include/linux/i2o.h                                |    2 +-
 include/linux/if_pppox.h                           |    2 +-
 include/linux/init.h                               |   17 +-
 include/linux/init_task.h                          |    7 +
 include/linux/interrupt.h                          |    8 +-
 include/linux/iommu.h                              |    2 +-
 include/linux/ioport.h                             |    2 +-
 include/linux/irq.h                                |    3 +-
 include/linux/irqchip/arm-gic.h                    |    4 +-
 include/linux/key-type.h                           |    2 +-
 include/linux/kgdb.h                               |    6 +-
 include/linux/kobject.h                            |    3 +-
 include/linux/kobject_ns.h                         |    2 +-
 include/linux/kref.h                               |    2 +-
 include/linux/kvm_host.h                           |    4 +-
 include/linux/libata.h                             |    2 +-
 include/linux/linkage.h                            |    1 +
 include/linux/list.h                               |   15 +
 include/linux/math64.h                             |    8 +-
 include/linux/mm.h                                 |  116 +-
 include/linux/mm_types.h                           |   20 +
 include/linux/mmiotrace.h                          |    4 +-
 include/linux/mmzone.h                             |    2 +-
 include/linux/mod_devicetable.h                    |    6 +-
 include/linux/module.h                             |   60 +-
 include/linux/moduleloader.h                       |   16 +
 include/linux/moduleparam.h                        |    4 +-
 include/linux/namei.h                              |    6 +-
 include/linux/net.h                                |    2 +-
 include/linux/netdevice.h                          |    3 +-
 include/linux/netfilter.h                          |    2 +-
 include/linux/netfilter/ipset/ip_set.h             |    2 +-
 include/linux/netfilter/nfnetlink.h                |    2 +-
 include/linux/nls.h                                |    2 +-
 include/linux/notifier.h                           |    3 +-
 include/linux/oprofile.h                           |    4 +-
 include/linux/pci_hotplug.h                        |    3 +-
 include/linux/perf_event.h                         |   10 +-
 include/linux/pipe_fs_i.h                          |    8 +-
 include/linux/platform_data/usb-ehci-s5p.h         |    2 +-
 include/linux/platform_data/usb-ohci-exynos.h      |    2 +-
 include/linux/pm_domain.h                          |    2 +-
 include/linux/pm_runtime.h                         |    2 +-
 include/linux/pnp.h                                |    2 +-
 include/linux/poison.h                             |    4 +-
 include/linux/power/smartreflex.h                  |    2 +-
 include/linux/ppp-comp.h                           |    2 +-
 include/linux/preempt.h                            |   19 +
 include/linux/proc_ns.h                            |    2 +-
 include/linux/random.h                             |   15 +
 include/linux/rculist.h                            |   16 +
 include/linux/reboot.h                             |   14 +-
 include/linux/regset.h                             |    3 +-
 include/linux/relay.h                              |    2 +-
 include/linux/rio.h                                |    2 +-
 include/linux/rmap.h                               |    4 +-
 include/linux/sched.h                              |   67 +-
 include/linux/sched/sysctl.h                       |    1 +
 include/linux/security.h                           |    2 +-
 include/linux/seq_file.h                           |    1 +
 include/linux/signal.h                             |    1 +
 include/linux/skbuff.h                             |   12 +-
 include/linux/slab.h                               |   48 +-
 include/linux/slab_def.h                           |   32 +-
 include/linux/slob_def.h                           |    4 +-
 include/linux/slub_def.h                           |    8 +-
 include/linux/smp.h                                |    2 +
 include/linux/sock_diag.h                          |    2 +-
 include/linux/sonet.h                              |    2 +-
 include/linux/sunrpc/addr.h                        |    8 +-
 include/linux/sunrpc/clnt.h                        |    2 +-
 include/linux/sunrpc/svc.h                         |    2 +-
 include/linux/sunrpc/svc_rdma.h                    |   18 +-
 include/linux/sunrpc/svcauth.h                     |    2 +-
 include/linux/swiotlb.h                            |    3 +-
 include/linux/syscalls.h                           |   18 +-
 include/linux/syscore_ops.h                        |    2 +-
 include/linux/sysctl.h                             |    6 +-
 include/linux/sysfs.h                              |    9 +-
 include/linux/sysrq.h                              |    3 +-
 include/linux/thread_info.h                        |    7 +
 include/linux/tty.h                                |    4 +-
 include/linux/tty_driver.h                         |    2 +-
 include/linux/tty_ldisc.h                          |    2 +-
 include/linux/types.h                              |   16 +
 include/linux/uaccess.h                            |    6 +-
 include/linux/unaligned/access_ok.h                |   24 +-
 include/linux/usb.h                                |    4 +-
 include/linux/usb/renesas_usbhs.h                  |    2 +-
 include/linux/vermagic.h                           |   21 +-
 include/linux/vmalloc.h                            |   11 +-
 include/linux/vmstat.h                             |   20 +-
 include/linux/xattr.h                              |    5 +-
 include/linux/zlib.h                               |    3 +-
 include/media/v4l2-dev.h                           |    2 +-
 include/media/v4l2-device.h                        |    2 +-
 include/net/9p/transport.h                         |    2 +-
 include/net/bluetooth/l2cap.h                      |    2 +-
 include/net/caif/cfctrl.h                          |    6 +-
 include/net/flow.h                                 |    2 +-
 include/net/genetlink.h                            |    2 +-
 include/net/gro_cells.h                            |    2 +-
 include/net/inet_connection_sock.h                 |    2 +-
 include/net/inetpeer.h                             |   17 +-
 include/net/ip.h                                   |    2 +-
 include/net/ip_fib.h                               |    2 +-
 include/net/ip_vs.h                                |    8 +-
 include/net/irda/ircomm_tty.h                      |    1 +
 include/net/iucv/af_iucv.h                         |    2 +-
 include/net/llc_c_ac.h                             |    2 +-
 include/net/llc_c_ev.h                             |    4 +-
 include/net/llc_c_st.h                             |    2 +-
 include/net/llc_s_ac.h                             |    2 +-
 include/net/llc_s_st.h                             |    2 +-
 include/net/mac80211.h                             |    2 +-
 include/net/neighbour.h                            |    2 +-
 include/net/net_namespace.h                        |   18 +-
 include/net/netdma.h                               |    2 +-
 include/net/netlink.h                              |    2 +-
 include/net/netns/conntrack.h                      |    6 +-
 include/net/netns/ipv4.h                           |    2 +-
 include/net/netns/ipv6.h                           |    2 +-
 include/net/ping.h                                 |    2 +-
 include/net/protocol.h                             |    4 +-
 include/net/rtnetlink.h                            |    2 +-
 include/net/sctp/sm.h                              |    4 +-
 include/net/sctp/structs.h                         |    2 +-
 include/net/sock.h                                 |    6 +-
 include/net/tcp.h                                  |    8 +-
 include/net/xfrm.h                                 |    8 +-
 include/rdma/iw_cm.h                               |    2 +-
 include/scsi/libfc.h                               |    3 +-
 include/scsi/scsi_device.h                         |    6 +-
 include/scsi/scsi_transport_fc.h                   |    3 +-
 include/sound/compress_driver.h                    |    2 +-
 include/sound/soc.h                                |    4 +-
 include/target/target_core_base.h                  |    2 +-
 include/trace/events/irq.h                         |    4 +-
 include/uapi/linux/a.out.h                         |    8 +
 include/uapi/linux/byteorder/little_endian.h       |   28 +-
 include/uapi/linux/elf.h                           |   28 +
 include/uapi/linux/screen_info.h                   |    3 +-
 include/uapi/linux/swab.h                          |    6 +-
 include/uapi/linux/sysctl.h                        |    6 +-
 include/uapi/linux/xattr.h                         |    4 +
 include/video/udlfb.h                              |    8 +-
 include/video/uvesafb.h                            |    1 +
 init/Kconfig                                       |    2 +-
 init/Makefile                                      |    3 +
 init/do_mounts.c                                   |   14 +-
 init/do_mounts.h                                   |    8 +-
 init/do_mounts_initrd.c                            |   30 +-
 init/do_mounts_md.c                                |    6 +-
 init/init_task.c                                   |    4 +
 init/initramfs.c                                   |   42 +-
 init/main.c                                        |   84 +-
 ipc/ipc_sysctl.c                                   |   10 +-
 ipc/mq_sysctl.c                                    |    2 +-
 ipc/msg.c                                          |   11 +-
 ipc/sem.c                                          |   11 +-
 ipc/shm.c                                          |   17 +-
 kernel/acct.c                                      |    2 +-
 kernel/audit.c                                     |    8 +-
 kernel/auditsc.c                                   |    4 +-
 kernel/capability.c                                |    3 +
 kernel/compat.c                                    |   38 +-
 kernel/debug/debug_core.c                          |   16 +-
 kernel/debug/kdb/kdb_main.c                        |    4 +-
 kernel/events/core.c                               |   30 +-
 kernel/events/internal.h                           |   12 +-
 kernel/events/uprobes.c                            |    2 +-
 kernel/exit.c                                      |    4 +-
 kernel/fork.c                                      |  170 +-
 kernel/futex.c                                     |   11 +-
 kernel/futex_compat.c                              |    2 +-
 kernel/gcov/base.c                                 |    7 +-
 kernel/hrtimer.c                                   |    2 +-
 kernel/irq_work.c                                  |    7 +-
 kernel/jump_label.c                                |    5 +
 kernel/kallsyms.c                                  |   39 +-
 kernel/kexec.c                                     |    3 +-
 kernel/kmod.c                                      |    4 +-
 kernel/kprobes.c                                   |    8 +-
 kernel/ksysfs.c                                    |    2 +-
 kernel/lockdep.c                                   |    7 +-
 kernel/module.c                                    |  337 +-
 kernel/mutex-debug.c                               |   12 +-
 kernel/mutex-debug.h                               |    4 +-
 kernel/mutex.c                                     |   10 +-
 kernel/notifier.c                                  |   17 +-
 kernel/panic.c                                     |    3 +-
 kernel/pid.c                                       |    2 +-
 kernel/pid_namespace.c                             |    2 +-
 kernel/posix-cpu-timers.c                          |    4 +-
 kernel/posix-timers.c                              |   24 +-
 kernel/power/process.c                             |   12 +-
 kernel/profile.c                                   |   14 +-
 kernel/ptrace.c                                    |    8 +-
 kernel/rcupdate.c                                  |    4 +-
 kernel/rcutiny.c                                   |    4 +-
 kernel/rcutorture.c                                |   56 +-
 kernel/rcutree.c                                   |   74 +-
 kernel/rcutree.h                                   |   24 +-
 kernel/rcutree_plugin.h                            |   20 +-
 kernel/rcutree_trace.c                             |   22 +-
 kernel/rtmutex-tester.c                            |   24 +-
 kernel/sched/auto_group.c                          |    4 +-
 kernel/sched/core.c                                |   49 +-
 kernel/sched/fair.c                                |    4 +-
 kernel/sched/sched.h                               |    2 +-
 kernel/signal.c                                    |   32 +-
 kernel/smpboot.c                                   |    4 +-
 kernel/softirq.c                                   |   14 +-
 kernel/srcu.c                                      |    4 +-
 kernel/sys.c                                       |   10 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/time.c                                      |    2 +-
 kernel/time/alarmtimer.c                           |    2 +-
 kernel/time/timer_stats.c                          |   10 +-
 kernel/timer.c                                     |    4 +-
 kernel/trace/blktrace.c                            |    6 +-
 kernel/trace/ftrace.c                              |   18 +-
 kernel/trace/ring_buffer.c                         |   76 +-
 kernel/trace/trace.c                               |    2 +-
 kernel/trace/trace.h                               |    2 +-
 kernel/trace/trace_clock.c                         |    4 +-
 kernel/trace/trace_events.c                        |   25 +-
 kernel/trace/trace_mmiotrace.c                     |    8 +-
 kernel/trace/trace_output.c                        |   12 +-
 kernel/trace/trace_stack.c                         |    2 +-
 kernel/user_namespace.c                            |    2 +-
 kernel/utsname_sysctl.c                            |    2 +-
 kernel/watchdog.c                                  |    2 +-
 kernel/workqueue.c                                 |    2 +-
 lib/Kconfig.debug                                  |    8 +-
 lib/Makefile                                       |    2 +-
 lib/bitmap.c                                       |    8 +-
 lib/bug.c                                          |    2 +
 lib/debugobjects.c                                 |    2 +-
 lib/devres.c                                       |    4 +-
 lib/div64.c                                        |    4 +-
 lib/dma-debug.c                                    |    4 +-
 lib/inflate.c                                      |    2 +-
 lib/ioremap.c                                      |    4 +-
 lib/kobject.c                                      |    4 +-
 lib/list_debug.c                                   |  126 +-
 lib/radix-tree.c                                   |    2 +-
 lib/strncpy_from_user.c                            |    2 +-
 lib/strnlen_user.c                                 |    2 +-
 lib/swiotlb.c                                      |    2 +-
 lib/usercopy.c                                     |    6 +
 lib/vsprintf.c                                     |   12 +-
 mm/Kconfig                                         |    6 +-
 mm/backing-dev.c                                   |    4 +-
 mm/filemap.c                                       |   10 +-
 mm/fremap.c                                        |    5 +
 mm/highmem.c                                       |    7 +-
 mm/hugetlb.c                                       |   70 +-
 mm/internal.h                                      |    3 +-
 mm/maccess.c                                       |    4 +-
 mm/madvise.c                                       |   41 +
 mm/memory-failure.c                                |   26 +-
 mm/memory.c                                        |  424 ++-
 mm/mempolicy.c                                     |   25 +
 mm/mlock.c                                         |   15 +-
 mm/mmap.c                                          |  588 ++-
 mm/mprotect.c                                      |  139 +-
 mm/mremap.c                                        |   44 +-
 mm/nommu.c                                         |   21 +-
 mm/page-writeback.c                                |    2 +-
 mm/page_alloc.c                                    |   41 +-
 mm/page_io.c                                       |    2 +-
 mm/percpu.c                                        |    2 +-
 mm/process_vm_access.c                             |   14 +-
 mm/rmap.c                                          |   44 +-
 mm/shmem.c                                         |   19 +-
 mm/slab.c                                          |  108 +-
 mm/slab.h                                          |   15 +-
 mm/slab_common.c                                   |   60 +-
 mm/slob.c                                          |  206 +-
 mm/slub.c                                          |   88 +-
 mm/sparse-vmemmap.c                                |    4 +-
 mm/sparse.c                                        |    2 +-
 mm/swap.c                                          |    3 +
 mm/swapfile.c                                      |   12 +-
 mm/util.c                                          |    6 +
 mm/vmalloc.c                                       |   77 +-
 mm/vmstat.c                                        |   10 +-
 net/8021q/vlan.c                                   |    5 +-
 net/9p/mod.c                                       |    4 +-
 net/9p/trans_fd.c                                  |    2 +-
 net/atm/atm_misc.c                                 |    8 +-
 net/atm/lec.h                                      |    2 +-
 net/atm/proc.c                                     |    6 +-
 net/atm/resources.c                                |    4 +-
 net/ax25/sysctl_net_ax25.c                         |    2 +-
 net/batman-adv/bat_iv_ogm.c                        |    8 +-
 net/batman-adv/hard-interface.c                    |    2 +-
 net/batman-adv/soft-interface.c                    |    4 +-
 net/batman-adv/types.h                             |    6 +-
 net/batman-adv/unicast.c                           |    2 +-
 net/bluetooth/hci_sock.c                           |    2 +-
 net/bluetooth/l2cap_core.c                         |    6 +-
 net/bluetooth/l2cap_sock.c                         |   12 +-
 net/bluetooth/rfcomm/sock.c                        |    4 +-
 net/bluetooth/rfcomm/tty.c                         |   10 +-
 net/bridge/netfilter/ebtables.c                    |    6 +-
 net/caif/cfctrl.c                                  |   11 +-
 net/can/af_can.c                                   |    2 +-
 net/can/gw.c                                       |    6 +-
 net/ceph/messenger.c                               |    4 +-
 net/compat.c                                       |   34 +-
 net/core/datagram.c                                |    2 +-
 net/core/dev.c                                     |   16 +-
 net/core/flow.c                                    |    8 +-
 net/core/iovec.c                                   |    4 +-
 net/core/neighbour.c                               |    2 +-
 net/core/net-sysfs.c                               |    2 +-
 net/core/net_namespace.c                           |    8 +-
 net/core/netpoll.c                                 |    4 +-
 net/core/rtnetlink.c                               |   13 +-
 net/core/scm.c                                     |    8 +-
 net/core/skbuff.c                                  |    6 +-
 net/core/sock.c                                    |   24 +-
 net/core/sock_diag.c                               |    9 +-
 net/core/sysctl_net_core.c                         |   18 +-
 net/decnet/af_decnet.c                             |    1 +
 net/decnet/sysctl_net_decnet.c                     |    4 +-
 net/ieee802154/6lowpan.c                           |    2 +-
 net/ipv4/af_inet.c                                 |    8 +-
 net/ipv4/devinet.c                                 |   18 +-
 net/ipv4/fib_frontend.c                            |    6 +-
 net/ipv4/fib_semantics.c                           |    2 +-
 net/ipv4/inet_connection_sock.c                    |    2 +-
 net/ipv4/inetpeer.c                                |    4 +-
 net/ipv4/ip_fragment.c                             |   15 +-
 net/ipv4/ip_gre.c                                  |    6 +-
 net/ipv4/ip_sockglue.c                             |    2 +-
 net/ipv4/ip_vti.c                                  |    4 +-
 net/ipv4/ipconfig.c                                |    6 +-
 net/ipv4/ipip.c                                    |    4 +-
 net/ipv4/netfilter/arp_tables.c                    |   12 +-
 net/ipv4/netfilter/ip_tables.c                     |   12 +-
 net/ipv4/ping.c                                    |   14 +-
 net/ipv4/raw.c                                     |   14 +-
 net/ipv4/route.c                                   |   20 +-
 net/ipv4/sysctl_net_ipv4.c                         |   45 +-
 net/ipv4/tcp_input.c                               |    2 +-
 net/ipv4/tcp_probe.c                               |    2 +-
 net/ipv4/udp.c                                     |   10 +-
 net/ipv4/xfrm4_policy.c                            |   14 +-
 net/ipv6/addrconf.c                                |   12 +-
 net/ipv6/datagram.c                                |    2 +-
 net/ipv6/icmp.c                                    |    2 +-
 net/ipv6/ip6_gre.c                                 |    8 +-
 net/ipv6/ip6_tunnel.c                              |    4 +-
 net/ipv6/ipv6_sockglue.c                           |    2 +-
 net/ipv6/netfilter/ip6_tables.c                    |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   14 +-
 net/ipv6/output_core.c                             |   15 +-
 net/ipv6/ping.c                                    |   28 +-
 net/ipv6/raw.c                                     |   19 +-
 net/ipv6/reassembly.c                              |   13 +-
 net/ipv6/route.c                                   |    2 +-
 net/ipv6/sit.c                                     |    4 +-
 net/ipv6/sysctl_net_ipv6.c                         |    2 +-
 net/ipv6/udp.c                                     |    6 +-
 net/ipv6/xfrm6_policy.c                            |   13 +-
 net/irda/ircomm/ircomm_tty.c                       |   18 +-
 net/iucv/af_iucv.c                                 |    4 +-
 net/iucv/iucv.c                                    |    2 +-
 net/key/af_key.c                                   |    4 +-
 net/mac80211/cfg.c                                 |    8 +-
 net/mac80211/ieee80211_i.h                         |    3 +-
 net/mac80211/iface.c                               |   16 +-
 net/mac80211/main.c                                |    2 +-
 net/mac80211/pm.c                                  |    6 +-
 net/mac80211/rate.c                                |    2 +-
 net/mac80211/rc80211_pid_debugfs.c                 |    2 +-
 net/mac80211/util.c                                |    4 +-
 net/netfilter/ipset/ip_set_core.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                    |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                    |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                   |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                    |    4 +-
 net/netfilter/nf_conntrack_acct.c                  |    2 +-
 net/netfilter/nf_conntrack_ecache.c                |    2 +-
 net/netfilter/nf_conntrack_helper.c                |    2 +-
 net/netfilter/nf_conntrack_proto.c                 |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c            |   10 +-
 net/netfilter/nf_conntrack_standalone.c            |    2 +-
 net/netfilter/nf_conntrack_timestamp.c             |    2 +-
 net/netfilter/nf_log.c                             |   10 +-
 net/netfilter/nf_sockopt.c                         |    4 +-
 net/netfilter/nfnetlink_log.c                      |    4 +-
 net/netfilter/xt_statistic.c                       |    8 +-
 net/netlink/af_netlink.c                           |    4 +-
 net/netlink/genetlink.c                            |   16 +-
 net/packet/af_packet.c                             |   12 +-
 net/phonet/pep.c                                   |    6 +-
 net/phonet/socket.c                                |    2 +-
 net/phonet/sysctl.c                                |    2 +-
 net/rds/cong.c                                     |    6 +-
 net/rds/ib.h                                       |    2 +-
 net/rds/ib_cm.c                                    |    2 +-
 net/rds/ib_recv.c                                  |    4 +-
 net/rds/iw.h                                       |    2 +-
 net/rds/iw_cm.c                                    |    2 +-
 net/rds/iw_recv.c                                  |    4 +-
 net/rds/rds.h                                      |    2 +-
 net/rds/tcp.c                                      |    2 +-
 net/rds/tcp_send.c                                 |    2 +-
 net/rxrpc/af_rxrpc.c                               |    2 +-
 net/rxrpc/ar-ack.c                                 |   14 +-
 net/rxrpc/ar-call.c                                |    2 +-
 net/rxrpc/ar-connection.c                          |    2 +-
 net/rxrpc/ar-connevent.c                           |    2 +-
 net/rxrpc/ar-input.c                               |    4 +-
 net/rxrpc/ar-internal.h                            |    8 +-
 net/rxrpc/ar-local.c                               |    2 +-
 net/rxrpc/ar-output.c                              |    4 +-
 net/rxrpc/ar-peer.c                                |    2 +-
 net/rxrpc/ar-proc.c                                |    4 +-
 net/rxrpc/ar-transport.c                           |    2 +-
 net/rxrpc/rxkad.c                                  |    4 +-
 net/sctp/ipv6.c                                    |    6 +-
 net/sctp/protocol.c                                |   10 +-
 net/sctp/sm_sideeffect.c                           |    2 +-
 net/sctp/socket.c                                  |   21 +-
 net/sctp/sysctl.c                                  |    4 +-
 net/socket.c                                       |   18 +-
 net/sunrpc/auth_gss/svcauth_gss.c                  |    4 +-
 net/sunrpc/clnt.c                                  |    4 +-
 net/sunrpc/sched.c                                 |    4 +-
 net/sunrpc/svc.c                                   |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                     |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c            |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c              |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c           |   10 +-
 net/tipc/link.c                                    |    4 +-
 net/tipc/msg.c                                     |    2 +-
 net/tipc/subscr.c                                  |    2 +-
 net/unix/sysctl_net_unix.c                         |    2 +-
 net/wireless/wext-core.c                           |   19 +-
 net/xfrm/xfrm_policy.c                             |   27 +-
 net/xfrm/xfrm_state.c                              |   33 +-
 net/xfrm/xfrm_sysctl.c                             |    2 +-
 scripts/Makefile.build                             |    2 +-
 scripts/Makefile.clean                             |    3 +-
 scripts/Makefile.host                              |   28 +-
 scripts/basic/fixdep.c                             |   12 +-
 scripts/gcc-plugin.sh                              |   17 +
 scripts/headers_install.sh                         |    1 +
 scripts/link-vmlinux.sh                            |    2 +-
 scripts/mod/file2alias.c                           |   14 +-
 scripts/mod/modpost.c                              |   25 +-
 scripts/mod/modpost.h                              |    6 +-
 scripts/mod/sumversion.c                           |    2 +-
 scripts/package/builddeb                           |    1 +
 scripts/pnmtologo.c                                |    6 +-
 scripts/sortextable.h                              |    6 +-
 security/Kconfig                                   |  690 +++-
 security/apparmor/lsm.c                            |    2 +-
 security/integrity/ima/ima.h                       |    4 +-
 security/integrity/ima/ima_api.c                   |    2 +-
 security/integrity/ima/ima_fs.c                    |    4 +-
 security/integrity/ima/ima_queue.c                 |    2 +-
 security/keys/compat.c                             |    2 +-
 security/keys/internal.h                           |    2 +-
 security/keys/key.c                                |   18 +-
 security/keys/keyctl.c                             |    8 +-
 security/keys/keyring.c                            |    6 +-
 security/security.c                                |   12 +-
 security/selinux/avc.c                             |    6 +-
 security/selinux/hooks.c                           |    6 +-
 security/selinux/include/xfrm.h                    |    2 +-
 security/smack/smack_lsm.c                         |    2 +-
 security/tomoyo/tomoyo.c                           |    2 +-
 security/yama/yama_lsm.c                           |   22 +-
 sound/aoa/codecs/onyx.c                            |    7 +-
 sound/aoa/codecs/onyx.h                            |    1 +
 sound/core/oss/pcm_oss.c                           |   18 +-
 sound/core/pcm_compat.c                            |    2 +-
 sound/core/pcm_native.c                            |    4 +-
 sound/core/seq/seq_device.c                        |    8 +-
 sound/core/sound.c                                 |    2 +-
 sound/drivers/mts64.c                              |   14 +-
 sound/drivers/opl4/opl4_lib.c                      |    2 +-
 sound/drivers/portman2x4.c                         |    3 +-
 sound/firewire/amdtp.c                             |    4 +-
 sound/firewire/amdtp.h                             |    2 +-
 sound/firewire/isight.c                            |   10 +-
 sound/firewire/scs1x.c                             |    8 +-
 sound/oss/sb_audio.c                               |    2 +-
 sound/oss/swarm_cs4297a.c                          |    6 +-
 sound/pci/hda/hda_codec.c                          |    8 +-
 sound/pci/ymfpci/ymfpci.h                          |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                     |   12 +-
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 tools/gcc/.gitignore                               |    1 +
 tools/gcc/Makefile                                 |   45 +
 tools/gcc/checker_plugin.c                         |  172 +
 tools/gcc/colorize_plugin.c                        |  151 +
 tools/gcc/constify_plugin.c                        |  560 ++
 tools/gcc/generate_size_overflow_hash.sh           |   94 +
 tools/gcc/kallocstat_plugin.c                      |  170 +
 tools/gcc/kernexec_plugin.c                        |  471 ++
 tools/gcc/latent_entropy_plugin.c                  |  321 +
 tools/gcc/size_overflow_hash.data                  | 6350 ++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                   | 2113 +++++++
 tools/gcc/stackleak_plugin.c                       |  327 +
 tools/gcc/structleak_plugin.c                      |  277 +
 tools/lib/lk/Makefile                              |    2 +-
 tools/perf/util/include/asm/alternative-asm.h      |    3 +
 tools/perf/util/include/linux/compiler.h           |    8 +
 virt/kvm/kvm_main.c                                |   32 +-
 1664 files changed, 32957 insertions(+), 7636 deletions(-)
commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
Merge: c3ccfb2 777e08c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:49:04 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:47:32 2013 -0400

    Update to pax-linux-3.10.11-test26.patch:
    - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
    - fixed an uninitialized read in splice, reported by hunger

 fs/splice.c                       |    1 +
 include/linux/syscalls.h          |   14 +-
 tools/gcc/size_overflow_hash.data |  426 +++++++++++++++++++++----------------
 3 files changed, 247 insertions(+), 194 deletions(-)

commit 5c3161364270c842d901789faac731f79a9f9cd6
Merge: cf9c476 85cdabb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:24:25 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit c3ccfb29794a03413095422100ce90d40ef7df0f
Author: Jakob Bornecrantz <jakob@vmware.com>
Date:   Thu Aug 29 02:32:53 2013 +0200

    Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
    
    drm/vmwgfx: Split GMR2_REMAP commands if they are to large
    
    This fixes the piglit test texturing/max-texture-size
    causing the VM to die due to a too large SVGA command.
    
    Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
    Reviewed-by: Biran Paul <brianp@vmware.com>
    Reviewed-by: Zack Rusin <zackr@vmware.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@gmail.com>

 drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c |   58 +++++++++++++++++++++++-----------
 1 files changed, 39 insertions(+), 19 deletions(-)

commit d260badf708d6aa16c44f56f54727532dcae826e
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Sep 3 19:29:12 2013 +0200

    Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
    
    net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    
    In tcp_v6_do_rcv() code, when processing pkt options, we soley work
    on our skb clone opt_skb that we've created earlier before entering
    tcp_rcv_established() on our way. However, only in condition ...
    
      if (np->rxopt.bits.rxtclass)
        np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
    
    ... we work on skb itself. As we extract every other information out
    of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
    already be released by tcp_rcv_established() earlier on. When we try
    to access it in ipv6_hdr(), we will dereference freed skb.
    
    [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
      IP_PKTOPTIONS") ]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/tcp_ipv6.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 29 11:47:00 2013 +0300

    Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
    
    mISDN: return -EINVAL on error in dsp_control_req()
    
    If skb->len is too short then we should return an error.  Otherwise we
    read beyond the end of skb->data for several bytes.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/mISDN/dsp_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:36:23 2013 -0400

    fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit da68dbcd96c617923a0aedb177d36b2701f9c858
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:17:02 2013 -0400

    Allow the deny_new_usb sysctl to be toggled off by a user with
    CAP_SYS_ADMIN.  This allows for more inventive uses of the feature
    that would be impossible otherwise (like toggling it while the screen is
    locked, etc)

 grsecurity/grsec_sysctl.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit ce0e893adc830ee110f97071cc17e661fb35ae3d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 18:41:49 2013 -0400

    Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
    GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
    users who know they want the functionality but don't want to bother
    with modifying init scripts
    
    Also eliminate reset_security_ops() as a ROP target when
    SECURITY_SELINUX_DISABLE is disabled as it's the only user

 grsecurity/Kconfig        |   17 ++++++++++++++++-
 grsecurity/grsec_init.c   |    3 +++
 grsecurity/grsec_sysctl.c |    2 +-
 security/security.c       |    4 ++++
 4 files changed, 24 insertions(+), 2 deletions(-)

commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
Merge: 7ee3899 cf9c476
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 1 13:56:57 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 1 13:56:16 2013 -0400

    Update to pax-linux-3.10.10-test25.patch:
    - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
    - got inet_getid and ipv6_select_ident rid of the cmpxchg loop

 block/blk-cgroup.c                |    4 ++--
 drivers/video/hyperv_fb.c         |    4 ++--
 fs/namespace.c                    |    4 ++--
 include/net/inetpeer.h            |   13 +++++--------
 kernel/trace/trace_clock.c        |    4 ++--
 net/ipv6/output_core.c            |   15 ++++++---------
 net/sunrpc/auth_gss/svcauth_gss.c |    4 ++--
 7 files changed, 21 insertions(+), 27 deletions(-)

commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
Merge: fd0338c 2bdeae7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 22:07:38 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 22:06:55 2013 -0400

    Update to pax-linux-3.10.10-test24.patch:
    - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
    - fixed a bunch more after a quick audit of atomic_inc_return users

 drivers/acpi/apei/ghes.c                      |    4 ++--
 drivers/ata/libata-core.c                     |    4 ++--
 drivers/ata/libata-scsi.c                     |    2 +-
 drivers/ata/libata.h                          |    2 +-
 drivers/block/drbd/drbd_nl.c                  |    4 ++--
 drivers/crypto/hifn_795x.c                    |    4 ++--
 drivers/edac/edac_device.c                    |    4 ++--
 drivers/edac/edac_pci.c                       |    4 ++--
 drivers/firewire/core-card.c                  |    4 ++--
 drivers/hv/hv_balloon.c                       |   18 +++++++++---------
 drivers/infiniband/hw/mlx4/mad.c              |    2 +-
 drivers/infiniband/hw/mlx4/mlx4_ib.h          |    2 +-
 drivers/input/misc/ims-pcu.c                  |    4 ++--
 drivers/input/serio/serio_raw.c               |    4 ++--
 drivers/media/pci/ivtv/ivtv-driver.c          |    2 +-
 drivers/media/radio/radio-maxiradio.c         |    2 +-
 drivers/media/radio/radio-shark.c             |    2 +-
 drivers/media/radio/radio-shark2.c            |    2 +-
 drivers/media/radio/radio-si476x.c            |    2 +-
 drivers/media/rc/rc-main.c                    |    4 ++--
 drivers/media/v4l2-core/v4l2-device.c         |    4 ++--
 drivers/net/usb/sierra_net.c                  |    4 ++--
 drivers/pci/hotplug/pciehp_hpc.c              |    4 +---
 drivers/regulator/core.c                      |    4 ++--
 drivers/scsi/fcoe/fcoe_sysfs.c                |   12 ++++++------
 drivers/staging/android/timed_output.c        |    6 +++---
 drivers/staging/media/solo6x10/solo6x10-p2m.c |    2 +-
 drivers/staging/media/solo6x10/solo6x10.h     |    2 +-
 drivers/target/sbp/sbp_target.c               |    4 ++--
 drivers/tty/hvc/hvsi.c                        |   12 ++++++------
 drivers/tty/hvc/hvsi_lib.c                    |    6 +++---
 drivers/tty/serial/ioc4_serial.c              |    6 +++---
 drivers/tty/serial/msm_serial.c               |    4 ++--
 drivers/usb/misc/appledisplay.c               |    4 ++--
 fs/afs/inode.c                                |    4 ++--
 fs/btrfs/delayed-inode.c                      |    6 +++---
 fs/btrfs/delayed-inode.h                      |    4 ++--
 fs/fscache/cookie.c                           |    4 ++--
 include/media/v4l2-device.h                   |    2 +-
 net/ceph/messenger.c                          |    4 ++--
 net/core/netpoll.c                            |    4 ++--
 net/xfrm/xfrm_state.c                         |    4 ++--
 security/selinux/avc.c                        |    6 +++---
 43 files changed, 93 insertions(+), 95 deletions(-)

commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
Merge: 1bdf7ec 85099d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 21:07:29 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 21:06:55 2013 -0400

    Update to pax-linux-3.10.10-test23.patch:
    - added the necessary atomic_unchecked_t conversion for mips
    - audited and fixed arm and sparc for proper atomic_unchecked_t usage

 arch/arm/kvm/arm.c            |    8 ++++----
 arch/arm/mm/context.c         |   10 +++++-----
 arch/mips/kernel/irq.c        |    6 +++---
 arch/mips/kernel/sync-r4k.c   |   24 ++++++++++++------------
 arch/mips/sgi-ip27/ip27-nmi.c |    6 +++---
 arch/sparc/kernel/smp_64.c    |   12 ++++++------
 arch/sparc/kernel/traps_64.c  |   14 +++++++-------
 arch/sparc/mm/init_64.c       |   10 +++++-----
 8 files changed, 45 insertions(+), 45 deletions(-)

commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
Merge: 995a168 38ee86c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 19:23:36 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 19:23:11 2013 -0400

    Update to pax-linux-3.10.10-test22.patch:
    - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
    - fixed a few more format strings

 arch/mips/include/asm/atomic.h          |   20 ++++++++++++++++----
 drivers/md/bcache/super.c               |    2 +-
 drivers/net/wireless/iwlwifi/dvm/main.c |    3 +--
 drivers/pci/hotplug/pciehp_hpc.c        |    2 +-
 drivers/platform/x86/wmi.c              |    2 +-
 drivers/scsi/sd.c                       |    2 +-
 drivers/vfio/vfio.c                     |    4 ++--
 fs/ntfs/super.c                         |    6 +++---
 include/linux/workqueue.h               |    6 +++---
 net/mac80211/main.c                     |    2 +-
 sound/pci/hda/hda_codec.c               |    8 ++------
 11 files changed, 32 insertions(+), 25 deletions(-)

commit 995a16841e2097c3a9dfc652e856469679c4a0ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 17:11:11 2013 -0400

    fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast

 grsecurity/grsec_sysctl.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
Merge: be2497c 1052971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 29 20:44:29 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        include/linux/sched.h

commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
Merge: e902dad 8bf3379
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 29 20:39:50 2013 -0400

    Update to pax-linux-3.10.10-test21.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/sys_x86_64.c
        arch/x86/mm/mmap.c
        include/linux/sched.h

commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
Merge: 081c22b e902dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:52:44 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:51:21 2013 -0400

    Update to pax-linux-3.10.9-test21.patch:
    - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
    - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
    - fixed a REFCOUNT false positive in UHID
    - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
      Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
      (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
      - icmpv6_filter: no memory corruption, probably just some logical error in the caller
      - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
      - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
      - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
      - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
      - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network

 arch/arm/mm/fault.c                        |    2 +-
 arch/mips/kernel/traps.c                   |    2 --
 drivers/hid/uhid.c                         |    6 +++---
 drivers/isdn/gigaset/usb-gigaset.c         |    2 +-
 drivers/isdn/i4l/isdn_common.c             |    2 ++
 drivers/net/wireless/hostap/hostap_ioctl.c |    4 ++--
 drivers/usb/dwc3/gadget.c                  |    2 --
 net/ieee802154/6lowpan.c                   |    2 +-
 net/ipv6/raw.c                             |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c    |    6 +++---
 10 files changed, 14 insertions(+), 16 deletions(-)

commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:42:39 2013 -0400

    add export of gr_handle_new_usb()

 grsecurity/grsec_usb.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 19:24:47 2013 -0400

    Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
    Kees' recent findings are motivation enough to publish it

 drivers/usb/core/hub.c     |    5 +++++
 grsecurity/Kconfig         |   20 ++++++++++++++++++++
 grsecurity/Makefile        |    3 ++-
 grsecurity/grsec_init.c    |    1 +
 grsecurity/grsec_sysctl.c  |   11 +++++++++++
 grsecurity/grsec_usb.c     |   13 +++++++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grsecurity.h |    2 ++
 8 files changed, 55 insertions(+), 1 deletions(-)

commit 8044382257ec75a03f3d784ce048ef14e94b90ca
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:35:07 2013 -0700

    HID: zeroplus: validate output report details
    
    The zeroplus HID driver was not checking the size of allocated values
    in fields it used. A HID device could send a malicious output report
    that would cause the driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
    ...
    [ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2889
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-zpff.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 14:36:15 2013 -0700

    HID: provide a helper for validating hid reports
    
    Many drivers need to validate the characteristics of their HID report
    during initialization to avoid misusing the reports. This adds a common
    helper to perform validation of the report, its field count, and the
    value count within the fields.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-core.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/hid.h    |    4 +++
 2 files changed, 54 insertions(+), 0 deletions(-)

commit 270ba9096ddecdc3cf6c4d76e6892184820116be
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:14:34 2013 -0700

    HID: steelseries: validate output report details
    
    A HID device could send a malicious output report that would cause the
    steelseries HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
    ...
    [  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2891
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-steelseries.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 08:49:21 2013 -0700

    HID: pantherlord: validate output report details
    
    A HID device could send a malicious output report that would cause the
    pantherlord HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
    ...
    [  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2892
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-pl.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 60115e8108e508060815bce5ef9504233c81898c
Author: Kees Cook <keescook@chromium.org>
Date:   Tue Aug 13 16:49:01 2013 -0700

    HID: LG: validate HID output report details
    
    A HID device could send a malicious output report that would cause the
    lg, lg3, and lg4 HID drivers to write beyond the output report allocation
    during an event, causing a heap overflow:
    
    [  325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
    ...
    [  414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
    
    Additionally, while lg2 did correctly validate the report details, it was
    cleaned up and shortened.
    
    CVE-2013-2893
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-lg2ff.c |   19 +++----------------
 drivers/hid/hid-lg3ff.c |   29 ++++++-----------------------
 drivers/hid/hid-lg4ff.c |   20 +-------------------
 drivers/hid/hid-lgff.c  |   17 ++---------------
 4 files changed, 12 insertions(+), 73 deletions(-)

commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:21:23 2013 -0700

    HID: lenovo-tpkbd: validate output report details
    
    A HID device could send a malicious output report that would cause the
    lenovo-tpkbd HID driver to write just beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
    ...
    [   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2894
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-lenovo-tpkbd.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 38627769bb2b9a550e251b2caf1babda7566fb4a
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:45:03 2013 -0700

    HID: logitech-dj: validate output report details
    
    A HID device could send a malicious output report that would cause the
    logitech-dj HID driver to leak kernel memory contents to the device, or
    trigger a NULL dereference during initialization:
    
    [  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
    ...
    [  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
    [  304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
    
    CVE-2013-2895
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-logitech-dj.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:18:15 2013 -0700

    HID: ntrig: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    ntrig HID driver to trigger a NULL dereference during initialization:
    
    [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
    ...
    [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
    [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
    
    CVE-2013-2896
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-ntrig.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:11:32 2013 -0700

    HID: multitouch: validate feature report details
    
    When working on report indexes, always validate that they are in bounds.
    Without this, a HID device could report a malicious feature report that
    could trick the driver into a heap overflow:
    
    [  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
    ...
    [  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2897
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-multitouch.c |   25 ++++++++++++++++++++-----
 1 files changed, 20 insertions(+), 5 deletions(-)

commit 813f51e0881e4ea6d221da828b1cced02ad9694d
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:12:45 2013 -0700

    HID: sensor-hub: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    sensor-hub HID driver to read past the end of heap allocation, leaking
    kernel memory contents to the caller.
    
    CVE-2013-2898
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-sensor-hub.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:05:10 2013 -0700

    HID: picolcd_core: validate output report details
    
    A HID device could send a malicious output report that would cause the
    picolcd HID driver to trigger a NULL dereference during attr file writing.
    
    CVE-2013-2899
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-picolcd_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:09:54 2013 -0700

    HID: check for NULL field when setting values
    
    Defensively check that the field to be worked on is not NULL.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-core.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 96a55ce1b2f3af376c400a02059174e79ce4399c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 18:09:18 2013 -0400

    http://marc.info/?l=linux-input&m=137772180514608&q=raw
    
    From: Kees Cook <keescook@chromium.org>
    
    The "Report ID" field of a HID report is used to build indexes of
    reports. The kernel's index of these is limited to 256 entries, so any
    malicious device that sets a Report ID greater than 255 will trigger
    memory corruption on the host:
    
    [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
    [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
    
    CVE-2013-2888
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    ---
     drivers/hid/hid-core.c |   10 +++++++---
     include/linux/hid.h    |    4 +++-
     2 files changed, 10 insertions(+), 4 deletions(-)

 drivers/hid/hid-core.c |   10 +++++++---
 include/linux/hid.h    |    4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)

commit eb1106eef5f17bfda833ca3cf89e315919173257
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Aug 9 12:52:31 2013 +0300

    Upstream commit: 909bd5926d474e275599094acad986af79671ac9
    
    Hostap: copying wrong data prism2_ioctl_giwaplist()
    
    We want the data stored in "addr" and "qual", but the extra ampersands
    mean we are copying stack data instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/hostap/hostap_ioctl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 17:01:21 2013 -0400

    fix typo in ipv6 backport

 net/ipv6/addrconf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Aug 22 11:39:15 2013 -0700

    Upstream commit: d661684cf6820331feae71146c35da83d794467e
    
    net: Check the correct namespace when spoofing pid over SCM_RIGHTS
    
    This is a security bug.
    
    The follow-up will fix nsproxy to discourage this type of issue from
    happening again.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/scm.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Aug 16 13:02:27 2013 +0200

    Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
    
    ipv6: remove max_addresses check from ipv6_create_tempaddr
    
    Because of the max_addresses check attackers were able to disable privacy
    extensions on an interface by creating enough autoconfigured addresses:
    
    <http://seclists.org/oss-sec/2012/q4/292>
    
    But the check is not actually needed: max_addresses protects the
    kernel to install too many ipv6 addresses on an interface and guards
    addrconf_prefix_rcv to install further addresses as soon as this limit
    is reached. We only generate temporary addresses in direct response of
    a new address showing up. As soon as we filled up the maximum number of
    addresses of an interface, we stop installing more addresses and thus
    also stop generating more temp addresses.
    
    Even if the attacker tries to generate a lot of temporary addresses
    by announcing a prefix and removing it again (lifetime == 0) we won't
    install more temp addresses, because the temporary addresses do count
    to the maximum number of addresses, thus we would stop installing new
    autoconfigured addresses when the limit is reached.
    
    This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
    possible).
    
    Thanks to Ding Tianhong to bring this topic up again.
    
    Cc: Ding Tianhong <dingtianhong@huawei.com>
    Cc: George Kargiotakis <kargig@void.gr>
    Cc: P J P <ppandit@redhat.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Ding Tianhong <dingtianhong@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/ipv6/addrconf.c

 net/ipv6/addrconf.c |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit 8333e0981469a226a47d0142ff31090a48db95a4
Author: David Vrabel <david.vrabel@citrix.com>
Date:   Thu Aug 15 13:21:06 2013 +0100

    Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
    
    xen/events: initialize local per-cpu mask for all possible events
    
    The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
    resulting in only the first 64 (or 32 in 32-bit guests) ports having
    their bindings being initialized to VCPU 0.
    
    In most cases this does not cause a problem as request_irq() will set
    the irq affinity which will set the correct local per-cpu mask.
    However, if the request_irq() is called on a VCPU other than 0, there
    is a window between the unmasking of the event and the affinity being
    set were an event may be lost because it is not locally unmasked on
    any VCPU. If request_irq() is called on VCPU 0 then local irqs are
    disabled during the window and the race does not occur.
    
    Fix this by initializing all NR_EVENT_CHANNEL bits in the local
    per-cpu masks.
    
    Signed-off-by: David Vrabel <david.vrabel@citrix.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    CC: stable@vger.kernel.org

 drivers/xen/events.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2a9a83768433937a2b7a97001ba1627156c0efed
Author: Roland Dreier <roland@purestorage.com>
Date:   Mon Aug 5 17:55:01 2013 -0700

    Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
    
    [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
    
    There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
    leads to one process writing data into the address space of some other
    random unrelated process if the ioctl is interrupted by a signal.
    What happens is the following:
    
     - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
       underlying SCSI command will transfer data from the SCSI device to
       the buffer provided in the ioctl)
    
     - Before the command finishes, a signal is sent to the process waiting
       in the ioctl.  This will end up waking up the sg_ioctl() code:
    
                result = wait_event_interruptible(sfp->read_wait,
                        (srp_done(sfp, srp) || sdp->detached));
    
       but neither srp_done() nor sdp->detached is true, so we end up just
       setting srp->orphan and returning to userspace:
    
                srp->orphan = 1;
                write_unlock_irq(&sfp->rq_list_lock);
                return result;  /* -ERESTARTSYS because signal hit process */
    
       At this point the original process is done with the ioctl and
       blithely goes ahead handling the signal, reissuing the ioctl, etc.
    
     - Eventually, the SCSI command issued by the first ioctl finishes and
       ends up in sg_rq_end_io().  At the end of that function, we run through:
    
        write_lock_irqsave(&sfp->rq_list_lock, iflags);
        if (unlikely(srp->orphan)) {
                if (sfp->keep_orphan)
                        srp->sg_io_owned = 0;
                else
                        done = 0;
        }
        srp->done = done;
        write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
    
        if (likely(done)) {
                /* Now wake up any sg_read() that is waiting for this
                 * packet.
                 */
                wake_up_interruptible(&sfp->read_wait);
                kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
                kref_put(&sfp->f_ref, sg_remove_sfp);
        } else {
                INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
                schedule_work(&srp->ew.work);
        }
    
       Since srp->orphan *is* set, we set done to 0 (assuming the
       userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
       ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
       to run in a workqueue.
    
     - In workqueue context we go through sg_rq_end_io_usercontext() ->
       sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
       bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
    
       The key point here is that we are doing copy_to_user() on a
       workqueue -- that is, we're on a kernel thread with current->mm
       equal to whatever random previous user process was scheduled before
       this kernel thread.  So we end up copying whatever data the SCSI
       command returned to the virtual address of the buffer passed into
       the original ioctl, but it's quite likely we do this copying into a
       different address space!
    
    As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
    add a check for current->mm (which is NULL if we're on a kernel thread
    without a real userspace address space) in bio_uncopy_user(), and skip
    the copy if we're on a kernel thread.
    
    There's no reason that I can think of for any caller of bio_uncopy_user()
    to want to do copying on a kernel thread with a random active userspace
    address space.
    
    Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
    original pointer to this bug in the sg code.
    
    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Tested-by: David Milburn <dmilburn@redhat.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>

 fs/bio.c |   20 +++++++++++++++-----
 1 files changed, 15 insertions(+), 5 deletions(-)

commit e6fe57dee152671afd618d6bc8cbf23155be6c34
Merge: cdc8f7d f2095a4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 18:13:35 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/mm/fault.c
        security/Kconfig

commit f2095a4787f7d332e5919f0bd00f8de6021ad612
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 18:08:23 2013 -0400

    Update to pax-linux-3.10.9-test20.patch:
    - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
    - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
    - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
    - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
    - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
    - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
    - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)

 arch/arm/mm/fault.c               |   11 +-
 arch/mips/include/asm/atomic.h    |  722 +++++++++++++++++++++++++++++++++++--
 arch/mips/kernel/traps.c          |   14 +-
 arch/x86/include/asm/tlbflush.h   |    4 +
 arch/x86/include/asm/uaccess_64.h |    2 +-
 fs/ntfs/file.c                    |    2 +-
 kernel/events/internal.h          |    4 +-
 kernel/events/uprobes.c           |    2 +-
 kernel/futex.c                    |    2 +-
 mm/filemap.c                      |    8 +-
 security/Kconfig                  |    2 +-
 tools/gcc/kernexec_plugin.c       |   18 +-
 tools/gcc/latent_entropy_plugin.c |   26 +-
 tools/gcc/size_overflow_plugin.c  |    3 +-
 14 files changed, 750 insertions(+), 70 deletions(-)

commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
Merge: 5a9ae57 745975e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 26 20:27:33 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 745975e3b3b74b64e00e85778f9a22714d1274f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 26 20:26:33 2013 -0400

    Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
    as reported by fabled on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=1&t=3720

 arch/arm/include/asm/pgtable.h |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
Merge: 486ec00 f68df21
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:15:20 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:14:50 2013 -0400

    Update to pax-linux-3.10.9-test18.patch:
    - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
    - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
    - forward port to 3.10.9

 arch/x86/kernel/entry_64.S       |   18 +++++++++---------
 arch/x86/kernel/i386_ksyms_32.c  |    4 ++++
 arch/x86/kernel/x8664_ksyms_64.c |    4 ++++
 3 files changed, 17 insertions(+), 9 deletions(-)

commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
Merge: f47a293 d8fed0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:12:47 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
Merge: f6ace8e 0a4b6d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:12:33 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit f47a293a1440da2a3e2c239d43d636e37ca74f10
Merge: f1e8ec7 f6ace8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:20:05 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/kernel/perf_event.c
        include/linux/sched.h

commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
Merge: b4fa847 6f54059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:18:02 2013 -0400

    Update to pax-linux-3.10.8-test18.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/sys_x86_64.c
        arch/x86/mm/mmap.c
        include/linux/sched.h

commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
Merge: 6f88011 b4fa847
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:05:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:04:14 2013 -0400

    Update to pax-linux-3.10.7-test18.patch:
    - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
    - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
    - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause

 arch/arm/kernel/process.c        |    2 +-
 arch/x86/include/asm/processor.h |   25 ++-----------------------
 arch/x86/kernel/cpu/common.c     |    4 ++++
 arch/x86/kernel/setup.c          |   36 ++++++++++++++++++++++++++++++++++++
 drivers/staging/zcache/tmem.c    |    4 ++--
 drivers/staging/zcache/tmem.h    |    6 ++----
 6 files changed, 47 insertions(+), 30 deletions(-)

commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 19 22:10:04 2013 -0400

    fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
    as reported by pipacs

 arch/x86/kernel/smpboot.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
Merge: 6eba999 5de93c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 22:03:19 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 22:02:47 2013 -0400

    Update to pax-linux-3.10.7-test15.patch:
    - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
    - fixed some new REFCOUNT false positives, caught by inspection

 arch/x86/kernel/cpu/common.c |    5 +++--
 arch/x86/kernel/entry_64.S   |   11 +++++++----
 fs/ceph/super.c              |    4 ++--
 mm/backing-dev.c             |    4 ++--
 4 files changed, 14 insertions(+), 10 deletions(-)

commit 94c119587c76723c1072237b98fff9886ccb7689
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 20:49:39 2013 -0400

    fix pipacs' DEMORGAN typo

 arch/x86/include/asm/tlbflush.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
Merge: df347f6 64a293e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 18:13:04 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 18:12:37 2013 -0400

    Update to pax-linux-3.10.7-test14.patch:
    - fixed compile error introduced by the previous PCID change
    - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)

 arch/x86/include/asm/tlbflush.h |    2 +-
 kernel/posix-timers.c           |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
Merge: d8efbc5 e11b314
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 08:15:00 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e11b314734c5b7317f5468be75305ad812e78c2b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 08:14:26 2013 -0400

    Update to pax-linux-3.10.7-test13.patch:
    - always enable the use of PCID and INVPCID when available in the CPU
      - kvm guest kernels can use these features even if the host kernel lacks UDEREF

 arch/x86/include/asm/tlbflush.h |   69 ++++++++++++++++++++++----------------
 arch/x86/kernel/cpu/common.c    |   48 +++++++++++++++++----------
 2 files changed, 70 insertions(+), 47 deletions(-)

commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 12:00:20 2013 -0400

    make kallsyms_lookup_size_offset available to approved source files

 include/linux/kallsyms.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6c8feffa95ce2db280160015027b52bb41a344c8
Merge: dbf6930 0bb1c2b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:57:50 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:56:43 2013 -0400

    Update to pax-linux-3.10.7-test12.patch:
    - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
    - fixed some arm compile problems

 arch/x86/include/asm/tlbflush.h      |    2 +-
 drivers/clocksource/bcm_kona_timer.c |    2 +-
 kernel/signal.c                      |    4 ++++
 3 files changed, 6 insertions(+), 2 deletions(-)

commit dbf69305ad4f8a037aae95af90f9201f556dcb48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:18:09 2013 -0400

    allow use of kallsyms_lookup_name to approved source files

 include/linux/kallsyms.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
Merge: 68bd16f f562e3e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 10:35:02 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f562e3ef7737ea8d80431a722479b36a12504ace
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 10:34:51 2013 -0400

    add uderef_64.c

 arch/x86/mm/uderef_64.c |   37 +++++++++++++++++++++++++++++++++++++
 1 files changed, 37 insertions(+), 0 deletions(-)

commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
Date:   Mon Aug 12 16:30:09 2013 +0000

    Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
    
    rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
    
    Fix the iproute2 command `bridge vlan show`, after switching from
    rtgenmsg to ifinfomsg.
    
    Let's start with a little history:
    
    Feb 20:   Vlad Yasevich got his VLAN-aware bridge patchset included in
              the 3.9 merge window.
              In the kernel commit 6cbdceeb, he added attribute support to
              bridge GETLINK requests sent with rtgenmsg.
    
    Mar 6th:  Vlad got this iproute2 reference implementation of the bridge
              vlan netlink interface accepted (iproute2 9eff0e5c)
    
    Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
              http://patchwork.ozlabs.org/patch/239602/
              http://marc.info/?t=136680900700007
    
    Apr 28th: Linus released 3.9
    
    Apr 30th: Stephen released iproute2 3.9.0
    
    The `bridge vlan show` command haven't been working since the switch to
    ifinfomsg, or in a released version of iproute2. Since the kernel side
    only supports rtgenmsg, which iproute2 switched away from just prior to
    the iproute2 3.9.0 release.
    
    I haven't been able to find any documentation, about neither rtgenmsg
    nor ifinfomsg, and in which situation to use which, but kernel commit
    88c5b5ce seams to suggest that ifinfomsg should be used.
    
    Fixing this in kernel will break compatibility, but I doubt that anybody
    have been using it due to this bug in the user space reference
    implementation, at least not without noticing this bug. That said the
    functionality is still fully functional in 3.9, when reversing iproute2
    commit 63338dca.
    
    This could also be fixed in iproute2, but thats an ugly patch that would
    reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
    like rtgenmsg usage is discouraged. I'm assuming that the only reason
    that Vlad implemented the kernel side to use rtgenmsg, was because
    iproute2 was using it at the time.
    
    Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
    Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/rtnetlink.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8c7bc5bafddddff55ed4687203a977e96f72540a
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Aug 13 09:04:05 2013 +0200

    Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
    
    genetlink: fix family dump race
    
    When dumping generic netlink families, only the first dump call
    is locked with genl_lock(), which protects the list of families,
    and thus subsequent calls can access the data without locking,
    racing against family addition/removal. This can cause a crash.
    Fix it - the locking needs to be conditional because the first
    time around it's already locked.
    
    A similar bug was reported to me on an old kernel (3.4.47) but
    the exact scenario that happened there is no longer possible,
    on those kernels the first round wasn't locked either. Looking
    at the current code I found the race described above, which had
    also existed on the old kernel.
    
    Cc: stable@vger.kernel.org
    Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/netlink/genetlink.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Aug 9 16:25:21 2013 +0200

    Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
    
    net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
    
    Probably this one is quite unlikely to be triggered, but it's more safe
    to do the call_rcu() at the end after we have dropped the reference on
    the asoc and freed sctp packet chunks. The reason why is because in
    sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
    we're unlucky enough we could run into corrupted pointers. Probably
    that's more of theoretical nature, but it's safer to have this simple fix.
    
    Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
    for deferred call_rcu's"). I also did the 8c98653f regression test and
    it's fine that way.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/transport.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 3925eab5483946fd746575a46f97bee9d566bb77
Author: Stephane Grosjean <s.grosjean@peak-system.com>
Date:   Fri Aug 9 11:44:06 2013 +0200

    Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
    
    can: pcan_usb: fix wrong memcpy() bytes length
    
    Fix possibly wrong memcpy() bytes length since some CAN records received from
    PCAN-USB could define a DLC field in range [9..15].
    In that case, the real DLC value MUST be used to move forward the record pointer
    but, only 8 bytes max. MUST be copied into the data field of the struct
    can_frame object of the skb given to the network core.
    
    Cc: linux-stable <stable@vger.kernel.org>
    Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/can/usb/peak_usb/pcan_usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c1ac6642baae4a400d1f87115024d1bb1ef53598
Author: Linus Lüssing <linus.luessing@web.de>
Date:   Tue Aug 6 20:21:15 2013 +0200

    Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
    
    batman-adv: fix potential kernel paging errors for unicast transmissions
    
    There are several functions which might reallocate skb data. Currently
    some places keep reusing their old ethhdr pointer regardless of whether
    they became invalid after such a reallocation or not. This potentially
    leads to kernel paging errors.
    
    This patch fixes these by refetching the ethdr pointer after the
    potential reallocations.
    
    Signed-off-by: Linus Lüssing <linus.luessing@web.de>
    Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
    Signed-off-by: Antonio Quartulli <ordex@autistici.org>

 net/batman-adv/bridge_loop_avoidance.c |    2 ++
 net/batman-adv/gateway_client.c        |   13 ++++++++++++-
 net/batman-adv/gateway_client.h        |    3 +--
 net/batman-adv/soft-interface.c        |    9 ++++++++-
 net/batman-adv/unicast.c               |   13 ++++++++++---
 5 files changed, 33 insertions(+), 7 deletions(-)

commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
Author: Yuchung Cheng <ycheng@google.com>
Date:   Fri Aug 9 17:21:27 2013 -0700

    Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
    
    netfilter: nf_conntrack: fix tcp_in_window for Fast Open
    
    Currently the conntrack checks if the ending sequence of a packet
    falls within the observed receive window. However it does so even
    if it has not observe any packet from the remote yet and uses an
    uninitialized receive window (td_maxwin).
    
    If a connection uses Fast Open to send a SYN-data packet which is
    dropped afterward in the network. The subsequent SYNs retransmits
    will all fail this check and be discarded, leading to a connection
    timeout. This is because the SYN retransmit does not contain data
    payload so
    
    end == initial sequence number (isn) + 1
    sender->td_end == isn + syn_data_len
    receiver->td_maxwin == 0
    
    The fix is to only apply this check after td_maxwin is initialized.
    
    Reported-by: Michael Chan <mcfchan@stanford.edu>
    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_conntrack_proto_tcp.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 1 12:36:57 2013 +0300

    Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
    
    netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
    
    These structs have a "_pad" member.  Also the "phw" structs have an 8
    byte "hw_addr[]" array but sometimes only the first 6 bytes are
    initialized.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_log.c        |    6 +++++-
 net/netfilter/nfnetlink_queue_core.c |    5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jul 25 10:46:46 2013 +0200

    Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
    
    netfilter: xt_TCPOPTSTRIP: fix possible off by one access
    
    Fix a possible off by one access since optlen()
    touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
    
    This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
    that stores the TCP header length, to save some cycles.
    
    Reported-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/xt_TCPOPTSTRIP.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jul 25 10:37:49 2013 +0200

    Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
    
    netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
    
    Make sure the packet has enough room for the TCP header and
    that it is not malformed.
    
    While at it, store tcph->doff*4 in a variable, as it is used
    several times.
    
    This patch also fixes a possible off by one in case of malformed
    TCP options.
    
    Reported-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/xt_TCPMSS.c |   28 ++++++++++++++++------------
 1 files changed, 16 insertions(+), 12 deletions(-)

commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
Author: Dave Jones <davej@redhat.com>
Date:   Fri Aug 9 11:16:34 2013 -0700

    Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
    
    8139cp: Fix skb leak in rx_status_loop failure path.
    
    Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
    ("8139cp: Add dma_mapping_error checking")
    
    Signed-off-by: Dave Jones <davej@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/realtek/8139cp.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 227b279491a0bbcc70ca3654f34903282c378600
Author: Timo Teräs <timo.teras@iki.fi>
Date:   Tue Aug 6 13:45:43 2013 +0300

    Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
    
    ip_gre: fix ipgre_header to return correct offset
    
    Fix ipgre_header() (header_ops->create) to return the correct
    amount of bytes pushed. Most callers of dev_hard_header() seem
    to care only if it was success, but af_packet.c uses it as
    offset to the skb to copy from userspace only once. In practice
    this fixes packet socket sendto()/sendmsg() to gre tunnels.
    
    Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
    ("GRE: Refactor GRE tunneling code.")
    
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: Timo Teräs <timo.teras@iki.fi>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_gre.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Aug 5 11:18:49 2013 -0700

    Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
    
    fib_trie: remove potential out of bound access
    
    AddressSanitizer [1] dynamic checker pointed a potential
    out of bound access in leaf_walk_rcu()
    
    We could allocate one more slot in tnode_new() to leave the prefetch()
    in-place but it looks not worth the pain.
    
    Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
    
    [1] :
    https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
    
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/fib_trie.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Aug 5 12:49:35 2013 +0200

    Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
    
    net: esp{4,6}: fix potential MTU calculation overflows
    
    Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
    size calculation") introduced a possible interger overflow in
    esp{4,6}_get_mtu() handlers in case of x->props.mode equals
    XFRM_MODE_TUNNEL. Thus, the following expression will overflow
    
      unsigned int net_adj;
      ...
      <case ipv{4,6} XFRM_MODE_TUNNEL>
             net_adj = 0;
      ...
      return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
               net_adj) & ~(align - 1)) + (net_adj - 2);
    
    where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
    context. Fix it by simply removing brackets as those operations here
    do not need to have special precedence.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Benjamin Poirier <bpoirier@suse.de>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Acked-by: Benjamin Poirier <bpoirier@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c |    2 +-
 net/ipv6/esp6.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit f02bce292d1c2fe610be509c96593e70b3de387b
Author: Julia Lawall <Julia.Lawall@lip6.fr>
Date:   Mon Aug 5 16:47:38 2013 +0200

    Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
    
    net/vmw_vsock/af_vsock.c: drop unneeded semicolon
    
    Drop the semicolon at the end of the list_for_each_entry loop header.
    
    Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/vmw_vsock/af_vsock.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
Author: Tiger Yang <tiger.yang@oracle.com>
Date:   Tue Aug 13 16:00:58 2013 -0700

    Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
    
    ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
    
    Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
    the struct file pointer, it finally result in a null pointer dereference
    in ocfs2_duplicate_clusters_by_page.
    
    This patch replace file pointer with inode pointer in
    cow_duplicate_clusters to fix this issue.
    
    [jeff.liu@oracle.com: rebased patch against linux-next tree]
    Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
    Signed-off-by: Jie Liu <jeff.liu@oracle.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Mark Fasheh <mfasheh@suse.com>
    Acked-by: Tao Ma <tm@tao.ma>
    Tested-by: David Weber <wb@munzinger.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/ocfs2/aops.c         |    2 +-
 fs/ocfs2/file.c         |    6 ++--
 fs/ocfs2/move_extents.c |    2 +-
 fs/ocfs2/refcounttree.c |   53 +++++++---------------------------------------
 fs/ocfs2/refcounttree.h |    6 ++--
 5 files changed, 16 insertions(+), 53 deletions(-)

commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 15 15:52:57 2013 +0300

    Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
    
    tun: signedness bug in tun_get_user()
    
    The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
    not totally correct.  Because "len" and "sizeof()" are size_t type, that
    means they are never less than zero.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 26ad267ddda451919357965a0cf271ca24d1bcf2
Author: Weiping Pan <wpan@redhat.com>
Date:   Tue Aug 13 21:46:56 2013 +0800

    Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
    
    tun: compare with 0 instead of total_len
    
    Since we set "len = total_len" in the beginning of tun_get_user(),
    so we should compare the new len with 0, instead of total_len,
    or the if statement always returns false.
    
    Signed-off-by: Weiping Pan <wpan@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Fri Aug 16 20:50:55 2013 -0700

    Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
    
    s390: Fix broken build
    
    Fix this build error:
    
      In file included from fs/exec.c:61:0:
      arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
      arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
      arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
      arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
    
    Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
    invalidation corner cases").
    
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    [ Oh well. We had build testing for ppc amd um, but no s390  - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/s390/include/asm/tlb.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4e57312c2de2a25ddb181d129dafbc0251062c33
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Aug 15 11:42:25 2013 -0700

    Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
    
    Fix TLB gather virtual address range invalidation corner cases
    
    Ben Tebulin reported:
    
     "Since v3.7.2 on two independent machines a very specific Git
      repository fails in 9/10 cases on git-fsck due to an SHA1/memory
      failures.  This only occurs on a very specific repository and can be
      reproduced stably on two independent laptops.  Git mailing list ran
      out of ideas and for me this looks like some very exotic kernel issue"
    
    and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
    limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
    
    That commit itself is not actually buggy, but what it does is to make it
    much more likely to hit the partial TLB invalidation case, since it
    introduces a new case in tlb_next_batch() that previously only ever
    happened when running out of memory.
    
    The real bug is that the TLB gather virtual memory range setup is subtly
    buggered.  It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
    enable tlb flush range in generic mmu_gather"), and the range handling
    was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
    range flushed when __tlb_remove_page() runs out of slots"), but that fix
    was not complete.
    
    The problem with the TLB gather virtual address range is that it isn't
    set up by the initial tlb_gather_mmu() initialization (which didn't get
    the TLB range information), but it is set up ad-hoc later by the
    functions that actually flush the TLB.  And so any such case that forgot
    to update the TLB range entries would potentially miss TLB invalidates.
    
    Rather than try to figure out exactly which particular ad-hoc range
    setup was missing (I personally suspect it's the hugetlb case in
    zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
    did), this patch just gets rid of the problem at the source: make the
    TLB range information available to tlb_gather_mmu(), and initialize it
    when initializing all the other tlb gather fields.
    
    This makes the patch larger, but conceptually much simpler.  And the end
    result is much more understandable; even if you want to play games with
    partial ranges when invalidating the TLB contents in chunks, now the
    range information is always there, and anybody who doesn't want to
    bother with it won't introduce subtle bugs.
    
    Ben verified that this fixes his problem.
    
    Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
    Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
    Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
    Reviewed-by: Michal Hocko <mhocko@suse.cz>
    Acked-by: Peter Zijlstra <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/arm/include/asm/tlb.h   |    7 +++++--
 arch/arm64/include/asm/tlb.h |    7 +++++--
 arch/ia64/include/asm/tlb.h  |    9 ++++++---
 arch/s390/include/asm/tlb.h  |    8 ++++++--
 arch/sh/include/asm/tlb.h    |    6 ++++--
 arch/um/include/asm/tlb.h    |    6 ++++--
 fs/exec.c                    |    4 ++--
 include/asm-generic/tlb.h    |    2 +-
 mm/hugetlb.c                 |    2 +-
 mm/memory.c                  |   36 +++++++++++++++++++++---------------
 mm/mmap.c                    |    4 ++--
 11 files changed, 57 insertions(+), 34 deletions(-)

commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
Merge: 5568c80 ffceabf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:11:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit ffceabfcc65c60109ba5fca694d78d4dc7047809
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:10:44 2013 -0400

    Update to pax-linux-3.10.7-test11.patch:
    - simplified some arm code
    - disabled preemption when calling show_regs, reported by Corey Minyard
    - added PCID based support for UDEREF on amd64 (blog will have more details)
      - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
      - nopcid turns it off
      - by default a strong form of UDEREF is used under PCID
      - pax_weakuderef switches to the older, less secure UDEREF
      - fixed several bugs that would also have manifested under SMAP
      - INVPCID is used when available (Haswell)
    - added a few more return insn instrumentation in new amd64 crypto code

 Documentation/kernel-parameters.txt          |    7 +
 arch/arm/include/asm/uaccess.h               |    3 +
 arch/x86/crypto/blowfish-avx2-asm_64.S       |    6 +
 arch/x86/crypto/camellia-aesni-avx-asm_64.S  |   10 ++
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S |   10 ++
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S    |    2 +
 arch/x86/crypto/ghash-clmulni-intel_asm.S    |    5 +
 arch/x86/crypto/serpent-avx2-asm_64.S        |    9 ++
 arch/x86/crypto/sha256-avx-asm.S             |    2 +
 arch/x86/crypto/sha256-avx2-asm.S            |    2 +
 arch/x86/crypto/sha256-ssse3-asm.S           |    2 +
 arch/x86/crypto/sha512-avx-asm.S             |    2 +
 arch/x86/crypto/sha512-avx2-asm.S            |    2 +
 arch/x86/crypto/sha512-ssse3-asm.S           |    2 +
 arch/x86/crypto/twofish-avx2-asm_64.S        |    8 ++
 arch/x86/ia32/ia32_signal.c                  |    2 +-
 arch/x86/ia32/ia32entry.S                    |   24 ++++-
 arch/x86/include/asm/cpufeature.h            |    3 +-
 arch/x86/include/asm/fpu-internal.h          |    2 +
 arch/x86/include/asm/futex.h                 |    4 +
 arch/x86/include/asm/mmu_context.h           |   80 +++++++++++---
 arch/x86/include/asm/pgtable.h               |   10 +-
 arch/x86/include/asm/processor.h             |   15 +++-
 arch/x86/include/asm/segment.h               |    5 +-
 arch/x86/include/asm/smap.h                  |   64 +++++++++++-
 arch/x86/include/asm/tlbflush.h              |   63 +++++++++--
 arch/x86/include/asm/uaccess.h               |   18 +++-
 arch/x86/include/asm/xsave.h                 |    4 +
 arch/x86/kernel/cpu/common.c                 |   38 +++++++
 arch/x86/kernel/entry_32.S                   |    2 +-
 arch/x86/kernel/entry_64.S                   |  152 +++++++++++++++++++++++---
 arch/x86/kernel/head_32.S                    |    2 +-
 arch/x86/kernel/head_64.S                    |    8 +-
 arch/x86/kernel/process_64.c                 |    5 +
 arch/x86/kernel/setup.c                      |    8 +-
 arch/x86/kernel/signal.c                     |    4 +-
 arch/x86/kernel/smpboot.c                    |   15 ++-
 arch/x86/lib/copy_user_64.S                  |   50 +--------
 arch/x86/lib/copy_user_nocache_64.S          |    2 +
 arch/x86/lib/csum-wrappers_64.c              |   11 ++-
 arch/x86/lib/memcpy_64.S                     |    4 +-
 arch/x86/lib/memmove_64.S                    |    2 +-
 arch/x86/lib/memset_64.S                     |    4 +-
 arch/x86/lib/usercopy_64.c                   |    5 +-
 arch/x86/mm/Makefile                         |    4 +
 arch/x86/mm/fault.c                          |   29 ++++--
 arch/x86/mm/init.c                           |    7 +-
 arch/x86/mm/init_64.c                        |    9 ++-
 arch/x86/mm/pageattr.c                       |    2 +-
 arch/x86/mm/pgtable.c                        |    3 +
 arch/x86/platform/efi/efi_32.c               |    2 +-
 arch/x86/platform/efi/efi_64.c               |    2 +-
 arch/x86/realmode/rm/trampoline_64.S         |    1 +
 fs/exec.c                                    |    2 +
 include/asm-generic/uaccess.h                |    8 ++
 include/linux/compat.h                       |    1 +
 include/linux/preempt.h                      |   19 +++
 include/linux/signal.h                       |    1 +
 include/linux/smp.h                          |    2 +
 init/main.c                                  |   14 ++-
 kernel/signal.c                              |   16 +++
 security/Kconfig                             |    5 +
 tools/lib/lk/Makefile                        |    2 +-
 tools/perf/Makefile                          |    2 +-
 64 files changed, 673 insertions(+), 136 deletions(-)

commit 5568c8059e78d6d002815409df4e90c83b3b08a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 08:58:34 2013 -0400

    Fix two harmless compiler warnings

 arch/arm/kernel/process.c |    4 ++--
 fs/exec.c                 |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:55:24 2013 -0400

    Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b

 arch/arm/kernel/perf_event.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 3637bc893b57a227b01852fe34685ab237285b10
Author: Stephen Boyd <sboyd@codeaurora.org>
Date:   Wed Aug 7 16:18:08 2013 -0700

    Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
    
    perf/arm: Fix armpmu_map_hw_event()
    
    Fix constraint check in armpmu_map_hw_event().
    
    Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/arm/kernel/perf_event.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 11802e1f961a088c39af58d1c1b14d861eedfb35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:53:30 2013 -0400

    More ARM backports

 arch/arm/kernel/entry-armv.S |    3 ++-
 arch/arm/kernel/fiq.c        |    8 ++------
 2 files changed, 4 insertions(+), 7 deletions(-)

commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:46:01 2013 -0400

    Fix HIDESYM compatibility with kprobes, as reported by feandil at:
    http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376

 include/linux/kallsyms.h |    2 +-
 kernel/kprobes.c         |    3 +++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
Author: yonghua zheng <younghua.zheng@gmail.com>
Date:   Tue Aug 13 16:01:03 2013 -0700

    fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
    
    Recently we met quite a lot of random kernel panic issues after enabling
    CONFIG_PROC_PAGE_MONITOR.  After debuggind we found this has something
    to do with following bug in pagemap:
    
    In struct pagemapread:
    
      struct pagemapread {
          int pos, len;
          pagemap_entry_t *buffer;
          bool v2;
      };
    
    pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
    buffer, it is a mistake to compare pos and len in add_page_map() for
    checking buffer is full or not, and this can lead to buffer overflow and
    random kernel panic issue.
    
    Correct len to be total number of PM_ENTRY_BYTES in buffer.
    
    [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
    Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/task_mmu.c

 fs/proc/task_mmu.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 0a3dac834746de241c10d4978bf61b4f146ba89d
Merge: dc19474 e12de30
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 17:39:01 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 17:34:47 2013 -0400

    Update to pax-linux-3.10.7-test9.patch:
    - Emese fixed a size overflow false positive reported by Sven Vermeulen
    - fixed some arm compile problems reported by spender
    - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
      eventually we'll have full REFCOUNT support on mips

 arch/arm/kernel/process.c     |    5 ++-
 arch/arm/mm/Kconfig           |    2 +-
 arch/arm/mm/fault.c           |    3 ++
 arch/mips/include/asm/local.h |   57 +++++++++++++++++++++++++++++++++++++++++
 mm/internal.h                 |    2 +-
 5 files changed, 65 insertions(+), 4 deletions(-)

commit dc19474d0ea6ea3c939544ae5f906067b1784a10
Merge: 51b78c0 82266f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 21:47:37 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 82266f90a3f87ab5017329fb539aebf94c42253a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 21:14:47 2013 -0400

    Update to pax-linux-3.10.7-test9.patch

 arch/arm/kernel/process.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)

commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
Merge: e32d904 cb77ead
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 20:53:45 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
Merge: 13675b8 519be45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 20:50:47 2013 -0400

    Update to pax-linux-3.10.7-test8.patch
    
    Merge branch 'linux-3.10.y' into pax-test

commit e32d904b87292288e74e2637b900fd1115687b8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 10 09:41:40 2013 -0400

    propagate the threadstack offset through to the topdown/bottomup allocators
    on sparc64 hugepages

 arch/sparc/mm/hugetlbpage.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Thu Aug 8 18:55:32 2013 +0200

    Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
    
    another local DoS found in reaction to the one I reported,
    we don't allow unpriv user ns use so this doesn't matter much to us
    
    userns: limit the maximum depth of user_namespace->parent chain
    
    Ensure that user_namespace->parent chain can't grow too much.
    Currently we use the hardroded 32 as limit.
    
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/user_namespace.h |    1 +
 kernel/user_namespace.c        |    4 ++++
 2 files changed, 5 insertions(+), 0 deletions(-)

commit 223ac007ef18bf3a5095ba0a56675c1f16200149
Merge: 1c92de4 13675b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 8 20:45:24 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 13675b848cf02bffd26924b2b84d927095bc253d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 8 20:43:52 2013 -0400

    Update to pax-linux-3.10.5-test8.patch:
    - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
    - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
    - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>

 arch/arm/include/asm/pgtable-2level.h |    4 +++-
 arch/arm/mm/proc-v7-2level.S          |    3 ---
 arch/mips/mm/fault.c                  |    8 ++++++++
 arch/x86/include/asm/processor.h      |    3 ++-
 include/linux/math64.h                |    2 +-
 security/Kconfig                      |    2 --
 6 files changed, 14 insertions(+), 8 deletions(-)

commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
Merge: e65aa3d 1660f49
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 18:50:45 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 1660f496848b8400d263f7920989dae15e72185a
Merge: 7f91ba1 dc51cd2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 18:50:12 2013 -0400

    Update to pax-linux-3.10.5-test7.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/head_64.S
        mm/mempolicy.c

commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:58:42 2013 -0400

    Disable RANDKSTACK for a VirtualBox host as mentioned on the
    gentoo-hardened bugzilla:
    https://bugs.gentoo.org/show_bug.cgi?id=382793

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jul 30 13:23:39 2013 +0300

    Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
    
    net_sched: info leak in atm_tc_dump_class()
    
    The "pvc" struct has a hole after pvc.sap_family which is not cleared.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/sch_atm.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Aug 2 11:32:43 2013 +0200

    Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
    
    net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
    
    Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
    resource that was allocated via inet_alloc_ifa() unfreed when returning
    the function with -EINVAL. Thus, free it first via inet_free_ifa().
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Reviewed-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/devinet.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
Date:   Fri Aug 2 23:15:56 2013 -0400

    Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
    
    qlcnic: Free up memory in error path.
    
    Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
    Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
Date:   Fri Aug 2 23:15:54 2013 -0400

    Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
    
    qlcnic: Fix MAC address filter issue on 82xx adapter
    
    Driver was passing the address of a pointer instead of
    the pointer itself.
    
    Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:26:40 2013 -0400

    Move user namespace capability check to shared create_user_ns code so we
    cover unshare() as well.
    
    Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
    user namespaces!

 kernel/fork.c           |   17 -----------------
 kernel/user_namespace.c |   24 ++++++++++++++++++++++--
 2 files changed, 22 insertions(+), 19 deletions(-)

commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 16:05:41 2013 -0400

    silence a warning on older gcc

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b8966a5d577e9220fbc63306eee978f819f24e2e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 3 08:31:08 2013 -0400

    we only care about mmaps of the beginning of an ELF, filter out
    all others as suggested by pipacs

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:54:51 2013 -0400

    add include

 grsecurity/grsec_log.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:49:13 2013 -0400

    fix compilation

 include/linux/grinternal.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1704c23fdc55b68f512dc9927940e72237f3f43e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:34:35 2013 -0400

    Improve PaX reporting (tells when anon mapping is stack or heap)
    Remove textrel logging option, combine into rwx logging option
    Enhance RWX logging option to display when PT_GNU_STACK-enabled library
    is loaded under an MPROTECTed binary
    Enhance RWX mprotect logging to display stack/heap instead of just
    anon mapping

 fs/binfmt_elf.c            |   37 +++++++++++++++++++++++++++++++++++++
 fs/exec.c                  |    4 ++++
 grsecurity/Kconfig         |   21 +++++----------------
 grsecurity/grsec_init.c    |    4 ----
 grsecurity/grsec_log.c     |   14 ++++++++++++++
 grsecurity/grsec_pax.c     |   19 ++++++++++++++-----
 grsecurity/grsec_sysctl.c  |    9 ---------
 include/linux/binfmts.h    |    1 +
 include/linux/grinternal.h |    2 +-
 include/linux/grmsg.h      |    3 ++-
 include/linux/grsecurity.h |    3 ++-
 mm/mmap.c                  |    7 +++++++
 mm/mprotect.c              |    2 +-
 13 files changed, 88 insertions(+), 38 deletions(-)

commit faf81c100c8565524e21c9af780a0ad2ce3fd925
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:52:02 2013 -0400

    add missing #define

 grsecurity/gracl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:43:53 2013 -0400

    fix compilation for !COMPAT as reported on the forums

 grsecurity/gracl.c |  195 ++++++++++++++++++++++++++--------------------------
 1 files changed, 97 insertions(+), 98 deletions(-)

commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
Merge: 65019c9 7f91ba1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:31 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 65019c9bd05f860437071cbf00e2027fd2d68615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:20 2013 -0400

    Revert "revert recent PaX change that causes boot failures with 32bit userland"
    
    This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:46:00 2013 -0400

    Update to pax-linux-3.10.4-test7.patch:
    - added a few more missing format strings
    - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
    - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
    - fixed a UDEREF/i386 regression, __get_user_8 would always fail

 arch/x86/include/asm/processor.h           |    4 +-
 arch/x86/kernel/cpu/common.c               |    2 +-
 arch/x86/kernel/dumpstack.c                |    2 +-
 arch/x86/kernel/process_64.c               |    2 +-
 arch/x86/kernel/reboot_fixups_32.c         |    2 +-
 arch/x86/kernel/smpboot.c                  |    2 +-
 arch/x86/lib/getuser.S                     |    4 +-
 arch/x86/xen/smp.c                         |    2 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c |    8 ++--
 drivers/video/backlight/backlight.c        |    2 +-
 drivers/video/backlight/lcd.c              |    2 +-
 fs/binfmt_elf.c                            |   51 +++++++++++++++++++++++++---
 fs/exec.c                                  |   50 +++++++++++++--------------
 include/linux/sched.h                      |    2 +
 14 files changed, 88 insertions(+), 47 deletions(-)

commit 043130da54cb7cc8dc44e0ce889d426e889a0532
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 16:26:58 2013 -0400

    compile fix for !COMPAT as mentioned on forums

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ed0a195abd4e41c2449a020a53a19c74dc866d78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:33:14 2013 -0400

    perform compat conversion of rlimit infinity

 grsecurity/gracl_compat.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:21:40 2013 -0400

    remove debugging

 grsecurity/gracl_compat.c |   44 +++++++++++---------------------------------
 1 files changed, 11 insertions(+), 33 deletions(-)

commit e75b3f504692b97960a7530ad0855d91441d79c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:20:32 2013 -0400

    eliminate compat_dev_t

 include/linux/gracl_compat.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e5abbaf95313066a724e1a843d4fc902a9a6450e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:13:22 2013 -0400

    fix compat rlimit size

 grsecurity/gracl_compat.c    |   68 +++++++++++++++++++++++++++++-------------
 include/linux/gracl_compat.h |    4 +-
 2 files changed, 49 insertions(+), 23 deletions(-)

commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:20:18 2013 -0400

    compile fix

 grsecurity/gracl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:14:29 2013 -0400

    copy correct pointer size in new compat code

 grsecurity/gracl.c        |    8 ++++----
 grsecurity/gracl_compat.c |    4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 23278a1ee1c7738dd1e7005241394d32b82196e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:48:58 2013 -0400

    revert recent PaX change that causes boot failures with 32bit userland

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit ec27f71a813656fea8ab37faecb2b485fe99d08e
Merge: 3a11bcf 05f0a61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:42:21 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:41:44 2013 -0400

    Update to pax-linux-3.10.4-test6.patch:
    - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender

 include/linux/syscalls.h |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:15:50 2013 -0400

    compile fix

 grsecurity/gracl_compat.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:12:46 2013 -0400

    remove BUILD_BUG_ONs

 grsecurity/gracl_compat.c |   20 --------------------
 1 files changed, 0 insertions(+), 20 deletions(-)

commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:18:36 2013 -0400

    compile fixes

 grsecurity/gracl_compat.c    |    8 ++++----
 include/linux/gracl_compat.h |    2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 8b744005f8bae565e24c1fd88af77e6e619b9434
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:16:42 2013 -0400

    compile fixes

 grsecurity/gracl.c        |    4 ++--
 grsecurity/gracl_compat.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:13:51 2013 -0400

    compile fixes

 grsecurity/gracl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit b93b829afcc98b6108b18d99ff63c53642d0b951
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:11:03 2013 -0400

    compile fixes

 grsecurity/gracl_compat.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:08:21 2013 -0400

    more compile fixes

 grsecurity/gracl.c |   28 ++++++++++++++--------------
 1 files changed, 14 insertions(+), 14 deletions(-)

commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:59:50 2013 -0400

    more compile fixes

 grsecurity/gracl.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:56:47 2013 -0400

    additional compile fixes

 grsecurity/gracl.c |   59 +++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 49 insertions(+), 10 deletions(-)

commit ac695a081d1124fb28bec46814535d34c5e40611
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:47:15 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:46:59 2013 -0400

    compile fixes

 grsecurity/gracl.c |   53 ++++++++++++++++++++++++++++++++++++++-------------
 1 files changed, 39 insertions(+), 14 deletions(-)

commit 82631f451cc7432b6c5578cf8d24155473feb25c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:22:44 2013 -0400

    Initial commit of compat RBAC loading
    Permits 32bit gradm to load policy for a 64bit kernel
    
    Also removed code duplication for copying strings into the kernel
    
    Work performed as part of sponsorship

 grsecurity/Makefile          |    4 +
 grsecurity/gracl.c           |  315 +++++++++++++++++++++++-------------------
 grsecurity/gracl_compat.c    |  270 ++++++++++++++++++++++++++++++++++++
 include/linux/gracl_compat.h |  156 +++++++++++++++++++++
 4 files changed, 603 insertions(+), 142 deletions(-)

commit 84c4a433dfb096e4a1162ee5e68025122c70b421
Merge: c9d3ed3 9fe5897
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 17:08:56 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 9fe58978938e357642885866ca48090a7753d403
Merge: 8f693ad 6f7bb6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 17:08:43 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
Merge: d5e5bfd 8f693ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:03:08 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 8f693ade9b3e448f92706d34148b00a087637f70
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:02:16 2013 -0400

    Update to pax-linux-3.10.3-test5.patch:
    - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
    - fixed handling of faulting userland accesses for UDEREF/arm, from spender
    - updated the size overflow hash table, from Emese

 arch/arm/kernel/entry-armv.S      |    3 +-
 arch/x86/include/asm/processor.h  |    4 +-
 arch/x86/kernel/cpu/common.c      |    2 +-
 arch/x86/kernel/process_64.c      |    2 +-
 arch/x86/kernel/smpboot.c         |    2 +-
 arch/x86/xen/smp.c                |    2 +-
 tools/gcc/size_overflow_hash.data |  553 +++++++++++++++++++++++++++++++++----
 7 files changed, 513 insertions(+), 55 deletions(-)

commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
Merge: 19e077b 8a8a0d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 21:05:18 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 21:04:09 2013 -0400

    Update to pax-linux-3.10.3-test4.patch:
    - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
      this is finer grained sanitization than the existing per-page based approach (which
      is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
      line option can be used to enable/disable it on boot (it's enabled by default when
      CONFIG_PAX_MEMORY_SANITIZE is enabled).

 Documentation/kernel-parameters.txt |    4 ++++
 fs/buffer.c                         |    2 +-
 fs/dcache.c                         |    3 ++-
 include/linux/slab.h                |    7 +++++++
 include/linux/slab_def.h            |    4 ++++
 kernel/fork.c                       |    2 +-
 mm/rmap.c                           |    6 ++++--
 mm/slab.c                           |   27 +++++++++++++++++++++++++++
 mm/slab.h                           |   12 +++++++++++-
 mm/slab_common.c                    |   14 ++++++++++++++
 mm/slob.c                           |    5 +++++
 mm/slub.c                           |   11 +++++++++++
 net/core/skbuff.c                   |    6 ++++--
 security/Kconfig                    |   23 +++++++++++++++++------
 14 files changed, 112 insertions(+), 14 deletions(-)

commit 19e077bfff54ca211d0142c07cb6dd88069a390c
Merge: 960ec51 c8f7f51
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:53:34 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c8f7f51591207b82530214300e86277028919286
Merge: d5142e3 81a4648
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:52:29 2013 -0400

    Update to pax-linux-3.10.3-test3.patch:
    - fixed some compile issues reported by Michael Tremer and spender
    - fixed an i386 regression with the lower address space gap on i386, reported by cnu
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        kernel/time/tick-broadcast.c

commit 960ec51ab2142544fbae563d4fd5744775408965
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Jul 20 03:13:55 2013 +0400

    Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
    
    livelock avoidance in sget()
    
    Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
    to fail.  The superblock is on ->fs_supers, ->s_umount is held exclusive,
    ->s_active is 1.  Along comes two more processes, trying to mount the same
    thing; sget() in each is picking that superblock, bumping ->s_count and
    trying to grab ->s_umount.  ->s_active is 3 now.  Original mount(2)
    finally gets to deactivate_locked_super() on failure; ->s_active is 2,
    superblock is still ->fs_supers because shutdown will *not* happen until
    ->s_active hits 0.  ->s_umount is dropped and now we have two processes
    chasing each other:
    s_active = 2, A acquired ->s_umount, B blocked
    A sees that the damn thing is stillborn, does deactivate_locked_super()
    s_active = 1, A drops ->s_umount, B gets it
    A restarts the search and finds the same superblock.  And bumps it ->s_active.
    s_active = 2, B holds ->s_umount, A blocked on trying to get it
    ... and we are in the earlier situation with A and B switched places.
    
    The root cause, of course, is that ->s_active should not grow until we'd
    got MS_BORN.  Then failing ->mount() will have deactivate_locked_super()
    shut the damn thing down.  Fortunately, it's easy to do - the key point
    is that grab_super() is called only for superblocks currently on ->fs_supers,
    so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
    bump ->s_active; we must never increment ->s_count for superblocks past
    ->kill_sb(), but grab_super() is never called for those.
    
    The bug is pretty old; we would've caught it by now, if not for accidental
    exclusion between sget() for block filesystems; the things like cgroup or
    e.g. mtd-based filesystems don't have anything of that sort, so they get
    bitten.  The right way to deal with that is obviously to fix sget()...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/super.c |   25 ++++++++++---------------
 1 files changed, 10 insertions(+), 15 deletions(-)

commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
Merge: ab95b58 d5142e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:47:46 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
Merge: f36ae8c 0f4a56e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:47:34 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit ab95b5842899d61ff5c30f4582e72029b3155be8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:28:40 2013 -0400

    compile fix with constification reported by Michael Tremer

 drivers/gpu/host1x/drm/dc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 817cd2d1e7a55720326599dd8f542578eef30927
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Jul 12 23:46:33 2013 +0200

    Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
    
    ipv6: only static routes qualify for equal cost multipathing
    
    Static routes in this case are non-expiring routes which did not get
    configured by autoconf or by icmpv6 redirects.
    
    To make sure we actually get an ecmp route while searching for the first
    one in this fib6_node's leafs, also make sure it matches the ecmp route
    assumptions.
    
    v2:
    a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
       already ensures that this route, even if added again without
       RTF_EXPIRES (in case of a RA announcement with infinite timeout),
       does not cause the rt6i_nsiblings logic to go wrong if a later RA
       updates the expiration time later.
    
    v3:
    a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
       because an pmtu event could update the RTF_EXPIRES flag and we would
       not count this route, if another route joins this set. We now filter
       only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
       don't get changed after rt6_info construction.
    
    Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_fib.c |   15 +++++++++++----
 1 files changed, 11 insertions(+), 4 deletions(-)

commit 77db8196d51b043e2e2d124094da101b0f01bccb
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Jul 12 09:39:03 2013 +0300

    Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
    
    svcrdma: underflow issue in decode_write_list()
    
    My static checker marks everything from ntohl() as untrusted and it
    complains we could have an underflow problem doing:
    
        return (u32 *)&ary->wc_array[nchunks];
    
    Also on 32 bit systems the upper bound check could overflow.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 net/sunrpc/xprtrdma/svc_rdma_marshal.c |   20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)

commit 926473317fd7953137ef97835edd36dabc584b01
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 17 21:29:02 2013 -0400

    add missing asm/pgtable.h include, reported by Michael Tremer

 drivers/clk/socfpga/clk.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c592ae0001b31932ef1491784dfa374058797c66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 16 20:40:24 2013 -0400

    allow viewing of ecryptfs version under SYSFS_RESTRICT

 fs/sysfs/dir.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
Merge: 9c96441 f36ae8c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:23:13 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f36ae8c741ae32b1caff10825be12c327792c925
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:22:15 2013 -0400

    Update to pax-linux-3.10-test2.patch:
    - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
    - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
    - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
    - spender fixed an madvise regression, reported by Peter Keel
    - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
    - fixed a headers_install regression, reported by Mathias Krause
    - fixed a SLOB compile regression, reported by Mathias Krause

 arch/arm/include/asm/uaccess.h |    4 ++--
 arch/arm/mm/mmu.c              |   15 +++++++++++++--
 drivers/clk/socfpga/clk.c      |    6 ++++--
 mm/madvise.c                   |    4 ++--
 mm/slab.c                      |    4 ++--
 mm/slob.c                      |    4 ++--
 scripts/headers_install.sh     |    2 +-
 7 files changed, 26 insertions(+), 13 deletions(-)

commit 9c9644156a49637050741d9165df79174e59b0ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:19:54 2013 -0400

    Fix sparc64 compilation, reported by Blake Self

 arch/sparc/kernel/sys_sparc_64.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:49:17 2013 -0400

    Update PaX fix, just return the error

 mm/madvise.c |   15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

commit a10e377d0eddd37e8a3665b135e546ab03d9d171
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:36:00 2013 -0400

    Fix madvise oops reported by Peter Keel

 mm/madvise.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 08c5adca34d408772255b313f90d82c250c1d967
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:26:34 2013 -0400

    don't make high vector mapping non-present on old ARM architectures, no
    point in emulating some vector entries when the processor doesn't even support XN

 arch/arm/mm/mmu.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 2b40781d4197a89a003616af584884e36361c5b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 09:51:58 2013 -0400

    Temporary compile fix for code incorrectly modifying const data
    Wrap a cast version of the code with open/close
    
    Thanks to Michael Tremer for the report

 drivers/clk/socfpga/clk.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit a8258c1b4098c396cd4ea719e20858182feac1c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 09:41:16 2013 -0400

    Fix missing right parens in pipacs' "improvement" of my ARM code ;)
    Thanks to Michael Tremer for reporting

 arch/arm/include/asm/uaccess.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
Merge: 86f446e 2577f8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 13 20:46:58 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        mm/memcontrol.c

commit 2577f8e4ec41efb347706a59c6838de20f0c90da
Merge: 75a36f0 cb5d8be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 13 20:43:42 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        crypto/algapi.c
        drivers/block/nbd.c

commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 12 23:02:11 2013 -0400

    we always want the vector page to be noaccess for userland
    therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
    which turns into supervisor rwx, userland rx, we instead omit that entirely,
    leaving it as supervisor rwx only
    
    Fixes booting on ARMv5 and earlier, which need to write directly
    to the high vector mapping via set_tls when context switching
    
    Thanks to Michael Tremer for the bugreport

 arch/arm/mm/mmu.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit 90cd0827eef656ec884f19c977873fefe2f2e47d
Author: Cong Wang <amwang@redhat.com>
Date:   Sat Jun 29 12:02:59 2013 +0800

    Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
    
    gre: fix a regression in ioctl
    
    When testing GRE tunnel, I got:
    
     # ip tunnel show
     get tunnel gre0 failed: Invalid argument
     get tunnel gre1 failed: Invalid argument
    
    This is a regression introduced by commit c54419321455631079c7d
    ("GRE: Refactor GRE tunneling code.") because previously we
    only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
    after that commit, the check is moved for all commands.
    
    So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
    
    After this patch I got:
    
     # ip tunnel show
     gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
     gre1: gre/ip  remote 192.168.122.101  local 192.168.122.45  ttl inherit
    
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_gre.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
Author: Cong Wang <amwang@redhat.com>
Date:   Sat Jun 29 13:00:57 2013 +0800

    Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
    
    vti: remove duplicated code to fix a memory leak
    
    vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
    and in vti_tunnel_init(), this lead to a memory leak of
    dev->tstats.
    
    Just remove the duplicated operations in vti_fb_tunnel_init().
    
    (candidate for -stable)
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_vti.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:05 2013 +0200

    Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
    
    bnx2x: remove zeroing of dump data buffer
    
    There is no need to initialize the dump data with zeros.
    data is allocated with vzalloc, so it's already zero-filled.
    
    More importantly, the memset is harmful, because dump->len (the length
    requested by userspace) can be bigger than the allocated buffer (whose
    size is determined by asking the driver's .get_dump_flag method).
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c    |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit c771072b72c261f9bddd6734dca6979c1b96e7df
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:06 2013 +0200

    Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
    
    bnx2x: fix dump flag handling
    
    bnx2x interprets the dump flag as an index of a register preset.
    It is important to validate the index to avoid out of bounds
    memory accesses.
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c    |    3 +++
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c   |    2 ++
 2 files changed, 5 insertions(+), 0 deletions(-)

commit aed315c8fad9b2044143b46b239574b1b72135ce
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:30 2013 +0200

    Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
    
    ethtool: make .get_dump_data() harder to misuse by drivers
    
    As the patch "bnx2x: remove zeroing of dump data buffer" showed,
    it is too easy implement .get_dump_data incorrectly in a driver.
    
    Let's make sure drivers cannot get confused by userspace requesting
    a too big dump.
    
    Also WARN if the driver sets dump->len to something weird and make
    sure the length reported to userspace is the actual length of data
    copied to userspace.
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/ethtool.c |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

commit 5c57991e66216e386dcc875d34c33f0edd038569
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Jul 2 09:02:07 2013 +0800

    Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
    
    l2tp: add missing .owner to struct pppox_proto
    
    Add missing .owner of struct pppox_proto. This prevents the
    module from being removed from underneath its users.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Date:   Sun Jun 30 14:37:11 2013 +1000

    Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
    
    cxgb3: Missing rtnl lock in error recovery
    
    When exercising error injection on IBM pseries machine, I hit the
    following warning:
    
    [  251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
    [  253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
    [  253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
    [  254.895437] RTNL: assertion failed at net/core/dev.c (2031)
    [  254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G        W    3.10.0-rc7-00157-gea461ab #19
    [  254.895474] Call Trace:
    [  254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
    [  254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
    [  254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
    [  254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
    [  254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
    [  254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
    [  254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
    [  254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
    [  254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
    [  254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
    [  254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
    
    It appears that t3_resume_ports() is called with the rtnl_lock held from
    the fatal error task but not from the PCI error callbacks. This fixes it.
    
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Jul 1 20:21:30 2013 +0200

    Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
    
    ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
    
    We accidentally call down to ip6_push_pending_frames when uncorking
    pending AF_INET data on a ipv6 socket. This results in the following
    splat (from Dave Jones):
    
    skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:126!
    invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
    +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
    CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
    task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
    RIP: 0010:[<ffffffff816e759c>]  [<ffffffff816e759c>] skb_panic+0x63/0x65
    RSP: 0018:ffff8801e6431de8  EFLAGS: 00010282
    RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
    RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
    RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
    R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
    FS:  00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
    Stack:
     ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
     ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
     ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
    Call Trace:
     [<ffffffff8159a9aa>] skb_push+0x3a/0x40
     [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
     [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
     [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
     [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
     [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
     [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
     [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
     [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
     [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
     [<ffffffff816f5d54>] tracesys+0xdd/0xe2
    Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
    RIP  [<ffffffff816e759c>] skb_panic+0x63/0x65
     RSP <ffff8801e6431de8>
    
    This patch adds a check if the pending data is of address family AF_INET
    and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
    if that is the case.
    
    This bug was found by Dave Jones with trinity.
    
    (Also move the initialization of fl6 below the AF_INET check, even if
    not strictly necessary.)
    
    Cc: Dave Jones <davej@redhat.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/udp.h |    1 +
 net/ipv4/udp.c    |    3 ++-
 net/ipv6/udp.c    |    7 ++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

commit cd83094a85d9bbd5a67332156407d53cf8835432
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Tue Jul 2 08:04:05 2013 +0200

    Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
    
    ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
    
    If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
    of this when appending the second frame on a corked socket. This results
    in the following splat:
    
    [37598.993962] ------------[ cut here ]------------
    [37598.994008] kernel BUG at net/core/skbuff.c:2064!
    [37598.994008] invalid opcode: 0000 [#1] SMP
    [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
    +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
    +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
    [37598.994008]  snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
    +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
    [37598.994008] CPU 0
    [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
    [37598.994008] RIP: 0010:[<ffffffff815443a5>]  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008] RSP: 0018:ffff88003670da18  EFLAGS: 00010202
    [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
    [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
    [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
    [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
    [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
    [37598.994008] FS:  00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
    [37598.994008] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
    [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
    [37598.994008] Stack:
    [37598.994008]  ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
    [37598.994008]  ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
    [37598.994008]  0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
    [37598.994008] Call Trace:
    [37598.994008]  [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
    [37598.994008]  [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
    [37598.994008]  [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
    [37598.994008]  [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
    [37598.994008]  [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
    [37598.994008]  [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
    [37598.994008]  [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
    [37598.994008]  [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
    [37598.994008]  [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
    [37598.994008]  [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
    [37598.994008]  [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
    [37598.994008]  [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
    [37598.994008]  [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
    [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
    [37598.994008] RIP  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008]  RSP <ffff88003670da18>
    [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
    
    While there, also check if path mtu discovery is activated for this
    socket. The logic was adapted from ip6_append_data when first writing
    on the corked socket.
    
    This bug was introduced with commit
    0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
    fragment").
    
    v2:
    a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
    b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
       feng, thanks!).
    c) Change mtu to unsigned int, else we get a warning about
       non-matching types because of the min()-macro type-check.
    
    Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |   16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jul 7 14:26:53 2013 +0300

    Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
    
    vhost-net: fix use-after-free in vhost_net_flush
    
    vhost_net_ubuf_put_and_wait has a confusing name:
    it will actually also free it's argument.
    Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
        "vhost-net: flush outstanding DMAs on memory change"
    vhost_net_flush tries to use the argument after passing it
    to vhost_net_ubuf_put_and_wait, this results
    in use after free.
    To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
    add an new API for callers that want to free ubufs.
    
    Acked-by: Asias He <asias@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/vhost/net.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 088806db74ac2f08c106202bc5498585a9ee529f
Author: Michal Hocko <mhocko@suse.cz>
Date:   Mon Jul 8 16:00:29 2013 -0700

    Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
    
    memcg, kmem: fix reference count handling on the error path
    
    mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
    This is not correct because only memcg_propagate_kmem takes an
    additional reference while mem_cgroup_sockets_init is allowed to fail as
    well (although no current implementation fails) but it doesn't take any
    reference.  This all suggests that it should be memcg_propagate_kmem
    that should clean up after itself so this patch moves mem_cgroup_put
    over there.
    
    Unfortunately this is not that easy (as pointed out by Li Zefan) because
    memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
    marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
    memcg_propagate_kmem fails so the additional reference is dropped in
    that case in kmem_cgroup_destroy which means that the reference would be
    dropped two times.
    
    The easiest way then would be to simply remove mem_cgrroup_put from
    mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
    thing.
    
    Signed-off-by: Michal Hocko <mhocko@suse.cz>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Glauber Costa <glommer@openvz.org>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: <stable@vger.kernel.org>        [3.8]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memcontrol.c |    8 --------
 1 files changed, 0 insertions(+), 8 deletions(-)

commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
Author: Michal Hocko <mhocko@suse.cz>
Date:   Mon Jul 8 16:00:27 2013 -0700

    Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
    
    Revert "memcg: avoid dangling reference count in creation failure"
    
    This reverts commit e4715f01be697a.
    
    mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
    an additional reference from all parents so the additional
    mem_cgrroup_put(parent) potentially causes use-after-free.
    
    Signed-off-by: Michal Hocko <mhocko@suse.cz>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Glauber Costa <glommer@openvz.org>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: <stable@vger.kernel.org>        [3.9+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memcontrol.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 3267ec559f48327a1836eccecd53215afc5810d0
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jun 20 13:13:59 2013 -0700

    Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
    
    libceph: Fix NULL pointer dereference in auth client code
    
    A malicious monitor can craft an auth reply message that could cause a
    NULL function pointer dereference in the client's kernel.
    
    To prevent this, the auth_none protocol handler needs an empty
    ceph_auth_client_ops->build_request() function.
    
    CVE-2013-1059
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Chanam Park <chanam.park@hkpco.kr>
    Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
    Reviewed-by: Sage Weil <sage@inktank.com>
    Cc: stable@vger.kernel.org

 net/ceph/auth_none.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit cdfeb4049e7cb38702215b2c356ce0407974ac79
Author: Eric Paris <eparis@redhat.com>
Date:   Wed Jul 3 15:08:29 2013 -0700

    Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
    
    fork: reorder permissions when violating number of processes limits
    
    When a task is attempting to violate the RLIMIT_NPROC limit we have a
    check to see if the task is sufficiently priviledged.  The check first
    looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
    
    A result is that tasks which are allowed by the uid=0 check are first
    checked against the security subsystem.  This results in the security
    subsystem auditting a denial for sys_admin and sys_resource and then the
    task passing the uid=0 check.
    
    This patch rearranges the code to first check uid=0, since if we pass that
    we shouldn't hit the security system at all.  We then check sys_resource,
    since it is the smallest capability which will solve the problem.  Lastly
    we check the fallback everything cap_sysadmin.  We don't want to give this
    capability many places since it is so powerful.
    
    This will eliminate many of the false positive/needless denial messages we
    get when a root task tries to violate the nproc limit.  (note that
    kthreads count against root, so on a sufficiently large machine we can
    actually get past the default limits before any userspace tasks are
    launched.)
    
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/fork.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 08c87e049c8a50707908785d950fd48c334f4c09
Author: Chen Gang <gang.chen@asianux.com>
Date:   Sat Jun 22 13:26:09 2013 +0800

    Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
    
    arch: sparc: kernel: check the memory length before use strcpy().
    
    For the related next strcpy(), the destination length is less than 512,
    but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
    more than 512.
    
    One work flow may:
      openprom_sunos_ioctl() ->  if (cmd == OPROMSETOPT)
        getstrings() ->  will alloc buffer with size 'OPROMMAXPARAM'.
        opromsetopt() ->  devide the buffer into 'var' and 'value'
          of_set_property() -> pass
            prom_setprop() -> pass
              ldom_set_var()
    
    And do not mind the additional 4 alignment buffer increasing, since
    'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/ds.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 12 20:38:45 2013 -0400

    Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
    
    Unlike slub, slab can initally create two of the kmalloc_caches
    which will be used later for generic kmallocs of their particular
    aligned size (since the later loop in the unified allocator code
    skips any already-existing kmalloc_caches)

 mm/slab.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 22:04:59 2013 -0400

    compile fixes

 fs/exec.c |    2 +-
 mm/mmap.c |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

commit e2d027c7e0f106be683c0c72482b8285daefcbe6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:58:40 2013 -0400

    commit successful merges

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    3 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   17 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    4 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/defconfig                                  |    1 -
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/signal.c                           |    9 +-
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |    9 +-
 arch/x86/kernel/sys_x86_64.c                       |    8 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |    1 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  129 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/block/cpqarray.c                           |    1 +
 drivers/cdrom/cdrom.c                              |    4 +-
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/mwave/tp3780i.c                       |    1 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++++------------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    8 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |    9 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  184 ++-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/resize.c                                   |   17 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  234 ++-
 fs/namespace.c                                     |   16 +
 fs/notify/fanotify/fanotify_user.c                 |    1 +
 fs/open.c                                          |   38 +
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 ++-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |    4 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/perf_event.h                         |   13 +-
 include/linux/printk.h                             |    3 +-
 include/linux/sched.h                              |   24 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 +-
 kernel/events/core.c                               |   14 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   64 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    2 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    7 +
 kernel/printk.c                                    |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   70 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    1 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   63 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev_ioctl.c                               |    4 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    4 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netrom/af_netrom.c                             |    1 -
 net/phonet/af_phonet.c                             |    2 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  343 +++-
 security/apparmor/Kconfig                          |    9 +
 security/apparmor/apparmorfs.c                     |  231 ++
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 242 files changed, 4385 insertions(+), 2042 deletions(-)

commit 043a378c0f72ed92cc30182c48abce39867ac93f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:57:40 2013 -0400

    Commit merge of new files and rejected patches

 arch/arm/include/asm/thread_info.h     |    6 +-
 arch/arm/kernel/process.c              |    4 +-
 arch/powerpc/include/asm/thread_info.h |    7 +-
 arch/powerpc/mm/slice.c                |    2 +-
 arch/sparc/kernel/process_64.c         |    4 +-
 arch/x86/kernel/vm86_32.c              |   15 +
 fs/coredump.c                          |    1 +
 fs/ext4/balloc.c                       |    4 +-
 fs/namei.c                             |    7 +
 fs/namespace.c                         |    8 +
 fs/pipe.c                              |    2 +-
 fs/proc/inode.c                        |   13 +
 fs/proc/internal.h                     |    3 +
 grsecurity/Kconfig                     | 1054 +++++++++
 grsecurity/Makefile                    |   38 +
 grsecurity/gracl.c                     | 4073 ++++++++++++++++++++++++++++++++
 grsecurity/gracl_alloc.c               |  105 +
 grsecurity/gracl_cap.c                 |  110 +
 grsecurity/gracl_fs.c                  |  431 ++++
 grsecurity/gracl_ip.c                  |  387 +++
 grsecurity/gracl_learn.c               |  207 ++
 grsecurity/gracl_res.c                 |   68 +
 grsecurity/gracl_segv.c                |  305 +++
 grsecurity/gracl_shm.c                 |   40 +
 grsecurity/grsec_chdir.c               |   19 +
 grsecurity/grsec_chroot.c              |  370 +++
 grsecurity/grsec_disabled.c            |  434 ++++
 grsecurity/grsec_exec.c                |  187 ++
 grsecurity/grsec_fifo.c                |   24 +
 grsecurity/grsec_fork.c                |   23 +
 grsecurity/grsec_init.c                |  283 +++
 grsecurity/grsec_link.c                |   58 +
 grsecurity/grsec_log.c                 |  326 +++
 grsecurity/grsec_mem.c                 |   40 +
 grsecurity/grsec_mount.c               |   62 +
 grsecurity/grsec_pax.c                 |   36 +
 grsecurity/grsec_ptrace.c              |   30 +
 grsecurity/grsec_sig.c                 |  246 ++
 grsecurity/grsec_sock.c                |  244 ++
 grsecurity/grsec_sysctl.c              |  469 ++++
 grsecurity/grsec_time.c                |   16 +
 grsecurity/grsec_tpe.c                 |   73 +
 grsecurity/grsum.c                     |   61 +
 include/linux/gracl.h                  |  319 +++
 include/linux/gralloc.h                |    9 +
 include/linux/grdefs.h                 |  140 ++
 include/linux/grinternal.h             |  227 ++
 include/linux/grmsg.h                  |  112 +
 include/linux/grsecurity.h             |  241 ++
 include/linux/grsock.h                 |   19 +
 include/linux/netfilter/xt_gradm.h     |    9 +
 include/linux/proc_fs.h                |   13 +
 include/linux/sched.h                  |   48 +-
 include/trace/events/fs.h              |   53 +
 kernel/kmod.c                          |    7 +-
 kernel/panic.c                         |    2 +-
 kernel/posix-timers.c                  |    1 +
 kernel/time/timekeeping.c              |    2 +
 lib/Kconfig.debug                      |    2 +-
 lib/vsprintf.c                         |   31 +
 localversion-grsec                     |    1 +
 mm/mmap.c                              |   13 +-
 mm/shmem.c                             |    2 +-
 net/core/net-procfs.c                  |    5 +
 net/ipv6/udp.c                         |    3 +
 net/netfilter/xt_gradm.c               |   51 +
 66 files changed, 11184 insertions(+), 21 deletions(-)

commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 17:35:47 2013 -0400

    Initial import of pax-linux-3.10-test1.patch

 Documentation/dontdiff                             |   46 +-
 Documentation/kernel-parameters.txt                |   12 +
 Makefile                                           |  100 +-
 arch/alpha/include/asm/atomic.h                    |   10 +
 arch/alpha/include/asm/elf.h                       |    7 +
 arch/alpha/include/asm/pgalloc.h                   |    6 +
 arch/alpha/include/asm/pgtable.h                   |   11 +
 arch/alpha/kernel/module.c                         |    2 +-
 arch/alpha/kernel/osf_sys.c                        |    8 +-
 arch/alpha/mm/fault.c                              |  141 +-
 arch/arm/Kconfig                                   |    2 +-
 arch/arm/include/asm/atomic.h                      |  444 ++-
 arch/arm/include/asm/cache.h                       |    5 +-
 arch/arm/include/asm/cacheflush.h                  |    2 +-
 arch/arm/include/asm/checksum.h                    |   14 +-
 arch/arm/include/asm/cmpxchg.h                     |    2 +
 arch/arm/include/asm/domain.h                      |   33 +-
 arch/arm/include/asm/elf.h                         |   13 +-
 arch/arm/include/asm/fncpy.h                       |    2 +
 arch/arm/include/asm/futex.h                       |   10 +
 arch/arm/include/asm/kmap_types.h                  |    2 +-
 arch/arm/include/asm/mach/dma.h                    |    2 +-
 arch/arm/include/asm/mach/map.h                    |    7 +-
 arch/arm/include/asm/outercache.h                  |    2 +-
 arch/arm/include/asm/page.h                        |    2 +-
 arch/arm/include/asm/pgalloc.h                     |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h        |    5 +
 arch/arm/include/asm/pgtable-2level.h              |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h        |    2 +
 arch/arm/include/asm/pgtable-3level.h              |    2 +
 arch/arm/include/asm/pgtable.h                     |   56 +-
 arch/arm/include/asm/proc-fns.h                    |    2 +-
 arch/arm/include/asm/processor.h                   |    5 +-
 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/include/asm/smp.h                         |    2 +-
 arch/arm/include/asm/thread_info.h                 |    6 +-
 arch/arm/include/asm/uaccess.h                     |   92 +-
 arch/arm/include/uapi/asm/ptrace.h                 |    2 +-
 arch/arm/kernel/armksyms.c                         |    8 +-
 arch/arm/kernel/entry-armv.S                       |  107 +-
 arch/arm/kernel/entry-common.S                     |   41 +-
 arch/arm/kernel/entry-header.S                     |   60 +
 arch/arm/kernel/fiq.c                              |    2 +
 arch/arm/kernel/head.S                             |    6 +-
 arch/arm/kernel/hw_breakpoint.c                    |    2 +-
 arch/arm/kernel/module.c                           |   29 +-
 arch/arm/kernel/patch.c                            |    2 +
 arch/arm/kernel/perf_event_cpu.c                   |    2 +-
 arch/arm/kernel/process.c                          |   14 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/arm/kernel/setup.c                            |   22 +-
 arch/arm/kernel/signal.c                           |   24 +-
 arch/arm/kernel/smp.c                              |    2 +-
 arch/arm/kernel/traps.c                            |   15 +-
 arch/arm/kernel/vmlinux.lds.S                      |   22 +-
 arch/arm/lib/clear_user.S                          |    6 +-
 arch/arm/lib/copy_from_user.S                      |    6 +-
 arch/arm/lib/copy_page.S                           |    1 +
 arch/arm/lib/copy_to_user.S                        |    6 +-
 arch/arm/lib/csumpartialcopyuser.S                 |    4 +-
 arch/arm/lib/delay.c                               |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c                 |    2 +-
 arch/arm/mach-kirkwood/common.c                    |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                   |    2 +-
 arch/arm/mach-omap2/gpmc.c                         |   22 +-
 arch/arm/mach-omap2/omap-wakeupgen.c               |    2 +-
 arch/arm/mach-omap2/omap_device.c                  |    4 +-
 arch/arm/mach-omap2/omap_device.h                  |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                   |    4 +-
 arch/arm/mach-omap2/wd_timer.c                     |    6 +-
 arch/arm/mach-tegra/cpuidle-tegra20.c              |    2 +-
 arch/arm/mach-ux500/setup.h                        |    7 -
 arch/arm/mm/Kconfig                                |    3 +-
 arch/arm/mm/alignment.c                            |    8 +
 arch/arm/mm/fault.c                                |   91 +
 arch/arm/mm/fault.h                                |   12 +
 arch/arm/mm/init.c                                 |   41 +
 arch/arm/mm/ioremap.c                              |    4 +-
 arch/arm/mm/mmap.c                                 |   30 +-
 arch/arm/mm/mmu.c                                  |  187 +-
 arch/arm/mm/proc-v7-2level.S                       |    3 +
 arch/arm/plat-omap/sram.c                          |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h       |    2 +-
 arch/arm64/kernel/debug-monitors.c                 |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                  |    2 +-
 arch/avr32/include/asm/elf.h                       |    8 +-
 arch/avr32/include/asm/kmap_types.h                |    4 +-
 arch/avr32/mm/fault.c                              |   27 +
 arch/frv/include/asm/atomic.h                      |   10 +
 arch/frv/include/asm/kmap_types.h                  |    2 +-
 arch/frv/mm/elf-fdpic.c                            |    3 +-
 arch/ia64/include/asm/atomic.h                     |   10 +
 arch/ia64/include/asm/elf.h                        |    7 +
 arch/ia64/include/asm/pgalloc.h                    |   12 +
 arch/ia64/include/asm/pgtable.h                    |   13 +-
 arch/ia64/include/asm/spinlock.h                   |    2 +-
 arch/ia64/include/asm/uaccess.h                    |   26 +-
 arch/ia64/kernel/err_inject.c                      |    2 +-
 arch/ia64/kernel/mca.c                             |    2 +-
 arch/ia64/kernel/module.c                          |   48 +-
 arch/ia64/kernel/palinfo.c                         |    2 +-
 arch/ia64/kernel/salinfo.c                         |    2 +-
 arch/ia64/kernel/sys_ia64.c                        |    7 +
 arch/ia64/kernel/topology.c                        |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                     |    2 +-
 arch/ia64/mm/fault.c                               |   32 +-
 arch/ia64/mm/init.c                                |   13 +
 arch/m32r/lib/usercopy.c                           |    6 +
 arch/mips/include/asm/atomic.h                     |   14 +
 arch/mips/include/asm/elf.h                        |   11 +-
 arch/mips/include/asm/exec.h                       |    2 +-
 arch/mips/include/asm/page.h                       |    2 +-
 arch/mips/include/asm/pgalloc.h                    |    5 +
 arch/mips/kernel/binfmt_elfn32.c                   |    7 +
 arch/mips/kernel/binfmt_elfo32.c                   |    7 +
 arch/mips/kernel/process.c                         |   12 -
 arch/mips/mm/fault.c                               |   17 +
 arch/mips/mm/mmap.c                                |   51 +-
 arch/parisc/include/asm/atomic.h                   |   10 +
 arch/parisc/include/asm/elf.h                      |    7 +
 arch/parisc/include/asm/pgalloc.h                  |    6 +
 arch/parisc/include/asm/pgtable.h                  |   11 +
 arch/parisc/include/asm/uaccess.h                  |    4 +-
 arch/parisc/kernel/module.c                        |   50 +-
 arch/parisc/kernel/sys_parisc.c                    |    9 +-
 arch/parisc/kernel/traps.c                         |    4 +-
 arch/parisc/mm/fault.c                             |  140 +-
 arch/powerpc/include/asm/atomic.h                  |   10 +
 arch/powerpc/include/asm/elf.h                     |   19 +-
 arch/powerpc/include/asm/exec.h                    |    2 +-
 arch/powerpc/include/asm/kmap_types.h              |    2 +-
 arch/powerpc/include/asm/mman.h                    |    2 +-
 arch/powerpc/include/asm/page.h                    |    8 +-
 arch/powerpc/include/asm/page_64.h                 |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h              |    7 +
 arch/powerpc/include/asm/pgtable.h                 |    1 +
 arch/powerpc/include/asm/pte-hash32.h              |    1 +
 arch/powerpc/include/asm/reg.h                     |    1 +
 arch/powerpc/include/asm/smp.h                     |    2 +-
 arch/powerpc/include/asm/uaccess.h                 |  140 +-
 arch/powerpc/kernel/exceptions-64e.S               |    4 +-
 arch/powerpc/kernel/exceptions-64s.S               |    2 +-
 arch/powerpc/kernel/module_32.c                    |   13 +-
 arch/powerpc/kernel/process.c                      |   55 -
 arch/powerpc/kernel/signal_32.c                    |    2 +-
 arch/powerpc/kernel/signal_64.c                    |    2 +-
 arch/powerpc/kernel/sysfs.c                        |    2 +-
 arch/powerpc/kernel/vdso.c                         |    5 +-
 arch/powerpc/lib/usercopy_64.c                     |   18 -
 arch/powerpc/mm/fault.c                            |   54 +-
 arch/powerpc/mm/mmap_64.c                          |   16 +
 arch/powerpc/mm/mmu_context_nohash.c               |    2 +-
 arch/powerpc/mm/numa.c                             |    2 +-
 arch/powerpc/mm/slice.c                            |   13 +-
 arch/powerpc/platforms/cell/spufs/file.c           |    4 +-
 arch/powerpc/platforms/powermac/smp.c              |    2 +-
 arch/s390/include/asm/atomic.h                     |   10 +
 arch/s390/include/asm/elf.h                        |   13 +-
 arch/s390/include/asm/exec.h                       |    2 +-
 arch/s390/include/asm/uaccess.h                    |   15 +-
 arch/s390/kernel/module.c                          |   22 +-
 arch/s390/kernel/process.c                         |   36 -
 arch/s390/mm/mmap.c                                |   24 +
 arch/score/include/asm/exec.h                      |    2 +-
 arch/score/kernel/process.c                        |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c                 |    2 +-
 arch/sh/mm/mmap.c                                  |   22 +-
 arch/sparc/include/asm/atomic_64.h                 |  106 +-
 arch/sparc/include/asm/cache.h                     |    2 +-
 arch/sparc/include/asm/elf_32.h                    |    7 +
 arch/sparc/include/asm/elf_64.h                    |    7 +
 arch/sparc/include/asm/pgalloc_32.h                |    1 +
 arch/sparc/include/asm/pgalloc_64.h                |    1 +
 arch/sparc/include/asm/pgtable_32.h                |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                  |    5 +
 arch/sparc/include/asm/spinlock_64.h               |   35 +-
 arch/sparc/include/asm/thread_info_32.h            |    2 +
 arch/sparc/include/asm/thread_info_64.h            |    2 +
 arch/sparc/include/asm/uaccess.h                   |    1 +
 arch/sparc/include/asm/uaccess_32.h                |   27 +-
 arch/sparc/include/asm/uaccess_64.h                |   19 +-
 arch/sparc/kernel/Makefile                         |    2 +-
 arch/sparc/kernel/prom_common.c                    |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                   |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                   |   48 +-
 arch/sparc/kernel/sysfs.c                          |    2 +-
 arch/sparc/kernel/traps_64.c                       |   13 +-
 arch/sparc/lib/Makefile                            |    2 +-
 arch/sparc/lib/atomic_64.S                         |  136 +-
 arch/sparc/lib/ksyms.c                             |    6 +
 arch/sparc/mm/Makefile                             |    2 +-
 arch/sparc/mm/fault_32.c                           |  292 +
 arch/sparc/mm/fault_64.c                           |  486 ++
 arch/sparc/mm/hugetlbpage.c                        |   21 +-
 arch/tile/include/asm/atomic_64.h                  |   10 +
 arch/tile/include/asm/uaccess.h                    |    4 +-
 arch/um/Makefile                                   |    4 +
 arch/um/include/asm/kmap_types.h                   |    2 +-
 arch/um/include/asm/page.h                         |    3 +
 arch/um/include/asm/pgtable-3level.h               |    1 +
 arch/um/kernel/process.c                           |   16 -
 arch/x86/Kconfig                                   |   10 +-
 arch/x86/Kconfig.cpu                               |    6 +-
 arch/x86/Kconfig.debug                             |    4 +-
 arch/x86/Makefile                                  |   10 +
 arch/x86/boot/Makefile                             |    3 +
 arch/x86/boot/bitops.h                             |    4 +-
 arch/x86/boot/boot.h                               |    4 +-
 arch/x86/boot/compressed/Makefile                  |    3 +
 arch/x86/boot/compressed/eboot.c                   |    2 -
 arch/x86/boot/compressed/efi_stub_32.S             |   16 +-
 arch/x86/boot/compressed/head_32.S                 |    7 +-
 arch/x86/boot/compressed/head_64.S                 |    8 +-
 arch/x86/boot/compressed/misc.c                    |    4 +-
 arch/x86/boot/cpucheck.c                           |   28 +-
 arch/x86/boot/header.S                             |    6 +-
 arch/x86/boot/memory.c                             |    2 +-
 arch/x86/boot/video-vesa.c                         |    1 +
 arch/x86/boot/video.c                              |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S                |    4 +
 arch/x86/crypto/aesni-intel_asm.S                  |   22 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/camellia-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S          |    7 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S          |    9 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S            |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S       |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                   |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S       |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S            |    3 +
 arch/x86/ia32/ia32_signal.c                        |   14 +-
 arch/x86/ia32/ia32entry.S                          |  141 +-
 arch/x86/ia32/sys_ia32.c                           |    4 +-
 arch/x86/include/asm/alternative-asm.h             |   39 +
 arch/x86/include/asm/alternative.h                 |    4 +-
 arch/x86/include/asm/apic.h                        |    2 +-
 arch/x86/include/asm/apm.h                         |    4 +-
 arch/x86/include/asm/atomic.h                      |  307 +-
 arch/x86/include/asm/atomic64_32.h                 |  100 +
 arch/x86/include/asm/atomic64_64.h                 |  202 +-
 arch/x86/include/asm/bitops.h                      |    4 +-
 arch/x86/include/asm/boot.h                        |    7 +-
 arch/x86/include/asm/cache.h                       |    5 +-
 arch/x86/include/asm/cacheflush.h                  |    2 +-
 arch/x86/include/asm/checksum_32.h                 |   12 +-
 arch/x86/include/asm/cmpxchg.h                     |   35 +
 arch/x86/include/asm/compat.h                      |    2 +-
 arch/x86/include/asm/cpufeature.h                  |    4 +-
 arch/x86/include/asm/desc.h                        |   67 +-
 arch/x86/include/asm/desc_defs.h                   |    6 +
 arch/x86/include/asm/div64.h                       |    2 +-
 arch/x86/include/asm/elf.h                         |   31 +-
 arch/x86/include/asm/emergency-restart.h           |    2 +-
 arch/x86/include/asm/fpu-internal.h                |    6 +-
 arch/x86/include/asm/futex.h                       |   16 +-
 arch/x86/include/asm/hw_irq.h                      |    4 +-
 arch/x86/include/asm/i8259.h                       |    2 +-
 arch/x86/include/asm/io.h                          |   21 +-
 arch/x86/include/asm/irqflags.h                    |    5 +
 arch/x86/include/asm/kprobes.h                     |    9 +-
 arch/x86/include/asm/local.h                       |  142 +-
 arch/x86/include/asm/mman.h                        |   15 +
 arch/x86/include/asm/mmu.h                         |   16 +-
 arch/x86/include/asm/mmu_context.h                 |   76 +-
 arch/x86/include/asm/module.h                      |   17 +-
 arch/x86/include/asm/nmi.h                         |    6 +-
 arch/x86/include/asm/page.h                        |    1 +
 arch/x86/include/asm/page_64.h                     |    4 +-
 arch/x86/include/asm/paravirt.h                    |   46 +-
 arch/x86/include/asm/paravirt_types.h              |   17 +-
 arch/x86/include/asm/pgalloc.h                     |   23 +
 arch/x86/include/asm/pgtable-2level.h              |    2 +
 arch/x86/include/asm/pgtable-3level.h              |    4 +
 arch/x86/include/asm/pgtable.h                     |  122 +-
 arch/x86/include/asm/pgtable_32.h                  |   14 +-
 arch/x86/include/asm/pgtable_32_types.h            |   15 +-
 arch/x86/include/asm/pgtable_64.h                  |   19 +-
 arch/x86/include/asm/pgtable_64_types.h            |    5 +
 arch/x86/include/asm/pgtable_types.h               |   36 +-
 arch/x86/include/asm/processor.h                   |   39 +-
 arch/x86/include/asm/ptrace.h                      |   26 +-
 arch/x86/include/asm/realmode.h                    |    4 +-
 arch/x86/include/asm/reboot.h                      |   10 +-
 arch/x86/include/asm/rwsem.h                       |   60 +-
 arch/x86/include/asm/segment.h                     |   24 +-
 arch/x86/include/asm/smp.h                         |   14 +-
 arch/x86/include/asm/spinlock.h                    |   36 +-
 arch/x86/include/asm/stackprotector.h              |    4 +-
 arch/x86/include/asm/stacktrace.h                  |   32 +-
 arch/x86/include/asm/switch_to.h                   |    4 +-
 arch/x86/include/asm/thread_info.h                 |   83 +-
 arch/x86/include/asm/uaccess.h                     |   96 +-
 arch/x86/include/asm/uaccess_32.h                  |  106 +-
 arch/x86/include/asm/uaccess_64.h                  |  232 +-
 arch/x86/include/asm/word-at-a-time.h              |    2 +-
 arch/x86/include/asm/x86_init.h                    |   10 +-
 arch/x86/include/asm/xsave.h                       |   10 +-
 arch/x86/include/uapi/asm/e820.h                   |    2 +-
 arch/x86/kernel/Makefile                           |    2 +-
 arch/x86/kernel/acpi/boot.c                        |    4 +-
 arch/x86/kernel/acpi/sleep.c                       |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                   |    6 +-
 arch/x86/kernel/alternative.c                      |   65 +-
 arch/x86/kernel/apic/apic.c                        |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c                |    4 +-
 arch/x86/kernel/apic/apic_noop.c                   |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                   |    2 +-
 arch/x86/kernel/apic/es7000_32.c                   |    5 +-
 arch/x86/kernel/apic/io_apic.c                     |    8 +-
 arch/x86/kernel/apic/numaq_32.c                    |    3 +-
 arch/x86/kernel/apic/probe_32.c                    |    2 +-
 arch/x86/kernel/apic/summit_32.c                   |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c              |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c                 |    2 +-
 arch/x86/kernel/apm_32.c                           |   19 +-
 arch/x86/kernel/asm-offsets.c                      |   20 +
 arch/x86/kernel/asm-offsets_64.c                   |    1 +
 arch/x86/kernel/cpu/Makefile                       |    4 -
 arch/x86/kernel/cpu/amd.c                          |    2 +-
 arch/x86/kernel/cpu/common.c                       |   75 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c              |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |   33 +-
 arch/x86/kernel/cpu/mcheck/p5.c                    |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c           |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c               |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                    |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                    |    2 +-
 arch/x86/kernel/cpu/perf_event.c                   |    8 +-
 arch/x86/kernel/cpu/perf_event_intel.c             |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c      |    4 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h      |    2 +-
 arch/x86/kernel/cpuid.c                            |    2 +-
 arch/x86/kernel/crash.c                            |    4 +-
 arch/x86/kernel/crash_dump_64.c                    |    2 +-
 arch/x86/kernel/doublefault_32.c                   |    8 +-
 arch/x86/kernel/dumpstack.c                        |   28 +-
 arch/x86/kernel/dumpstack_32.c                     |   34 +-
 arch/x86/kernel/dumpstack_64.c                     |   61 +-
 arch/x86/kernel/e820.c                             |    4 +-
 arch/x86/kernel/early_printk.c                     |    1 +
 arch/x86/kernel/entry_32.S                         |  354 +-
 arch/x86/kernel/entry_64.S                         |  548 ++-
 arch/x86/kernel/ftrace.c                           |   14 +-
 arch/x86/kernel/head64.c                           |   13 +-
 arch/x86/kernel/head_32.S                          |  237 +-
 arch/x86/kernel/head_64.S                          |  143 +-
 arch/x86/kernel/i386_ksyms_32.c                    |    8 +
 arch/x86/kernel/i387.c                             |    2 +-
 arch/x86/kernel/i8259.c                            |   10 +-
 arch/x86/kernel/io_delay.c                         |    2 +-
 arch/x86/kernel/ioport.c                           |    2 +-
 arch/x86/kernel/irq.c                              |    8 +-
 arch/x86/kernel/irq_32.c                           |   69 +-
 arch/x86/kernel/irq_64.c                           |    2 +-
 arch/x86/kernel/kdebugfs.c                         |    2 +-
 arch/x86/kernel/kgdb.c                             |   25 +-
 arch/x86/kernel/kprobes/core.c                     |   30 +-
 arch/x86/kernel/kprobes/opt.c                      |   16 +-
 arch/x86/kernel/kvm.c                              |    2 +-
 arch/x86/kernel/ldt.c                              |   31 +-
 arch/x86/kernel/machine_kexec_32.c                 |    6 +-
 arch/x86/kernel/microcode_core.c                   |    2 +-
 arch/x86/kernel/microcode_intel.c                  |    4 +-
 arch/x86/kernel/module.c                           |   76 +-
 arch/x86/kernel/msr.c                              |    2 +-
 arch/x86/kernel/nmi.c                              |   19 +-
 arch/x86/kernel/nmi_selftest.c                     |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c               |    2 +-
 arch/x86/kernel/paravirt.c                         |   43 +-
 arch/x86/kernel/pci-calgary_64.c                   |    2 +-
 arch/x86/kernel/pci-iommu_table.c                  |    2 +-
 arch/x86/kernel/pci-swiotlb.c                      |    2 +-
 arch/x86/kernel/process.c                          |   55 +-
 arch/x86/kernel/process_32.c                       |   29 +-
 arch/x86/kernel/process_64.c                       |   15 +-
 arch/x86/kernel/ptrace.c                           |   25 +-
 arch/x86/kernel/pvclock.c                          |    8 +-
 arch/x86/kernel/reboot.c                           |   44 +-
 arch/x86/kernel/relocate_kernel_64.S               |    2 +
 arch/x86/kernel/setup.c                            |   21 +-
 arch/x86/kernel/setup_percpu.c                     |   29 +-
 arch/x86/kernel/signal.c                           |   15 +-
 arch/x86/kernel/smp.c                              |    2 +-
 arch/x86/kernel/smpboot.c                          |   15 +-
 arch/x86/kernel/step.c                             |   10 +-
 arch/x86/kernel/sys_i386_32.c                      |  184 +
 arch/x86/kernel/sys_x86_64.c                       |   22 +-
 arch/x86/kernel/tboot.c                            |   14 +-
 arch/x86/kernel/time.c                             |   10 +-
 arch/x86/kernel/tls.c                              |    7 +-
 arch/x86/kernel/traps.c                            |   64 +-
 arch/x86/kernel/uprobes.c                          |    4 +-
 arch/x86/kernel/vm86_32.c                          |    6 +-
 arch/x86/kernel/vmlinux.lds.S                      |  148 +-
 arch/x86/kernel/vsyscall_64.c                      |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                   |    2 -
 arch/x86/kernel/x86_init.c                         |    8 +-
 arch/x86/kernel/xsave.c                            |    2 +
 arch/x86/kvm/cpuid.c                               |   21 +-
 arch/x86/kvm/emulate.c                             |    4 +-
 arch/x86/kvm/lapic.c                               |    2 +-
 arch/x86/kvm/paging_tmpl.h                         |    2 +-
 arch/x86/kvm/svm.c                                 |    8 +
 arch/x86/kvm/vmx.c                                 |   61 +-
 arch/x86/kvm/x86.c                                 |    8 +-
 arch/x86/lguest/boot.c                             |    3 +-
 arch/x86/lib/atomic64_386_32.S                     |  164 +
 arch/x86/lib/atomic64_cx8_32.S                     |  103 +-
 arch/x86/lib/checksum_32.S                         |  100 +-
 arch/x86/lib/clear_page_64.S                       |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                      |    2 +
 arch/x86/lib/copy_page_64.S                        |   24 +-
 arch/x86/lib/copy_user_64.S                        |   47 +-
 arch/x86/lib/copy_user_nocache_64.S                |   20 +-
 arch/x86/lib/csum-copy_64.S                        |    2 +
 arch/x86/lib/csum-wrappers_64.c                    |    4 +-
 arch/x86/lib/getuser.S                             |   70 +-
 arch/x86/lib/insn.c                                |    6 +-
 arch/x86/lib/iomap_copy_64.S                       |    2 +
 arch/x86/lib/memcpy_64.S                           |   18 +-
 arch/x86/lib/memmove_64.S                          |   34 +-
 arch/x86/lib/memset_64.S                           |    7 +-
 arch/x86/lib/mmx_32.c                              |  243 +-
 arch/x86/lib/msr-reg.S                             |   18 +-
 arch/x86/lib/putuser.S                             |   90 +-
 arch/x86/lib/rwlock.S                              |   42 +
 arch/x86/lib/rwsem.S                               |    6 +-
 arch/x86/lib/thunk_64.S                            |    2 +
 arch/x86/lib/usercopy_32.c                         |  363 +-
 arch/x86/lib/usercopy_64.c                         |   13 +-
 arch/x86/mm/extable.c                              |   25 +-
 arch/x86/mm/fault.c                                |  556 ++-
 arch/x86/mm/gup.c                                  |    2 +-
 arch/x86/mm/highmem_32.c                           |    4 +
 arch/x86/mm/hugetlbpage.c                          |   30 +-
 arch/x86/mm/init.c                                 |   98 +-
 arch/x86/mm/init_32.c                              |  113 +-
 arch/x86/mm/init_64.c                              |   38 +-
 arch/x86/mm/iomap_32.c                             |    4 +
 arch/x86/mm/ioremap.c                              |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                  |    4 +-
 arch/x86/mm/mmap.c                                 |   41 +-
 arch/x86/mm/mmio-mod.c                             |   10 +-
 arch/x86/mm/numa.c                                 |    2 +-
 arch/x86/mm/pageattr-test.c                        |    2 +-
 arch/x86/mm/pageattr.c                             |   33 +-
 arch/x86/mm/pat.c                                  |   12 +-
 arch/x86/mm/pat_rbtree.c                           |    2 +-
 arch/x86/mm/pf_in.c                                |   10 +-
 arch/x86/mm/pgtable.c                              |  137 +-
 arch/x86/mm/pgtable_32.c                           |    3 +
 arch/x86/mm/physaddr.c                             |    4 +-
 arch/x86/mm/setup_nx.c                             |    7 +
 arch/x86/mm/tlb.c                                  |    4 +
 arch/x86/net/bpf_jit.S                             |   14 +
 arch/x86/net/bpf_jit_comp.c                        |   37 +-
 arch/x86/oprofile/backtrace.c                      |    8 +-
 arch/x86/oprofile/nmi_int.c                        |    8 +-
 arch/x86/oprofile/op_model_amd.c                   |    8 +-
 arch/x86/oprofile/op_model_ppro.c                  |    7 +-
 arch/x86/oprofile/op_x86_model.h                   |    2 +-
 arch/x86/pci/amd_bus.c                             |    2 +-
 arch/x86/pci/irq.c                                 |    8 +-
 arch/x86/pci/mrst.c                                |    4 +-
 arch/x86/pci/pcbios.c                              |  144 +-
 arch/x86/platform/efi/efi_32.c                     |   24 +
 arch/x86/platform/efi/efi_64.c                     |   10 +
 arch/x86/platform/efi/efi_stub_32.S                |   64 +-
 arch/x86/platform/efi/efi_stub_64.S                |    8 +
 arch/x86/platform/mrst/mrst.c                      |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                   |    2 +-
 arch/x86/power/cpu.c                               |   11 +-
 arch/x86/realmode/init.c                           |   10 +-
 arch/x86/realmode/rm/Makefile                      |    3 +
 arch/x86/realmode/rm/header.S                      |    4 +-
 arch/x86/realmode/rm/trampoline_32.S               |   12 +-
 arch/x86/realmode/rm/trampoline_64.S               |    2 +-
 arch/x86/tools/Makefile                            |    2 +-
 arch/x86/tools/relocs.c                            |   94 +-
 arch/x86/um/tls_32.c                               |    2 +-
 arch/x86/vdso/Makefile                             |    2 +-
 arch/x86/vdso/vdso32-setup.c                       |   23 +-
 arch/x86/vdso/vma.c                                |   29 +-
 arch/x86/xen/enlighten.c                           |   47 +-
 arch/x86/xen/mmu.c                                 |    9 +
 arch/x86/xen/smp.c                                 |   18 +-
 arch/x86/xen/xen-asm_32.S                          |   12 +-
 arch/x86/xen/xen-head.S                            |   11 +
 arch/x86/xen/xen-ops.h                             |    2 -
 block/blk-iopoll.c                                 |    4 +-
 block/blk-map.c                                    |    2 +-
 block/blk-softirq.c                                |    4 +-
 block/bsg.c                                        |   12 +-
 block/compat_ioctl.c                               |    2 +-
 block/genhd.c                                      |   11 +-
 block/partitions/efi.c                             |    8 +-
 block/scsi_ioctl.c                                 |   27 +-
 crypto/algapi.c                                    |    2 +-
 crypto/cryptd.c                                    |    4 +-
 crypto/pcrypt.c                                    |    6 +-
 drivers/acpi/apei/apei-internal.h                  |    2 +-
 drivers/acpi/apei/cper.c                           |    8 +-
 drivers/acpi/bgrt.c                                |    6 +-
 drivers/acpi/blacklist.c                           |    4 +-
 drivers/acpi/ec_sys.c                              |   12 +-
 drivers/acpi/processor_idle.c                      |    2 +-
 drivers/acpi/sysfs.c                               |    4 +-
 drivers/ata/libahci.c                              |    2 +-
 drivers/ata/libata-core.c                          |    8 +-
 drivers/ata/pata_arasan_cf.c                       |    4 +-
 drivers/atm/adummy.c                               |    2 +-
 drivers/atm/ambassador.c                           |    8 +-
 drivers/atm/atmtcp.c                               |   14 +-
 drivers/atm/eni.c                                  |   10 +-
 drivers/atm/firestream.c                           |    8 +-
 drivers/atm/fore200e.c                             |   14 +-
 drivers/atm/he.c                                   |   18 +-
 drivers/atm/horizon.c                              |    4 +-
 drivers/atm/idt77252.c                             |   36 +-
 drivers/atm/iphase.c                               |   34 +-
 drivers/atm/lanai.c                                |   12 +-
 drivers/atm/nicstar.c                              |   46 +-
 drivers/atm/solos-pci.c                            |    4 +-
 drivers/atm/suni.c                                 |    4 +-
 drivers/atm/uPD98402.c                             |   16 +-
 drivers/atm/zatm.c                                 |    6 +-
 drivers/base/attribute_container.c                 |    2 +-
 drivers/base/bus.c                                 |    4 +-
 drivers/base/devtmpfs.c                            |    8 +-
 drivers/base/node.c                                |    2 +-
 drivers/base/power/domain.c                        |    4 +-
 drivers/base/power/sysfs.c                         |    2 +-
 drivers/base/power/wakeup.c                        |    8 +-
 drivers/base/syscore.c                             |    4 +-
 drivers/block/cciss.c                              |   28 +-
 drivers/block/cciss.h                              |    2 +-
 drivers/block/cpqarray.c                           |   28 +-
 drivers/block/cpqarray.h                           |    2 +-
 drivers/block/drbd/drbd_int.h                      |    6 +-
 drivers/block/drbd/drbd_main.c                     |    8 +-
 drivers/block/drbd/drbd_receiver.c                 |   22 +-
 drivers/block/loop.c                               |    2 +-
 drivers/block/nbd.c                                |    2 +-
 drivers/block/pktcdvd.c                            |    2 +-
 drivers/cdrom/cdrom.c                              |   11 +-
 drivers/cdrom/gdrom.c                              |    1 -
 drivers/char/agp/compat_ioctl.c                    |    2 +-
 drivers/char/agp/frontend.c                        |    4 +-
 drivers/char/hpet.c                                |    2 +-
 drivers/char/hw_random/intel-rng.c                 |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c                |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                   |    8 +-
 drivers/char/mem.c                                 |   45 +-
 drivers/char/nvram.c                               |    2 +-
 drivers/char/pcmcia/synclink_cs.c                  |   18 +-
 drivers/char/random.c                              |   10 +-
 drivers/char/sonypi.c                              |    9 +-
 drivers/char/tpm/tpm_acpi.c                        |    3 +-
 drivers/char/tpm/tpm_eventlog.c                    |    7 +-
 drivers/char/virtio_console.c                      |    4 +-
 drivers/clk/clk-composite.c                        |    2 +-
 drivers/clocksource/arm_arch_timer.c               |    2 +-
 drivers/clocksource/metag_generic.c                |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                     |   20 +-
 drivers/cpufreq/cpufreq.c                          |    9 +-
 drivers/cpufreq/cpufreq_governor.c                 |    6 +-
 drivers/cpufreq/cpufreq_governor.h                 |    2 +-
 drivers/cpufreq/cpufreq_ondemand.c                 |    8 +-
 drivers/cpufreq/cpufreq_stats.c                    |    2 +-
 drivers/cpufreq/p4-clockmod.c                      |   12 +-
 drivers/cpufreq/sparc-us3-cpufreq.c                |   69 +-
 drivers/cpufreq/speedstep-centrino.c               |    7 +-
 drivers/cpuidle/cpuidle.c                          |    2 +-
 drivers/cpuidle/governor.c                         |    4 +-
 drivers/cpuidle/sysfs.c                            |    2 +-
 drivers/devfreq/devfreq.c                          |    6 +-
 drivers/dma/sh/shdma.c                             |    2 +-
 drivers/edac/edac_mc_sysfs.c                       |   12 +-
 drivers/edac/edac_pci_sysfs.c                      |   22 +-
 drivers/edac/mce_amd.h                             |    2 +-
 drivers/firewire/core-card.c                       |    2 +-
 drivers/firewire/core-device.c                     |    2 +-
 drivers/firewire/core-transaction.c                |    1 +
 drivers/firewire/core.h                            |    1 +
 drivers/firmware/dmi-id.c                          |    2 +-
 drivers/firmware/dmi_scan.c                        |    7 +-
 drivers/firmware/efi/efi.c                         |   12 +-
 drivers/firmware/efi/efivars.c                     |    2 +-
 drivers/firmware/google/memconsole.c               |    4 +-
 drivers/gpio/gpio-ich.c                            |    2 +-
 drivers/gpio/gpio-vr41xx.c                         |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                  |    2 +-
 drivers/gpu/drm/drm_drv.c                          |    6 +-
 drivers/gpu/drm/drm_fops.c                         |   18 +-
 drivers/gpu/drm/drm_global.c                       |   14 +-
 drivers/gpu/drm/drm_info.c                         |   14 +-
 drivers/gpu/drm/drm_ioc32.c                        |   13 +-
 drivers/gpu/drm/drm_ioctl.c                        |    2 +-
 drivers/gpu/drm/drm_lock.c                         |    4 +-
 drivers/gpu/drm/drm_stub.c                         |    2 +-
 drivers/gpu/drm/drm_sysfs.c                        |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                    |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c                |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                    |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c         |    4 +-
 drivers/gpu/drm/i915/i915_ioc32.c                  |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                    |   22 +-
 drivers/gpu/drm/i915/intel_display.c               |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                      |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                    |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                      |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c             |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h              |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c              |    4 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c              |    2 +-
 drivers/gpu/drm/qxl/qxl_ttm.c                      |   38 +-
 drivers/gpu/drm/r128/r128_cce.c                    |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                    |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                  |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                    |    4 +-
 drivers/gpu/drm/r128/r128_state.c                  |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c                |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c             |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h                |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c              |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c                |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c                |   57 +-
 drivers/gpu/drm/radeon/rs690.c                     |    4 +-
 drivers/gpu/drm/ttm/ttm_memory.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c               |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                       |    1 -
 drivers/gpu/drm/via/via_drv.h                      |    4 +-
 drivers/gpu/drm/via/via_irq.c                      |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h                |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c               |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c                |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c             |    2 +-
 drivers/hid/hid-core.c                             |    4 +-
 drivers/hv/channel.c                               |    4 +-
 drivers/hv/hv.c                                    |    2 +-
 drivers/hv/hyperv_vmbus.h                          |    2 +-
 drivers/hv/vmbus_drv.c                             |    4 +-
 drivers/hwmon/acpi_power_meter.c                   |    4 +-
 drivers/hwmon/applesmc.c                           |    2 +-
 drivers/hwmon/asus_atk0110.c                       |   10 +-
 drivers/hwmon/coretemp.c                           |    2 +-
 drivers/hwmon/ibmaem.c                             |    2 +-
 drivers/hwmon/iio_hwmon.c                          |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +-
 drivers/hwmon/sht15.c                              |   12 +-
 drivers/hwmon/via-cputemp.c                        |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c              |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c             |    2 +-
 drivers/i2c/i2c-dev.c                              |    2 +-
 drivers/ide/ide-cd.c                               |    2 +-
 drivers/iio/industrialio-core.c                    |    2 +-
 drivers/infiniband/core/cm.c                       |   32 +-
 drivers/infiniband/core/fmr_pool.c                 |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                  |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c             |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c            |    6 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c            |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c             |    2 +-
 drivers/infiniband/hw/nes/nes.c                    |    4 +-
 drivers/infiniband/hw/nes/nes.h                    |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c                 |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c                |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c                |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c              |   10 +-
 drivers/infiniband/hw/qib/qib.h                    |    1 +
 drivers/input/gameport/gameport.c                  |    4 +-
 drivers/input/input.c                              |    4 +-
 drivers/input/joystick/sidewinder.c                |    1 +
 drivers/input/joystick/xpad.c                      |    4 +-
 drivers/input/mouse/psmouse.h                      |    2 +-
 drivers/input/mousedev.c                           |    2 +-
 drivers/input/serio/serio.c                        |    4 +-
 drivers/iommu/iommu.c                              |    2 +-
 drivers/iommu/irq_remapping.c                      |   12 +-
 drivers/irqchip/irq-gic.c                          |    4 +-
 drivers/isdn/capi/capi.c                           |   10 +-
 drivers/isdn/gigaset/interface.c                   |    8 +-
 drivers/isdn/hardware/avm/b1.c                     |    4 +-
 drivers/isdn/i4l/isdn_tty.c                        |   22 +-
 drivers/isdn/icn/icn.c                             |    2 +-
 drivers/leds/leds-clevo-mail.c                     |    2 +-
 drivers/leds/leds-ss4200.c                         |    2 +-
 drivers/lguest/core.c                              |   10 +-
 drivers/lguest/page_tables.c                       |    2 +-
 drivers/lguest/x86/core.c                          |   12 +-
 drivers/lguest/x86/switcher_32.S                   |   27 +-
 drivers/md/bcache/closure.h                        |    2 +-
 drivers/md/bitmap.c                                |    2 +-
 drivers/md/dm-ioctl.c                              |    2 +-
 drivers/md/dm-raid1.c                              |   16 +-
 drivers/md/dm-stripe.c                             |   10 +-
 drivers/md/dm-table.c                              |    2 +-
 drivers/md/dm-thin-metadata.c                      |    4 +-
 drivers/md/dm.c                                    |   16 +-
 drivers/md/md.c                                    |   26 +-
 drivers/md/md.h                                    |    6 +-
 drivers/md/persistent-data/dm-space-map.h          |    1 +
 drivers/md/raid1.c                                 |    4 +-
 drivers/md/raid10.c                                |   16 +-
 drivers/md/raid5.c                                 |   10 +-
 drivers/media/dvb-core/dvbdev.c                    |    2 +-
 drivers/media/dvb-frontends/dib3000.h              |    2 +-
 drivers/media/pci/cx88/cx88-video.c                |    6 +-
 drivers/media/platform/omap/omap_vout.c            |   11 +-
 drivers/media/platform/s5p-tv/mixer.h              |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c    |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c          |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c        |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c     |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                  |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c                 |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |    6 +-
 drivers/media/v4l2-core/v4l2-ioctl.c               |   11 +-
 drivers/message/fusion/mptsas.c                    |   34 +-
 drivers/message/fusion/mptscsih.c                  |   19 +-
 drivers/message/i2o/i2o_proc.c                     |   51 +-
 drivers/message/i2o/iop.c                          |    8 +-
 drivers/mfd/janz-cmodio.c                          |    1 +
 drivers/mfd/twl4030-irq.c                          |    9 +-
 drivers/mfd/twl6030-irq.c                          |   10 +-
 drivers/misc/c2port/core.c                         |    4 +-
 drivers/misc/kgdbts.c                              |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c                 |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h                 |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                  |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                   |    8 +-
 drivers/misc/sgi-gru/grutables.h                   |  154 +-
 drivers/misc/sgi-xp/xp.h                           |    2 +-
 drivers/misc/sgi-xp/xpc.h                          |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                     |    4 +-
 drivers/mmc/core/mmc_ops.c                         |    2 +-
 drivers/mmc/host/dw_mmc.h                          |    2 +-
 drivers/mmc/host/sdhci-s3c.c                       |    8 +-
 drivers/mtd/nand/denali.c                          |    1 +
 drivers/mtd/nftlmount.c                            |    1 +
 drivers/mtd/sm_ftl.c                               |    2 +-
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/ethernet/8390/ax88796.c                |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h    |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c     |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h     |    3 +-
 drivers/net/ethernet/broadcom/tg3.h                |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h           |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c             |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c           |    2 +
 drivers/net/ethernet/faraday/ftmac100.c            |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c       |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c   |    7 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +-
 drivers/net/ethernet/realtek/r8169.c               |    8 +-
 drivers/net/ethernet/sfc/ptp.c                     |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c     |    4 +-
 drivers/net/hyperv/hyperv_net.h                    |    2 +-
 drivers/net/hyperv/rndis_filter.c                  |    4 +-
 drivers/net/ieee802154/fakehard.c                  |    2 +-
 drivers/net/macvlan.c                              |   18 +-
 drivers/net/macvtap.c                              |    2 +-
 drivers/net/ppp/ppp_generic.c                      |    4 +-
 drivers/net/slip/slhc.c                            |    2 +-
 drivers/net/team/team.c                            |    2 +-
 drivers/net/tun.c                                  |    5 +-
 drivers/net/usb/hso.c                              |   23 +-
 drivers/net/vxlan.c                                |    2 +-
 drivers/net/wireless/at76c50x-usb.c                |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c        |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c        |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h                |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c           |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c         |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c          |    4 +-
 drivers/net/wireless/mac80211_hwsim.c              |   32 +-
 drivers/net/wireless/rndis_wlan.c                  |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h               |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c          |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c              |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c              |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c              |    6 +-
 drivers/oprofile/buffer_sync.c                     |    8 +-
 drivers/oprofile/event_buffer.c                    |    2 +-
 drivers/oprofile/oprof.c                           |    2 +-
 drivers/oprofile/oprofile_files.c                  |    2 +-
 drivers/oprofile/oprofile_stats.c                  |   10 +-
 drivers/oprofile/oprofile_stats.h                  |   10 +-
 drivers/oprofile/oprofilefs.c                      |    2 +-
 drivers/oprofile/timer_int.c                       |    2 +-
 drivers/parport/procfs.c                           |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                  |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c               |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c                |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c                 |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c             |    6 +-
 drivers/pci/hotplug/pciehp_core.c                  |    2 +-
 drivers/pci/pci-sysfs.c                            |    6 +-
 drivers/pci/pci.h                                  |    2 +-
 drivers/pci/pcie/aspm.c                            |    6 +-
 drivers/pci/probe.c                                |    2 +-
 drivers/platform/x86/chromeos_laptop.c             |    2 +-
 drivers/platform/x86/msi-laptop.c                  |   14 +-
 drivers/platform/x86/sony-laptop.c                 |    2 +-
 drivers/platform/x86/thinkpad_acpi.c               |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                    |   14 +-
 drivers/pnp/resource.c                             |    4 +-
 drivers/power/pda_power.c                          |    7 +-
 drivers/power/power_supply.h                       |    4 +-
 drivers/power/power_supply_core.c                  |    7 +-
 drivers/power/power_supply_sysfs.c                 |    6 +-
 drivers/regulator/max8660.c                        |    6 +-
 drivers/regulator/max8973-regulator.c              |    8 +-
 drivers/regulator/mc13892-regulator.c              |    6 +-
 drivers/rtc/rtc-cmos.c                             |    4 +-
 drivers/rtc/rtc-ds1307.c                           |    2 +-
 drivers/rtc/rtc-m48t59.c                           |    4 +-
 drivers/scsi/bfa/bfa_fcpim.h                       |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                         |    4 +-
 drivers/scsi/hosts.c                               |    4 +-
 drivers/scsi/hpsa.c                                |   30 +-
 drivers/scsi/hpsa.h                                |    2 +-
 drivers/scsi/libfc/fc_exch.c                       |   50 +-
 drivers/scsi/libsas/sas_ata.c                      |    2 +-
 drivers/scsi/lpfc/lpfc.h                           |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                   |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                      |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                      |   16 +-
 drivers/scsi/pmcraid.c                             |   20 +-
 drivers/scsi/pmcraid.h                             |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                    |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                     |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                      |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                     |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                      |    6 +-
 drivers/scsi/scsi.c                                |    2 +-
 drivers/scsi/scsi_lib.c                            |    6 +-
 drivers/scsi/scsi_sysfs.c                          |    2 +-
 drivers/scsi/scsi_tgt_lib.c                        |    2 +-
 drivers/scsi/scsi_transport_fc.c                   |    8 +-
 drivers/scsi/scsi_transport_iscsi.c                |    6 +-
 drivers/scsi/scsi_transport_srp.c                  |    6 +-
 drivers/scsi/sd.c                                  |    2 +-
 drivers/scsi/sg.c                                  |    2 +-
 drivers/spi/spi.c                                  |    2 +-
 drivers/staging/media/solo6x10/solo6x10-core.c     |    2 +-
 drivers/staging/octeon/ethernet-rx.c               |   12 +-
 drivers/staging/octeon/ethernet.c                  |    8 +-
 drivers/staging/rtl8712/rtl871x_io.h               |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c                 |    2 +-
 drivers/staging/usbip/vhci.h                       |    2 +-
 drivers/staging/usbip/vhci_hcd.c                   |    6 +-
 drivers/staging/usbip/vhci_rx.c                    |    2 +-
 drivers/staging/vt6655/hostap.c                    |    7 +-
 drivers/staging/vt6656/hostap.c                    |    7 +-
 drivers/staging/zcache/tmem.c                      |    4 +-
 drivers/staging/zcache/tmem.h                      |    2 +
 drivers/target/target_core_device.c                |    2 +-
 drivers/target/target_core_transport.c             |    2 +-
 drivers/tty/cyclades.c                             |    6 +-
 drivers/tty/hvc/hvc_console.c                      |   14 +-
 drivers/tty/hvc/hvcs.c                             |   21 +-
 drivers/tty/ipwireless/tty.c                       |   27 +-
 drivers/tty/moxa.c                                 |    2 +-
 drivers/tty/n_gsm.c                                |    4 +-
 drivers/tty/n_tty.c                                |    3 +-
 drivers/tty/pty.c                                  |    4 +-
 drivers/tty/rocket.c                               |    6 +-
 drivers/tty/serial/kgdboc.c                        |   32 +-
 drivers/tty/serial/samsung.c                       |    9 +-
 drivers/tty/serial/serial_core.c                   |    8 +-
 drivers/tty/synclink.c                             |   34 +-
 drivers/tty/synclink_gt.c                          |   28 +-
 drivers/tty/synclinkmp.c                           |   34 +-
 drivers/tty/tty_io.c                               |    2 +-
 drivers/tty/tty_ldisc.c                            |   10 +-
 drivers/tty/tty_port.c                             |   22 +-
 drivers/uio/uio.c                                  |   21 +-
 drivers/usb/atm/cxacru.c                           |    2 +-
 drivers/usb/atm/usbatm.c                           |   24 +-
 drivers/usb/core/devices.c                         |    6 +-
 drivers/usb/core/hcd.c                             |    4 +-
 drivers/usb/core/message.c                         |    2 +-
 drivers/usb/core/sysfs.c                           |    2 +-
 drivers/usb/core/usb.c                             |    2 +-
 drivers/usb/early/ehci-dbgp.c                      |   16 +-
 drivers/usb/gadget/u_serial.c                      |   22 +-
 drivers/usb/serial/console.c                       |    6 +-
 drivers/usb/storage/usb.h                          |    2 +-
 drivers/usb/wusbcore/wa-hc.h                       |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                     |    2 +-
 drivers/vhost/vringh.c                             |    2 +-
 drivers/video/aty/aty128fb.c                       |    2 +-
 drivers/video/aty/atyfb_base.c                     |    8 +-
 drivers/video/aty/mach64_cursor.c                  |    5 +-
 drivers/video/backlight/kb3886_bl.c                |    2 +-
 drivers/video/fb_defio.c                           |    6 +-
 drivers/video/fbcmap.c                             |    3 +-
 drivers/video/fbmem.c                              |    6 +-
 drivers/video/i810/i810_accel.c                    |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c            |   16 +-
 drivers/video/nvidia/nvidia.c                      |   27 +-
 drivers/video/output.c                             |    2 +-
 drivers/video/s1d13xxxfb.c                         |    6 +-
 drivers/video/smscufx.c                            |    4 +-
 drivers/video/udlfb.c                              |   36 +-
 drivers/video/uvesafb.c                            |   53 +-
 drivers/video/vesafb.c                             |   58 +-
 drivers/video/via/via_clock.h                      |    2 +-
 fs/9p/vfs_addr.c                                   |    2 +-
 fs/9p/vfs_inode.c                                  |    2 +-
 fs/Kconfig.binfmt                                  |    2 +-
 fs/aio.c                                           |   12 +-
 fs/autofs4/waitq.c                                 |    2 +-
 fs/befs/endian.h                                   |    4 +-
 fs/befs/linuxvfs.c                                 |    2 +-
 fs/binfmt_aout.c                                   |   23 +-
 fs/binfmt_elf.c                                    |  607 ++-
 fs/binfmt_flat.c                                   |    6 +
 fs/bio.c                                           |    6 +-
 fs/block_dev.c                                     |    2 +-
 fs/btrfs/ctree.c                                   |    9 +-
 fs/btrfs/super.c                                   |    2 +-
 fs/cachefiles/bind.c                               |    6 +-
 fs/cachefiles/daemon.c                             |    8 +-
 fs/cachefiles/internal.h                           |   12 +-
 fs/cachefiles/namei.c                              |    2 +-
 fs/cachefiles/proc.c                               |   12 +-
 fs/cachefiles/rdwr.c                               |    2 +-
 fs/ceph/dir.c                                      |    2 +-
 fs/cifs/cifs_debug.c                               |   12 +-
 fs/cifs/cifsfs.c                                   |    8 +-
 fs/cifs/cifsglob.h                                 |   54 +-
 fs/cifs/link.c                                     |    2 +-
 fs/cifs/misc.c                                     |    4 +-
 fs/cifs/smb1ops.c                                  |   80 +-
 fs/cifs/smb2ops.c                                  |   84 +-
 fs/cifs/smb2pdu.c                                  |    3 +-
 fs/coda/cache.c                                    |   10 +-
 fs/compat.c                                        |    6 +-
 fs/compat_binfmt_elf.c                             |    2 +
 fs/compat_ioctl.c                                  |   12 +-
 fs/configfs/dir.c                                  |   10 +-
 fs/coredump.c                                      |   24 +-
 fs/dcache.c                                        |    2 +-
 fs/ecryptfs/inode.c                                |    4 +-
 fs/ecryptfs/miscdev.c                              |    2 +-
 fs/exec.c                                          |  362 ++-
 fs/ext4/ext4.h                                     |   20 +-
 fs/ext4/mballoc.c                                  |   44 +-
 fs/ext4/mmp.c                                      |    2 +-
 fs/ext4/super.c                                    |    4 +-
 fs/fhandle.c                                       |    3 +-
 fs/fs_struct.c                                     |    8 +-
 fs/fscache/cookie.c                                |   36 +-
 fs/fscache/internal.h                              |  196 +-
 fs/fscache/object.c                                |   28 +-
 fs/fscache/operation.c                             |   30 +-
 fs/fscache/page.c                                  |  110 +-
 fs/fscache/stats.c                                 |  344 +-
 fs/fuse/cuse.c                                     |   10 +-
 fs/fuse/dev.c                                      |    4 +-
 fs/fuse/dir.c                                      |    2 +-
 fs/gfs2/inode.c                                    |    2 +-
 fs/hugetlbfs/inode.c                               |   13 +-
 fs/inode.c                                         |    4 +-
 fs/jffs2/erase.c                                   |    3 +-
 fs/jffs2/wbuf.c                                    |    3 +-
 fs/jfs/super.c                                     |    2 +-
 fs/libfs.c                                         |   10 +-
 fs/lockd/clntproc.c                                |    4 +-
 fs/lockd/svc.c                                     |    2 +-
 fs/locks.c                                         |    8 +-
 fs/namei.c                                         |   15 +-
 fs/namespace.c                                     |   10 +-
 fs/nfs/callback.c                                  |    4 +-
 fs/nfs/callback_xdr.c                              |    2 +-
 fs/nfs/inode.c                                     |    6 +-
 fs/nfs/nfs4state.c                                 |    2 +-
 fs/nfsd/nfs4proc.c                                 |    2 +-
 fs/nfsd/nfs4xdr.c                                  |    6 +-
 fs/nfsd/nfscache.c                                 |    9 +-
 fs/nfsd/vfs.c                                      |    6 +-
 fs/nls/nls_base.c                                  |   18 +-
 fs/nls/nls_euc-jp.c                                |    6 +-
 fs/nls/nls_koi8-ru.c                               |    6 +-
 fs/notify/fanotify/fanotify_user.c                 |    4 +-
 fs/notify/notification.c                           |    4 +-
 fs/ntfs/dir.c                                      |    2 +-
 fs/ntfs/file.c                                     |    4 +-
 fs/ocfs2/localalloc.c                              |    2 +-
 fs/ocfs2/ocfs2.h                                   |   10 +-
 fs/ocfs2/suballoc.c                                |   12 +-
 fs/ocfs2/super.c                                   |   20 +-
 fs/pipe.c                                          |   61 +-
 fs/proc/array.c                                    |   20 +
 fs/proc/base.c                                     |    4 +-
 fs/proc/kcore.c                                    |   32 +-
 fs/proc/meminfo.c                                  |    2 +-
 fs/proc/nommu.c                                    |    2 +-
 fs/proc/proc_sysctl.c                              |   18 +-
 fs/proc/self.c                                     |    2 +-
 fs/proc/task_mmu.c                                 |   39 +-
 fs/proc/task_nommu.c                               |    4 +-
 fs/proc/vmcore.c                                   |   12 +-
 fs/qnx6/qnx6.h                                     |    4 +-
 fs/quota/netlink.c                                 |    4 +-
 fs/read_write.c                                    |    2 +-
 fs/readdir.c                                       |    2 +-
 fs/reiserfs/do_balan.c                             |    2 +-
 fs/reiserfs/procfs.c                               |    2 +-
 fs/reiserfs/reiserfs.h                             |    4 +-
 fs/seq_file.c                                      |    2 +-
 fs/splice.c                                        |   40 +-
 fs/sysfs/bin.c                                     |    6 +-
 fs/sysfs/dir.c                                     |    2 +-
 fs/sysfs/file.c                                    |   10 +-
 fs/sysfs/symlink.c                                 |    2 +-
 fs/sysv/sysv.h                                     |    2 +-
 fs/ubifs/io.c                                      |    2 +-
 fs/udf/misc.c                                      |    2 +-
 fs/ufs/swab.h                                      |    4 +-
 fs/xattr.c                                         |   21 +
 fs/xattr_acl.c                                     |    4 +-
 fs/xfs/xfs_bmap.c                                  |    2 +-
 fs/xfs/xfs_dir2_sf.c                               |   10 +-
 fs/xfs/xfs_ioctl.c                                 |    2 +-
 fs/xfs/xfs_iops.c                                  |    2 +-
 include/asm-generic/4level-fixup.h                 |    2 +
 include/asm-generic/atomic-long.h                  |  210 +
 include/asm-generic/atomic.h                       |    2 +-
 include/asm-generic/atomic64.h                     |   12 +
 include/asm-generic/cache.h                        |    4 +-
 include/asm-generic/emergency-restart.h            |    2 +-
 include/asm-generic/kmap_types.h                   |    4 +-
 include/asm-generic/local.h                        |   13 +
 include/asm-generic/pgtable-nopmd.h                |   18 +-
 include/asm-generic/pgtable-nopud.h                |   15 +-
 include/asm-generic/pgtable.h                      |    8 +
 include/asm-generic/vmlinux.lds.h                  |   10 +-
 include/crypto/algapi.h                            |    2 +-
 include/drm/drmP.h                                 |   17 +-
 include/drm/drm_crtc_helper.h                      |    2 +-
 include/drm/ttm/ttm_memory.h                       |    2 +-
 include/keys/asymmetric-subtype.h                  |    2 +-
 include/linux/atmdev.h                             |    4 +-
 include/linux/binfmts.h                            |    3 +-
 include/linux/blkdev.h                             |    2 +-
 include/linux/blktrace_api.h                       |    2 +-
 include/linux/cache.h                              |    4 +
 include/linux/cdrom.h                              |    1 -
 include/linux/cleancache.h                         |    2 +-
 include/linux/clk-provider.h                       |    1 +
 include/linux/compat.h                             |    4 +-
 include/linux/compiler-gcc4.h                      |   20 +
 include/linux/compiler.h                           |   65 +-
 include/linux/completion.h                         |    6 +-
 include/linux/configfs.h                           |    2 +-
 include/linux/cpu.h                                |    2 +-
 include/linux/cpufreq.h                            |    3 +-
 include/linux/cpuidle.h                            |    5 +-
 include/linux/cpumask.h                            |   12 +-
 include/linux/crypto.h                             |    6 +-
 include/linux/ctype.h                              |    2 +-
 include/linux/decompress/mm.h                      |    2 +-
 include/linux/devfreq.h                            |    2 +-
 include/linux/device.h                             |    7 +-
 include/linux/dma-mapping.h                        |    2 +-
 include/linux/dmaengine.h                          |    4 +-
 include/linux/efi.h                                |    1 +
 include/linux/elf.h                                |    2 +
 include/linux/err.h                                |    4 +-
 include/linux/extcon.h                             |    2 +-
 include/linux/fb.h                                 |    2 +-
 include/linux/filter.h                             |    4 +
 include/linux/frontswap.h                          |    2 +-
 include/linux/fs.h                                 |    3 +-
 include/linux/fs_struct.h                          |    2 +-
 include/linux/fscache-cache.h                      |    4 +-
 include/linux/fscache.h                            |    2 +-
 include/linux/fsnotify.h                           |    2 +-
 include/linux/genhd.h                              |    2 +-
 include/linux/genl_magic_func.h                    |    2 +-
 include/linux/gfp.h                                |   12 +-
 include/linux/highmem.h                            |   12 +
 include/linux/hwmon-sysfs.h                        |    5 +-
 include/linux/i2c.h                                |    1 +
 include/linux/i2o.h                                |    2 +-
 include/linux/if_pppox.h                           |    2 +-
 include/linux/init.h                               |   33 +-
 include/linux/init_task.h                          |    7 +
 include/linux/interrupt.h                          |    8 +-
 include/linux/iommu.h                              |    2 +-
 include/linux/ioport.h                             |    2 +-
 include/linux/irq.h                                |    3 +-
 include/linux/irqchip/arm-gic.h                    |    4 +-
 include/linux/key-type.h                           |    2 +-
 include/linux/kgdb.h                               |    6 +-
 include/linux/kobject.h                            |    3 +-
 include/linux/kobject_ns.h                         |    2 +-
 include/linux/kref.h                               |    2 +-
 include/linux/kvm_host.h                           |    4 +-
 include/linux/libata.h                             |    2 +-
 include/linux/list.h                               |   15 +
 include/linux/math64.h                             |    6 +-
 include/linux/mm.h                                 |  116 +-
 include/linux/mm_types.h                           |   20 +
 include/linux/mmiotrace.h                          |    4 +-
 include/linux/mmzone.h                             |    2 +-
 include/linux/mod_devicetable.h                    |    6 +-
 include/linux/module.h                             |   60 +-
 include/linux/moduleloader.h                       |   16 +
 include/linux/moduleparam.h                        |    4 +-
 include/linux/namei.h                              |    6 +-
 include/linux/net.h                                |    2 +-
 include/linux/netdevice.h                          |    3 +-
 include/linux/netfilter.h                          |    2 +-
 include/linux/netfilter/ipset/ip_set.h             |    2 +-
 include/linux/netfilter/nfnetlink.h                |    2 +-
 include/linux/nls.h                                |    2 +-
 include/linux/notifier.h                           |    3 +-
 include/linux/oprofile.h                           |    4 +-
 include/linux/pci_hotplug.h                        |    3 +-
 include/linux/perf_event.h                         |   12 +-
 include/linux/pipe_fs_i.h                          |    8 +-
 include/linux/platform_data/usb-ehci-s5p.h         |    2 +-
 include/linux/platform_data/usb-ohci-exynos.h      |    2 +-
 include/linux/pm_domain.h                          |    2 +-
 include/linux/pm_runtime.h                         |    2 +-
 include/linux/pnp.h                                |    2 +-
 include/linux/poison.h                             |    4 +-
 include/linux/power/smartreflex.h                  |    2 +-
 include/linux/ppp-comp.h                           |    2 +-
 include/linux/proc_ns.h                            |    2 +-
 include/linux/random.h                             |    5 +
 include/linux/rculist.h                            |   16 +
 include/linux/reboot.h                             |   14 +-
 include/linux/regset.h                             |    3 +-
 include/linux/relay.h                              |    2 +-
 include/linux/rio.h                                |    2 +-
 include/linux/rmap.h                               |    4 +-
 include/linux/sched.h                              |   65 +-
 include/linux/sched/sysctl.h                       |    1 +
 include/linux/seq_file.h                           |    1 +
 include/linux/skbuff.h                             |   12 +-
 include/linux/slab.h                               |   42 +-
 include/linux/slab_def.h                           |   28 +-
 include/linux/slob_def.h                           |    4 +-
 include/linux/slub_def.h                           |    8 +-
 include/linux/sock_diag.h                          |    2 +-
 include/linux/sonet.h                              |    2 +-
 include/linux/sunrpc/addr.h                        |    8 +-
 include/linux/sunrpc/clnt.h                        |    2 +-
 include/linux/sunrpc/svc.h                         |    2 +-
 include/linux/sunrpc/svc_rdma.h                    |   18 +-
 include/linux/sunrpc/svcauth.h                     |    2 +-
 include/linux/swiotlb.h                            |    3 +-
 include/linux/syscalls.h                           |   10 +-
 include/linux/syscore_ops.h                        |    2 +-
 include/linux/sysctl.h                             |    6 +-
 include/linux/sysfs.h                              |   10 +-
 include/linux/sysrq.h                              |    3 +-
 include/linux/thread_info.h                        |    7 +
 include/linux/tty.h                                |    4 +-
 include/linux/tty_driver.h                         |    2 +-
 include/linux/tty_ldisc.h                          |    2 +-
 include/linux/types.h                              |   16 +
 include/linux/uaccess.h                            |    6 +-
 include/linux/unaligned/access_ok.h                |   24 +-
 include/linux/usb.h                                |    4 +-
 include/linux/usb/renesas_usbhs.h                  |    2 +-
 include/linux/vermagic.h                           |   21 +-
 include/linux/vmalloc.h                            |   11 +-
 include/linux/vmstat.h                             |   20 +-
 include/linux/xattr.h                              |    5 +-
 include/linux/zlib.h                               |    3 +-
 include/media/v4l2-dev.h                           |    2 +-
 include/net/9p/transport.h                         |    2 +-
 include/net/bluetooth/l2cap.h                      |    2 +-
 include/net/caif/cfctrl.h                          |    6 +-
 include/net/flow.h                                 |    2 +-
 include/net/genetlink.h                            |    2 +-
 include/net/gro_cells.h                            |    2 +-
 include/net/inet_connection_sock.h                 |    2 +-
 include/net/inetpeer.h                             |    8 +-
 include/net/ip.h                                   |    2 +-
 include/net/ip_fib.h                               |    2 +-
 include/net/ip_vs.h                                |    8 +-
 include/net/irda/ircomm_tty.h                      |    1 +
 include/net/iucv/af_iucv.h                         |    2 +-
 include/net/llc_c_ac.h                             |    2 +-
 include/net/llc_c_ev.h                             |    4 +-
 include/net/llc_c_st.h                             |    2 +-
 include/net/llc_s_ac.h                             |    2 +-
 include/net/llc_s_st.h                             |    2 +-
 include/net/mac80211.h                             |    2 +-
 include/net/neighbour.h                            |    2 +-
 include/net/net_namespace.h                        |   12 +-
 include/net/netdma.h                               |    2 +-
 include/net/netlink.h                              |    2 +-
 include/net/netns/conntrack.h                      |    6 +-
 include/net/netns/ipv4.h                           |    2 +-
 include/net/netns/ipv6.h                           |    2 +-
 include/net/protocol.h                             |    4 +-
 include/net/rtnetlink.h                            |    2 +-
 include/net/sctp/sctp.h                            |    6 +-
 include/net/sctp/sm.h                              |    4 +-
 include/net/sctp/structs.h                         |    2 +-
 include/net/sock.h                                 |    6 +-
 include/net/tcp.h                                  |    8 +-
 include/net/xfrm.h                                 |    8 +-
 include/rdma/iw_cm.h                               |    2 +-
 include/scsi/libfc.h                               |    3 +-
 include/scsi/scsi_device.h                         |    6 +-
 include/scsi/scsi_transport_fc.h                   |    3 +-
 include/sound/compress_driver.h                    |    2 +-
 include/sound/soc.h                                |    4 +-
 include/target/target_core_base.h                  |    2 +-
 include/trace/events/irq.h                         |    4 +-
 include/uapi/linux/a.out.h                         |    8 +
 include/uapi/linux/byteorder/little_endian.h       |   28 +-
 include/uapi/linux/elf.h                           |   28 +
 include/uapi/linux/screen_info.h                   |    3 +-
 include/uapi/linux/swab.h                          |    6 +-
 include/uapi/linux/sysctl.h                        |    6 +-
 include/uapi/linux/xattr.h                         |    4 +
 include/video/udlfb.h                              |    8 +-
 include/video/uvesafb.h                            |    1 +
 init/Kconfig                                       |    2 +-
 init/Makefile                                      |    3 +
 init/do_mounts.c                                   |   14 +-
 init/do_mounts.h                                   |    8 +-
 init/do_mounts_initrd.c                            |   30 +-
 init/do_mounts_md.c                                |    6 +-
 init/init_task.c                                   |    4 +
 init/initramfs.c                                   |   42 +-
 init/main.c                                        |   83 +-
 ipc/ipc_sysctl.c                                   |   10 +-
 ipc/mq_sysctl.c                                    |    2 +-
 ipc/msg.c                                          |   11 +-
 ipc/sem.c                                          |   11 +-
 ipc/shm.c                                          |   17 +-
 kernel/acct.c                                      |    2 +-
 kernel/audit.c                                     |    8 +-
 kernel/auditfilter.c                               |    2 +-
 kernel/auditsc.c                                   |    4 +-
 kernel/capability.c                                |    3 +
 kernel/compat.c                                    |   38 +-
 kernel/debug/debug_core.c                          |   16 +-
 kernel/debug/kdb/kdb_main.c                        |    4 +-
 kernel/events/core.c                               |   30 +-
 kernel/events/internal.h                           |   10 +-
 kernel/exit.c                                      |    4 +-
 kernel/fork.c                                      |  167 +-
 kernel/futex.c                                     |    9 +
 kernel/futex_compat.c                              |    2 +-
 kernel/gcov/base.c                                 |    7 +-
 kernel/hrtimer.c                                   |    4 +-
 kernel/irq_work.c                                  |    7 +-
 kernel/jump_label.c                                |    5 +
 kernel/kallsyms.c                                  |   39 +-
 kernel/kexec.c                                     |    3 +-
 kernel/kmod.c                                      |    4 +-
 kernel/kprobes.c                                   |    8 +-
 kernel/ksysfs.c                                    |    2 +-
 kernel/lockdep.c                                   |    7 +-
 kernel/module.c                                    |  337 +-
 kernel/mutex-debug.c                               |   12 +-
 kernel/mutex-debug.h                               |    4 +-
 kernel/mutex.c                                     |   11 +-
 kernel/notifier.c                                  |   17 +-
 kernel/panic.c                                     |    3 +-
 kernel/pid.c                                       |    2 +-
 kernel/pid_namespace.c                             |    2 +-
 kernel/posix-cpu-timers.c                          |    4 +-
 kernel/posix-timers.c                              |   22 +-
 kernel/power/process.c                             |   12 +-
 kernel/profile.c                                   |   14 +-
 kernel/ptrace.c                                    |    8 +-
 kernel/rcupdate.c                                  |    4 +-
 kernel/rcutiny.c                                   |    4 +-
 kernel/rcutiny_plugin.h                            |    2 +-
 kernel/rcutorture.c                                |   56 +-
 kernel/rcutree.c                                   |   76 +-
 kernel/rcutree.h                                   |   24 +-
 kernel/rcutree_plugin.h                            |   20 +-
 kernel/rcutree_trace.c                             |   22 +-
 kernel/rtmutex-tester.c                            |   24 +-
 kernel/sched/auto_group.c                          |    4 +-
 kernel/sched/core.c                                |   51 +-
 kernel/sched/fair.c                                |    4 +-
 kernel/sched/sched.h                               |    2 +-
 kernel/signal.c                                    |   12 +-
 kernel/smp.c                                       |    2 +-
 kernel/smpboot.c                                   |    4 +-
 kernel/softirq.c                                   |   18 +-
 kernel/srcu.c                                      |    4 +-
 kernel/sys.c                                       |   10 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/time.c                                      |    2 +-
 kernel/time/alarmtimer.c                           |    2 +-
 kernel/time/tick-broadcast.c                       |    2 +-
 kernel/time/timer_stats.c                          |   10 +-
 kernel/timer.c                                     |    6 +-
 kernel/trace/blktrace.c                            |    6 +-
 kernel/trace/ftrace.c                              |   18 +-
 kernel/trace/ring_buffer.c                         |   76 +-
 kernel/trace/trace.c                               |    2 +-
 kernel/trace/trace.h                               |    2 +-
 kernel/trace/trace_events.c                        |   25 +-
 kernel/trace/trace_mmiotrace.c                     |    8 +-
 kernel/trace/trace_output.c                        |   12 +-
 kernel/trace/trace_stack.c                         |    2 +-
 kernel/user_namespace.c                            |    2 +-
 kernel/utsname_sysctl.c                            |    2 +-
 kernel/watchdog.c                                  |    2 +-
 kernel/workqueue.c                                 |    2 +-
 lib/Kconfig.debug                                  |    8 +-
 lib/Makefile                                       |    2 +-
 lib/bitmap.c                                       |    8 +-
 lib/bug.c                                          |    2 +
 lib/debugobjects.c                                 |    2 +-
 lib/devres.c                                       |    4 +-
 lib/div64.c                                        |    4 +-
 lib/dma-debug.c                                    |    4 +-
 lib/inflate.c                                      |    2 +-
 lib/ioremap.c                                      |    4 +-
 lib/kobject.c                                      |    6 +-
 lib/list_debug.c                                   |  126 +-
 lib/radix-tree.c                                   |    2 +-
 lib/strncpy_from_user.c                            |    2 +-
 lib/strnlen_user.c                                 |    2 +-
 lib/swiotlb.c                                      |    2 +-
 lib/usercopy.c                                     |    6 +
 lib/vsprintf.c                                     |   12 +-
 mm/Kconfig                                         |    6 +-
 mm/backing-dev.c                                   |    4 +-
 mm/filemap.c                                       |    2 +-
 mm/fremap.c                                        |    5 +
 mm/highmem.c                                       |    7 +-
 mm/hugetlb.c                                       |   70 +-
 mm/internal.h                                      |    1 +
 mm/maccess.c                                       |    4 +-
 mm/madvise.c                                       |   41 +
 mm/memory-failure.c                                |   26 +-
 mm/memory.c                                        |  424 ++-
 mm/mempolicy.c                                     |   26 +
 mm/mlock.c                                         |   15 +-
 mm/mmap.c                                          |  606 ++-
 mm/mprotect.c                                      |  139 +-
 mm/mremap.c                                        |   44 +-
 mm/nommu.c                                         |   21 +-
 mm/page-writeback.c                                |    4 +-
 mm/page_alloc.c                                    |   41 +-
 mm/page_io.c                                       |    2 +-
 mm/percpu.c                                        |    2 +-
 mm/process_vm_access.c                             |   14 +-
 mm/rmap.c                                          |   38 +-
 mm/shmem.c                                         |   19 +-
 mm/slab.c                                          |   79 +-
 mm/slab.h                                          |    5 +-
 mm/slab_common.c                                   |   46 +-
 mm/slob.c                                          |  201 +-
 mm/slub.c                                          |   79 +-
 mm/sparse-vmemmap.c                                |    4 +-
 mm/sparse.c                                        |    2 +-
 mm/swap.c                                          |    3 +
 mm/swapfile.c                                      |   12 +-
 mm/util.c                                          |    6 +
 mm/vmalloc.c                                       |   77 +-
 mm/vmstat.c                                        |   12 +-
 net/8021q/vlan.c                                   |    5 +-
 net/9p/mod.c                                       |    4 +-
 net/9p/trans_fd.c                                  |    2 +-
 net/atm/atm_misc.c                                 |    8 +-
 net/atm/lec.h                                      |    2 +-
 net/atm/proc.c                                     |    6 +-
 net/atm/resources.c                                |    4 +-
 net/ax25/sysctl_net_ax25.c                         |    2 +-
 net/batman-adv/bat_iv_ogm.c                        |    8 +-
 net/batman-adv/hard-interface.c                    |    4 +-
 net/batman-adv/soft-interface.c                    |    4 +-
 net/batman-adv/types.h                             |    6 +-
 net/batman-adv/unicast.c                           |    2 +-
 net/bluetooth/hci_core.c                           |    8 +-
 net/bluetooth/hci_sock.c                           |    2 +-
 net/bluetooth/l2cap_core.c                         |    6 +-
 net/bluetooth/l2cap_sock.c                         |   12 +-
 net/bluetooth/rfcomm/sock.c                        |    4 +-
 net/bluetooth/rfcomm/tty.c                         |   10 +-
 net/bridge/netfilter/ebtables.c                    |    6 +-
 net/caif/cfctrl.c                                  |   11 +-
 net/can/af_can.c                                   |    2 +-
 net/can/gw.c                                       |    6 +-
 net/compat.c                                       |   34 +-
 net/core/datagram.c                                |    2 +-
 net/core/dev.c                                     |   16 +-
 net/core/flow.c                                    |    8 +-
 net/core/iovec.c                                   |    4 +-
 net/core/neighbour.c                               |    2 +-
 net/core/net-sysfs.c                               |    2 +-
 net/core/net_namespace.c                           |    8 +-
 net/core/rtnetlink.c                               |   13 +-
 net/core/scm.c                                     |    8 +-
 net/core/sock.c                                    |   24 +-
 net/core/sock_diag.c                               |    9 +-
 net/core/sysctl_net_core.c                         |   18 +-
 net/decnet/af_decnet.c                             |    1 +
 net/decnet/sysctl_net_decnet.c                     |    4 +-
 net/ipv4/af_inet.c                                 |    8 +-
 net/ipv4/ah4.c                                     |    2 +-
 net/ipv4/devinet.c                                 |   18 +-
 net/ipv4/esp4.c                                    |    2 +-
 net/ipv4/fib_frontend.c                            |    6 +-
 net/ipv4/fib_semantics.c                           |    2 +-
 net/ipv4/inet_connection_sock.c                    |    2 +-
 net/ipv4/inetpeer.c                                |    4 +-
 net/ipv4/ip_fragment.c                             |   15 +-
 net/ipv4/ip_gre.c                                  |    6 +-
 net/ipv4/ip_sockglue.c                             |    2 +-
 net/ipv4/ip_vti.c                                  |    4 +-
 net/ipv4/ipcomp.c                                  |    2 +-
 net/ipv4/ipconfig.c                                |    6 +-
 net/ipv4/ipip.c                                    |    4 +-
 net/ipv4/netfilter/arp_tables.c                    |   12 +-
 net/ipv4/netfilter/ip_tables.c                     |   12 +-
 net/ipv4/ping.c                                    |    2 +-
 net/ipv4/raw.c                                     |   14 +-
 net/ipv4/route.c                                   |   18 +-
 net/ipv4/sysctl_net_ipv4.c                         |   45 +-
 net/ipv4/tcp_input.c                               |    2 +-
 net/ipv4/tcp_probe.c                               |    2 +-
 net/ipv4/udp.c                                     |   10 +-
 net/ipv4/xfrm4_policy.c                            |   14 +-
 net/ipv6/addrconf.c                                |   12 +-
 net/ipv6/icmp.c                                    |    2 +-
 net/ipv6/ip6_gre.c                                 |    8 +-
 net/ipv6/ip6_tunnel.c                              |    4 +-
 net/ipv6/ipv6_sockglue.c                           |    2 +-
 net/ipv6/netfilter/ip6_tables.c                    |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   14 +-
 net/ipv6/raw.c                                     |   19 +-
 net/ipv6/reassembly.c                              |   13 +-
 net/ipv6/route.c                                   |    2 +-
 net/ipv6/sit.c                                     |    4 +-
 net/ipv6/sysctl_net_ipv6.c                         |    2 +-
 net/ipv6/udp.c                                     |    8 +-
 net/ipv6/xfrm6_policy.c                            |   13 +-
 net/irda/ircomm/ircomm_tty.c                       |   18 +-
 net/iucv/af_iucv.c                                 |    4 +-
 net/iucv/iucv.c                                    |    2 +-
 net/key/af_key.c                                   |    4 +-
 net/mac80211/cfg.c                                 |    8 +-
 net/mac80211/ieee80211_i.h                         |    3 +-
 net/mac80211/iface.c                               |   16 +-
 net/mac80211/main.c                                |    2 +-
 net/mac80211/pm.c                                  |    6 +-
 net/mac80211/rate.c                                |    2 +-
 net/mac80211/rc80211_pid_debugfs.c                 |    2 +-
 net/mac80211/util.c                                |    4 +-
 net/netfilter/ipset/ip_set_core.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                    |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                    |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                   |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                    |    4 +-
 net/netfilter/nf_conntrack_acct.c                  |    2 +-
 net/netfilter/nf_conntrack_ecache.c                |    2 +-
 net/netfilter/nf_conntrack_helper.c                |    2 +-
 net/netfilter/nf_conntrack_proto.c                 |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c            |    4 +-
 net/netfilter/nf_conntrack_standalone.c            |    2 +-
 net/netfilter/nf_conntrack_timestamp.c             |    2 +-
 net/netfilter/nf_log.c                             |   10 +-
 net/netfilter/nf_sockopt.c                         |    4 +-
 net/netfilter/nfnetlink_log.c                      |    4 +-
 net/netfilter/xt_statistic.c                       |    8 +-
 net/netlink/af_netlink.c                           |    4 +-
 net/netlink/genetlink.c                            |   16 +-
 net/packet/af_packet.c                             |   12 +-
 net/phonet/pep.c                                   |    6 +-
 net/phonet/socket.c                                |    2 +-
 net/phonet/sysctl.c                                |    2 +-
 net/rds/cong.c                                     |    6 +-
 net/rds/ib.h                                       |    2 +-
 net/rds/ib_cm.c                                    |    2 +-
 net/rds/ib_recv.c                                  |    4 +-
 net/rds/iw.h                                       |    2 +-
 net/rds/iw_cm.c                                    |    2 +-
 net/rds/iw_recv.c                                  |    4 +-
 net/rds/rds.h                                      |    2 +-
 net/rds/tcp.c                                      |    2 +-
 net/rds/tcp_send.c                                 |    2 +-
 net/rxrpc/af_rxrpc.c                               |    2 +-
 net/rxrpc/ar-ack.c                                 |   14 +-
 net/rxrpc/ar-call.c                                |    2 +-
 net/rxrpc/ar-connection.c                          |    2 +-
 net/rxrpc/ar-connevent.c                           |    2 +-
 net/rxrpc/ar-input.c                               |    4 +-
 net/rxrpc/ar-internal.h                            |    8 +-
 net/rxrpc/ar-local.c                               |    2 +-
 net/rxrpc/ar-output.c                              |    4 +-
 net/rxrpc/ar-peer.c                                |    2 +-
 net/rxrpc/ar-proc.c                                |    4 +-
 net/rxrpc/ar-transport.c                           |    2 +-
 net/rxrpc/rxkad.c                                  |    4 +-
 net/sctp/ipv6.c                                    |    6 +-
 net/sctp/protocol.c                                |   10 +-
 net/sctp/sm_sideeffect.c                           |    2 +-
 net/sctp/socket.c                                  |   21 +-
 net/sctp/sysctl.c                                  |    4 +-
 net/socket.c                                       |   18 +-
 net/sunrpc/clnt.c                                  |    4 +-
 net/sunrpc/sched.c                                 |    4 +-
 net/sunrpc/svc.c                                   |    6 +-
 net/sunrpc/xprtrdma/svc_rdma.c                     |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c            |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c              |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c           |   10 +-
 net/tipc/link.c                                    |    6 +-
 net/tipc/msg.c                                     |    2 +-
 net/tipc/subscr.c                                  |    2 +-
 net/unix/sysctl_net_unix.c                         |    2 +-
 net/wireless/wext-core.c                           |   19 +-
 net/xfrm/xfrm_policy.c                             |   27 +-
 net/xfrm/xfrm_state.c                              |   29 +-
 net/xfrm/xfrm_sysctl.c                             |    2 +-
 scripts/Makefile.build                             |    2 +-
 scripts/Makefile.clean                             |    3 +-
 scripts/Makefile.host                              |   28 +-
 scripts/basic/fixdep.c                             |   12 +-
 scripts/gcc-plugin.sh                              |   17 +
 scripts/headers_install.sh                         |    1 +
 scripts/link-vmlinux.sh                            |    2 +-
 scripts/mod/file2alias.c                           |   14 +-
 scripts/mod/modpost.c                              |   25 +-
 scripts/mod/modpost.h                              |    6 +-
 scripts/mod/sumversion.c                           |    2 +-
 scripts/package/builddeb                           |    1 +
 scripts/pnmtologo.c                                |    6 +-
 scripts/sortextable.h                              |    6 +-
 security/Kconfig                                   |  676 +++-
 security/apparmor/lsm.c                            |    2 +-
 security/integrity/ima/ima.h                       |    4 +-
 security/integrity/ima/ima_api.c                   |    2 +-
 security/integrity/ima/ima_fs.c                    |    4 +-
 security/integrity/ima/ima_queue.c                 |    2 +-
 security/keys/compat.c                             |    2 +-
 security/keys/internal.h                           |    2 +-
 security/keys/key.c                                |   18 +-
 security/keys/keyctl.c                             |    8 +-
 security/keys/keyring.c                            |    6 +-
 security/security.c                                |    9 +-
 security/selinux/hooks.c                           |    2 +-
 security/selinux/include/xfrm.h                    |    2 +-
 security/smack/smack_lsm.c                         |    2 +-
 security/tomoyo/tomoyo.c                           |    2 +-
 security/yama/yama_lsm.c                           |   22 +-
 sound/aoa/codecs/onyx.c                            |    7 +-
 sound/aoa/codecs/onyx.h                            |    1 +
 sound/core/oss/pcm_oss.c                           |   18 +-
 sound/core/pcm_compat.c                            |    2 +-
 sound/core/pcm_native.c                            |    4 +-
 sound/core/seq/seq_device.c                        |    8 +-
 sound/core/sound.c                                 |    2 +-
 sound/drivers/mts64.c                              |   14 +-
 sound/drivers/opl4/opl4_lib.c                      |    2 +-
 sound/drivers/portman2x4.c                         |    3 +-
 sound/firewire/amdtp.c                             |    4 +-
 sound/firewire/amdtp.h                             |    2 +-
 sound/firewire/isight.c                            |   10 +-
 sound/firewire/scs1x.c                             |    8 +-
 sound/oss/sb_audio.c                               |    2 +-
 sound/oss/swarm_cs4297a.c                          |    6 +-
 sound/pci/ymfpci/ymfpci.h                          |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                     |   12 +-
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 sound/sound_core.c                                 |    2 +-
 tools/gcc/.gitignore                               |    1 +
 tools/gcc/Makefile                                 |   45 +
 tools/gcc/checker_plugin.c                         |  172 +
 tools/gcc/colorize_plugin.c                        |  151 +
 tools/gcc/constify_plugin.c                        |  560 ++
 tools/gcc/generate_size_overflow_hash.sh           |   94 +
 tools/gcc/kallocstat_plugin.c                      |  170 +
 tools/gcc/kernexec_plugin.c                        |  465 ++
 tools/gcc/latent_entropy_plugin.c                  |  327 ++
 tools/gcc/size_overflow_hash.data                  | 5893 ++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                   | 2114 +++++++
 tools/gcc/stackleak_plugin.c                       |  327 ++
 tools/gcc/structleak_plugin.c                      |  277 +
 tools/perf/util/include/asm/alternative-asm.h      |    3 +
 tools/perf/util/include/linux/compiler.h           |    8 +
 virt/kvm/kvm_main.c                                |   32 +-
 1607 files changed, 30734 insertions(+), 7318 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 23:05:14 2013 -0400

    always enforce a non-zero gap for RAND_THREADSTACK

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 16:09:28 2013 -0400

    fix up file comparisons

 grsecurity/gracl_segv.c    |    2 +-
 grsecurity/grsec_sig.c     |    4 ++--
 include/linux/grinternal.h |   12 ++++++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

commit a1fff2c95162314626dd96bec71d951a8c1c4708
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:33:18 2013 -0400

    fix suid binary matching

 grsecurity/grsec_sig.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
Merge: 37b97a9 47beb61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:02:31 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:01:37 2013 -0400

    Update to pax-linux-3.9.9-test13.patch:
    - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
    - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)

 arch/arm/include/asm/uaccess.h |   20 ++++++++++----------
 arch/arm/kernel/armksyms.c     |    2 +-
 arch/arm/kernel/entry-armv.S   |    4 ++--
 arch/arm/mm/Kconfig            |    2 +-
 arch/x86/ia32/ia32entry.S      |    4 ++--
 arch/x86/include/asm/page.h    |    1 +
 arch/x86/kernel/entry_32.S     |    4 ++--
 arch/x86/kernel/entry_64.S     |    8 ++++----
 arch/x86/kernel/head64.c       |   12 ++++++------
 arch/x86/kernel/head_64.S      |   16 ++++++++++++----
 arch/x86/mm/init.c             |    8 ++++++++
 arch/x86/mm/init_32.c          |    6 ------
 arch/x86/mm/init_64.c          |    6 ------
 arch/x86/platform/efi/efi_32.c |    5 +++++
 arch/x86/platform/efi/efi_64.c |   10 ++++++++++
 15 files changed, 64 insertions(+), 44 deletions(-)

commit 89085d2d0643813a62f23d1199a335dc1e129bc0
Merge: 963af7f 0adf2e7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 14:55:44 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:46:02 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:29:51 2013 -0400

    update log arguments

 grsecurity/grsec_sig.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:20:23 2013 -0400

    Update logging of suid exec ban
    
    Conflicts:
    
        grsecurity/grsec_sig.c

 grsecurity/grsec_sig.c |    3 +--
 include/linux/grmsg.h  |    1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

commit ef808866c070aa1901bd2224521baaf5d145a3a7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 12:58:33 2013 -0400

    Additional improvements to the user banning code:
    
    Separate the kernel-bruteforcing case from the suid bruteforcing case
    In the suid bruteforcing case, only kill existing copies of the bruteforced
    binary.  Instead of preventing all future execs by this user, prevent them
    from executing any suid/sgid binaries for the next 15 minutes.
    
    Kernel case is mostly unchanged from before, except the task trying to change
    real uid to the banned user will be terminated instead of failing the setuid
    call.
    
    Configuration help has been updated to reflect the new changes.

 fs/exec.c                  |   13 +++++---
 grsecurity/Kconfig         |    5 ++-
 grsecurity/gracl.c         |    6 ++--
 grsecurity/grsec_sig.c     |   76 ++++++++++++++++++++++++++------------------
 include/linux/grsecurity.h |    1 -
 include/linux/sched.h      |    9 +++--
 6 files changed, 65 insertions(+), 45 deletions(-)

commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 16:14:09 2013 -0400

    fix renamed export of csum_partial_copy_from_user, as reported by fabled
    on the forums

 arch/arm/kernel/armksyms.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 318235973c2a548c3d25562645d6b69f66e85934
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 16:09:16 2013 -0400

    make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
    reported on the forums by fabled

 arch/arm/mm/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 15:53:12 2013 -0400

    Revise the user ban code to kill the process issuing a banned
    set*id instead of returning an error.  For the sake of keeping
    unified user banning between the suid and kernel bruteforce case,
    we will apply this killing to the suid bruteforce case, despite
    a check just at exec time (that already existed) being sufficient.
    
    Returning an error could enable exploitation of the "failure to check
    setuid return value" case which was recently effectively closed
    upstream, albeit in a rare situation with a suitable binary and
    two colluding users.
    
    Many thanks to stealth for reviewing the user ban code.

 grsecurity/gracl.c     |    4 ++--
 grsecurity/grsec_sig.c |   16 +++++++++++++---
 2 files changed, 15 insertions(+), 5 deletions(-)

commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Date:   Fri Jun 28 14:15:15 2013 +0300

    Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
    
    UBIFS: fix a horrid bug
    
    Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
    mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
    in the middle of 'ubifs_readdir()'.
    
    This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
    it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
    but this may corrupt memory and lead to all kinds of problems like crashes an
    security holes.
    
    This patch fixes the problem by using the 'file->f_version' field, which
    '->llseek()' always unconditionally sets to zero. We set it to 1 in
    'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
    seek and it is time to clear the state saved in 'file->private_data'.
    
    I tested this patch by writing a user-space program which runds readdir and
    seek in parallell. I could easily crash the kernel without these patches, but
    could not crash it with these patches.
    
    Cc: stable@vger.kernel.org
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/ubifs/dir.c |   30 +++++++++++++++++++++++++++---
 1 files changed, 27 insertions(+), 3 deletions(-)

commit c22280b85088978bd8b45bd23096879459b48008
Author: Stephane Eranian <eranian@google.com>
Date:   Thu Jun 20 11:36:28 2013 +0200

    Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
    
    perf: Disable monitoring on setuid processes for regular users
    
    There was a a bug in setup_new_exec(), whereby
    the test to disabled perf monitoring was not
    correct because the new credentials for the
    process were not yet committed and therefore
    the get_dumpable() test was never firing.
    
    The patch fixes the problem by moving the
    perf_event test until after the credentials
    are committed.
    
    Signed-off-by: Stephane Eranian <eranian@google.com>
    Tested-by: Jiri Olsa <jolsa@redhat.com>
    Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 fs/exec.c |   16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 29 13:10:02 2013 -0400

    on context switch, make sure we switch DACR when domain support and
    KERNEXEC is disabled but UDEREF is enabled

 arch/arm/kernel/entry-armv.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 08d017fa51370921694ce087b28c96fec92993d4
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jun 23 17:26:58 2013 +0300

    Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
    
    macvtap: fix recovery from gup errors
    
    get user pages might fail partially in macvtap zero copy
    mode. To recover we need to put all pages that we got,
    but code used a wrong index resulting in double-free
    errors.
    
    Reported-by: Brad Hubbard <bhubbard@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jun 23 17:19:03 2013 +0300

    Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
    
    tun: fix recovery from gup errors
    
    get user pages might fail partially in tun zero copy
    mode. To recover we need to put all pages that we got,
    but code used a wrong index resulting in double-free
    errors.
    
    Reported-by: Brad Hubbard <bhubbard@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
Author: Balazs Peter Odor <balazs@obiserver.hu>
Date:   Sat Jun 22 19:24:43 2013 +0200

    Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
    
    netfilter: nf_nat_sip: fix mangling
    
    In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
    there were some missing brackets around the logging information, thus
    always returning drop.
    
    Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
    
    Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_nat_sip.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
Date:   Sun Jun 2 16:30:40 2013 -0400

    Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
    
    Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
    
    If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
    controller, memory corruption happens due to a memcpy() call with
    negative length.
    
    Fix this crash on either incoming or outgoing connections with a MTU
    smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
    
    [   46.885433] BUG: unable to handle kernel paging request at f56ad000
    [   46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
    [   46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
    [   46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
    [   46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
    [   46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
    [   46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [   46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
    [   46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
    [   46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
    [   46.888037] EIP is at memcpy+0x1d/0x40
    [   46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
    [   46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
    [   46.888037]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    [   46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
    [   46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    [   46.888037] DR6: ffff0ff0 DR7: 00000400
    [   46.888037] Stack:
    [   46.888037]  fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
    [   46.888037]  f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
    [   46.888037]  f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
    [   46.888037] Call Trace:
    [   46.888037]  [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
    [   46.888037]  [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
    [   46.888037]  [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
    [   46.888037]  [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064ad20>] ? mutex_lock_nested+0x280/0x360
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<c064ad08>] ? mutex_lock_nested+0x268/0x360
    [   46.888037]  [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
    [   46.888037]  [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
    [   46.888037]  [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
    [   46.888037]  [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
    [   46.888037]  [<c0158979>] process_one_work+0x1a9/0x600
    [   46.888037]  [<c01588fb>] ? process_one_work+0x12b/0x600
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c0159187>] worker_thread+0xf7/0x320
    [   46.888037]  [<c0159090>] ? rescuer_thread+0x290/0x290
    [   46.888037]  [<c01602f8>] kthread+0xa8/0xb0
    [   46.888037]  [<c0656777>] ret_from_kernel_thread+0x1b/0x28
    [   46.888037]  [<c0160250>] ? flush_kthread_worker+0x120/0x120
    [   46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
    [   46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
    [   46.888037] CR2: 00000000f56ad000
    [   46.888037] ---[ end trace 0217c1f4d78714a9 ]---
    
    Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 net/bluetooth/l2cap_core.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b0471b6c1160858fc646d8e94628fd1299f61692
Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
Date:   Fri Jun 21 19:55:11 2013 +0530

    Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
    
    Bluetooth: Fix invalid length check in l2cap_information_rsp()
    
    The length check is invalid since the length varies with type of
    info response.
    
    This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
    
    Because of this, l2cap info rsp is not handled and command reject is sent.
    
    > ACL data: handle 11 flags 0x02 dlen 16
            L2CAP(s): Info rsp: type 2 result 0
              Extended feature mask 0x00b8
                Enhanced Retransmission mode
                Streaming mode
                FCS Option
                Fixed Channels
    < ACL data: handle 11 flags 0x00 dlen 10
            L2CAP(s): Command rej: reason 0
              Command not understood
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
    Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
    Acked-by: Johan Hedberg <johan.hedberg@intel.com>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>

 net/bluetooth/l2cap_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4184af98c360d825e638b268b1a9847232e8d299
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jun 26 04:15:07 2013 -0700

    Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
    
    ipv6: ip6_sk_dst_check() must not assume ipv6 dst
    
    It's possible to use AF_INET6 sockets and to connect to an IPv4
    destination. After this, socket dst cache is a pointer to a rtable,
    not rt6_info.
    
    ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
    various corruptions/crashes can happen.
    
    Dave Jones can reproduce immediate crash with
    trinity -q -l off -n -c sendmsg -c connect
    
    With help from Hannes Frederic Sowa
    
    Reported-by: Dave Jones <davej@redhat.com>
    Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:29:54 2013 +0800

    Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
    
    dlci: acquire rtnl_lock before calling __dev_get_by_name()
    
    Otherwise the net device returned can be freed at anytime.
    
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

commit 1fe6f23c9acd14d832d056909ff326bde418e645
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:31:58 2013 +0800

    Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
    
    dlci: validate the net device in dlci_del()
    
    We triggered an oops while running trinity with 3.4 kernel:
    
    BUG: unable to handle kernel paging request at 0000000100000d07
    IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
    PGD 640c0d067 PUD 0
    Oops: 0000 [#1] PREEMPT SMP
    CPU 3
    ...
    Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285          /BC11BTSA
    RIP: 0010:[<ffffffffa0109738>]  [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
    ...
    Call Trace:
      [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
      [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
      [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
      [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
      [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
    ...
    
    It's because the net device is not a dlci device.
    
    Reported-by: Li Jinyue <lijinyue@huawei.com>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit 4d4464407611527ef6b6b5475cfcab6121b3da66
Merge: 59571a9 963af7f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 27 18:54:52 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 963af7f7f591759b731ce6325ceb583a72fcf423
Merge: c51e25a 55db48a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 27 18:54:42 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 59571a9db7485f530a1e865a13cacc4c991ec41f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:39:08 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: Steffen Klassert <steffen.klassert@secunet.com>,
            "David S. Miller" <davem@davemloft.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
            Herbert Xu <herbert@gondor.apana.org.au>
    Subject: [PATCH] af_key: fix info leaks in notify messages
    
    key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
    the sadb_msg_reserved member of the broadcasted message and thereby
    leak 2 bytes of heap memory to listeners. Fix that.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>

 net/key/af_key.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:33:06 2013 -0400

    update rand_threadstack code to continue the search for a gap if the first
    choice doesn't have enough space, instead of returning ENOMEM

 mm/mmap.c |   17 ++++++++++-------
 1 files changed, 10 insertions(+), 7 deletions(-)

commit 87020d4a4d83038d65ff1fd519938840f6888b9e
Merge: 2682346 c51e25a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:25:32 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c51e25a23f30a1198076bd085f19b2073caf164d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:24:54 2013 -0400

    Update to pax-linux-3.9.7-test12.patch:
    - fixed a regression on PARAVIRT/amd64 kernels
    - simplified the recent vm_unmapped_area_info based change

 arch/x86/kernel/entry_64.S |    8 ++++----
 mm/mmap.c                  |   22 ++++++++++++----------
 2 files changed, 16 insertions(+), 14 deletions(-)

commit 26823469a08e59cb67bea18d448d9e8c65f82e08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 21:26:51 2013 -0400

    re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
    vm_unmapped_area code is complete

 arch/x86/kernel/sys_i386_32.c |    5 +++++
 grsecurity/Kconfig            |    2 +-
 mm/mmap.c                     |   11 ++++++++++-
 3 files changed, 16 insertions(+), 2 deletions(-)

commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
Merge: e58fe8c c4e0704
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:08:52 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kernel/sys_i386_32.c

commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:05:39 2013 -0400

    Update to pax-linux-3.9.7-test11.patch:
    - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
    - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
    - fixed the recent nested nmi related fixes some more
    - fixed a regression in kernel memory initialization on relocatable i386 kernels
    - empty_zero_page can be read-only on amd64 as well

 arch/arm/mm/mmap.c            |    6 --
 arch/x86/kernel/entry_64.S    |    8 +--
 arch/x86/kernel/head_64.S     |    1 -
 arch/x86/kernel/setup.c       |    2 +-
 arch/x86/kernel/sys_i386_32.c |  160 ++++++++++++----------------------------
 drivers/lguest/core.c         |    2 +-
 include/linux/mm.h            |    6 +-
 include/linux/vmalloc.h       |    2 +-
 mm/mmap.c                     |   30 +++++++-
 9 files changed, 83 insertions(+), 134 deletions(-)

commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 23 14:37:14 2013 -0400

    second compile fix, reported by forsaken on forums

 include/linux/vmalloc.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 23 14:36:35 2013 -0400

    compile fix, reported by KDE on forums

 kernel/printk.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit 1fc9a5e2e267205d28302e1e86ca0da434561111
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun Jun 16 21:27:12 2013 +0100

    Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
    
    x86/efi: Fix dummy variable buffer allocation
    
    1. Check for allocation failure
    2. Clear the buffer contents, as they may actually be written to flash
    3. Don't leak the buffer
    
    Compile-tested only.
    
    [ Tested successfully on my buggy ASUS machine - Matt ]
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Matt Fleming <matt.fleming@intel.com>

 arch/x86/platform/efi/efi.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
Author: Dave Kleikamp <dave.kleikamp@oracle.com>
Date:   Tue Jun 18 09:05:36 2013 -0500

    Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
    
    sparc: tsb must be flushed before tlb
    
    This fixes a race where a cpu may re-load a tlb from a stale tsb right
    after it has been flushed by a remote function call.
    
    I still see some instability when stressing the system with parallel
    kernel builds while creating memory pressure by writing to
    /proc/sys/vm/nr_hugepages, but this patch improves the stability
    significantly.
    
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Acked-by: Bob Picco <bob.picco@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/tlb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d93b62f6485db9aadda34322a6867868db07f56f
Merge: 4ef62f5 71d83e9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:52:55 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 71d83e97c936563913bcfb5a25c45b2021a331eb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:48:42 2013 -0400

    Update to pax-linux-3.9.7-test10.patch:
    - fixed a few format string problems uncovered by -Wformat-nonliteral
    - another attempt at fixing the nested nmi/cr0.wp problem
    - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
    - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
    - fixed a locking issue with track_exec_limit reported by spender
    - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)

 Documentation/dontdiff                  |    1 +
 arch/x86/boot/compressed/efi_stub_32.S  |   16 ++-----
 arch/x86/kernel/cpu/mcheck/mce.c        |    2 +-
 arch/x86/kernel/e820.c                  |    4 +-
 arch/x86/kernel/entry_64.S              |   74 ++++++++++++++++++------------
 arch/x86/kernel/vmlinux.lds.S           |    2 +-
 block/genhd.c                           |   11 +++--
 crypto/algapi.c                         |    2 +-
 crypto/pcrypt.c                         |    6 +-
 drivers/base/attribute_container.c      |    2 +-
 drivers/base/power/sysfs.c              |    2 +-
 drivers/block/nbd.c                     |    2 +-
 drivers/cdrom/cdrom.c                   |    2 +-
 drivers/char/hw_random/intel-rng.c      |    2 +-
 drivers/char/mem.c                      |    2 +-
 drivers/devfreq/devfreq.c               |    2 +-
 drivers/gpu/drm/drm_encoder_slave.c     |    6 +--
 drivers/gpu/drm/drm_sysfs.c             |    2 +-
 drivers/gpu/drm/ttm/ttm_memory.c        |    4 +-
 drivers/iommu/irq_remapping.c           |    2 +-
 drivers/video/output.c                  |    2 +-
 fs/ext4/mmp.c                           |    2 +-
 fs/ext4/super.c                         |    2 +-
 fs/lockd/svc.c                          |    2 +-
 fs/nfs/callback.c                       |    4 +-
 fs/nfs/nfs4state.c                      |    2 +-
 fs/nfsd/nfscache.c                      |    3 +-
 init/initramfs.c                        |    2 +-
 kernel/rcutree.c                        |    2 +-
 lib/kobject.c                           |    2 +-
 mm/backing-dev.c                        |    4 +-
 mm/mmap.c                               |    4 +-
 mm/slub.c                               |    2 +-
 mm/vmalloc.c                            |   15 +++----
 net/bluetooth/hci_core.c                |    8 ++--
 net/netfilter/nf_conntrack_proto_dccp.c |    4 +-
 net/sunrpc/svc.c                        |    2 +-
 security/Kconfig                        |   15 +++---
 sound/core/sound.c                      |    2 +-
 sound/sound_core.c                      |    2 +-
 40 files changed, 116 insertions(+), 111 deletions(-)

commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
Merge: 39efd8f 256eff7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:45:15 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        kernel/printk.c

commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
Merge: e6e3059 485f25f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 20 22:14:24 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 18 17:20:18 2013 -0400

    add apparmor compat patch

 security/apparmor/Kconfig      |    9 ++
 security/apparmor/apparmorfs.c |  231 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 240 insertions(+), 0 deletions(-)

commit 49bee3c5341687504669bf62becf4a419a226ba0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 17 18:48:04 2013 -0400

    Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
    
    This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.

 kernel/sys.c |   29 +++--------------------------
 1 files changed, 3 insertions(+), 26 deletions(-)

commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Sun Jun 16 18:06:06 2013 +0100

    Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
    
    lseek(fd, n, SEEK_END) does *not* go to eof - n
    
    When you copy some code, you are supposed to read it.  If nothing else,
    there's a chance to spot and fix an obvious bug instead of sharing it...
    
    X-Song: "I Got It From Agnes", by Tom Lehrer
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    [ Tom Lehrer? You're dating yourself, Al ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/net/ethernet/brocade/bna/bnad_debugfs.c |    2 +-
 drivers/scsi/bfa/bfad_debugfs.c                 |    2 +-
 drivers/scsi/fnic/fnic_debugfs.c                |    2 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                |    2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

commit 5a450f1c46f0c84379518aee878993d3f4a331b6
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Thu Jun 6 11:14:31 2013 -0400

    Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
    
    ext4: verify group number in verify_group_input() before using it
    
    Check the group number for sanity earilier, before calling routines
    such as ext4_bg_has_super() or ext4_group_overhead_blocks().
    
    Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

 fs/ext4/resize.c |   17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Wed Jun 12 14:26:44 2013 -0400

    Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
    
    sctp: fully initialize sctp_outq in sctp_outq_init
    
    In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
    (refactor sctp_outq_teardown to insure proper re-initalization)
    we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
    outq structure.  Steve West recently asked me why I removed the q->error = 0
    initalization from sctp_outq_teardown.  I did so because I was operating under
    the impression that sctp_outq_init would properly initalize that value for us,
    but it doesn't.  sctp_outq_init operates under the assumption that the outq
    struct is all 0's (as it is when called from sctp_association_init), but using
    it in __sctp_outq_teardown violates that assumption. We should do a memset in
    sctp_outq_init to ensure that the entire structure is in a known state there
    instead.
    
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
    CC: Vlad Yasevich <vyasevich@gmail.com>
    CC: netdev@vger.kernel.org
    CC: davem@davemloft.net
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/sctp/outqueue.c

 net/sctp/outqueue.c |    8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit e13515ad7a9c7634599a105b2527752e527a905d
Author: Saurabh Mohan <saurabh@vyatta.com>
Date:   Mon Jun 10 17:45:10 2013 -0700

    Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
    
    net/ipv4: ip_vti clear skb cb before tunneling.
    
    If users apply shaper to vti tunnel then it will cause a kernel crash. The
    problem seems to be due to the vti_tunnel_xmit function not clearing
    skb->opt field before passing the packet to xfrm tunneling code.
    
    Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
    Acked-by: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_vti.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:36 2013 +0200

    Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
    
    l2tp: Fix sendmsg() return value
    
    PPPoL2TP sockets should comply with the standard send*() return values
    (i.e. return number of bytes sent instead of 0 upon success).
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit af361b412e816e894fb42ddff7a0545b7def64c0
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:23 2013 +0200

    Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
    
    l2tp: Fix PPP header erasure and memory leak
    
    Copy user data after PPP framing header. This prevents erasure of the
    added PPP header and avoids leaking two bytes of uninitialised memory
    at the end of skb's data buffer.
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1f43aca088c35dda35abf76e08544e534c71fed4
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed Jun 12 16:02:27 2013 +0200

    Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
    
    packet: packet_getname_spkt: make sure string is always 0-terminated
    
    uaddr->sa_data is exactly of size 14, which is hard-coded here and
    passed as a size argument to strncpy(). A device name can be of size
    IFNAMSIZ (== 16), meaning we might leave the destination string
    unterminated. Thus, use strlcpy() and also sizeof() while we're
    at it. We need to memset the data area beforehand, since strlcpy
    does not padd the remaining buffer with zeroes for user space, so
    that we do not possibly leak anything.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/packet/af_packet.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Jun 5 19:38:26 2013 +0000

    Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
    
    net: Unbreak compat_sys_{send,recv}msg
    
    I broke them in this commit:
    
        commit 1be374a0518a288147c6a7398792583200a67261
        Author: Andy Lutomirski <luto@amacapital.net>
        Date:   Wed May 22 14:07:44 2013 -0700
    
            net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
    MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints.  It
    also reverts some unnecessary checks in sys_socketcall.
    
    Apparently I was suffering from underscore blindness the first time around.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Tested-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/socket.h |    3 ++
 net/compat.c           |   13 +++++++-
 net/socket.c           |   72 ++++++++++++++++++++++--------------------------
 3 files changed, 47 insertions(+), 41 deletions(-)

commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed May 22 14:07:44 2013 -0700

    Upstream commit: 1be374a0518a288147c6a7398792583200a67261
    
    net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    To: linux-kernel@vger.kernel.org
    Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
        Miller" <davem@davemloft.net>
    Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
    it's a hack that steals a bit to indicate to other networking code
    that a compat entry was used.  So don't allow it from a non-compat
    syscall.
    
    This prevents an oops when running this code:
    
    int main()
    {
        int s;
        struct sockaddr_in addr;
        struct msghdr *hdr;
    
        char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
                              PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
        if (highpage == MAP_FAILED)
                err(1, "mmap");
    
        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if (s == -1)
                err(1, "socket");
    
            addr.sin_family = AF_INET;
            addr.sin_port = htons(1);
            addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
                err(1, "connect");
    
        void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
        printf("Evil address is %p\n", evil);
    
        if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
                err(1, "sendmmsg");
    
        return 0;
    }
    
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/socket.c |   33 +++++++++++++++++++++++++++++++--
 1 files changed, 31 insertions(+), 2 deletions(-)

commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
Author: Kees Cook <keescook@chromium.org>
Date:   Fri May 10 14:48:21 2013 -0700

    Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
    
    b43: stop format string leaking into error msgs
    
    The module parameter "fwpostfix" is userspace controllable, unfiltered,
    and is used to define the firmware filename. b43_do_request_fw() populates
    ctx->errors[] on error, containing the firmware filename. b43err()
    parses its arguments as a format string. For systems with b43 hardware,
    this could lead to a uid-0 to ring-0 escalation.
    
    CVE-2013-2852
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/b43/main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dfb67a67049ace7b94ad7e2febfac69816d50d85
Author: Mark A. Greer <mgreer@animalcreek.com>
Date:   Wed May 29 12:25:34 2013 -0700

    Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
    
    mwifiex: debugfs: Fix out of bounds array access
    
    When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
    the following panic occurs:
    
    $ cat /sys/kernel/debug/mwifiex/p2p0/info
    Unable to handle kernel paging request at virtual address 74706164
    pgd = de530000
    [74706164] *pgd=00000000
    Internal error: Oops: 5 [#1] SMP ARM
    Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
    CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
    task: de16b6c0 ti: de048000 task.ti: de048000
    PC is at strnlen+0xc/0x4c
    LR is at string+0x3c/0xf8
    pc : [<c02c123c>]    lr : [<c02c2d1c>]    psr: a0000013
    sp : de049e10  ip : c06efba0  fp : de6d2092
    r10: bf01a260  r9 : ffffffff  r8 : 74706164
    r7 : 0000ffff  r6 : ffffffff  r5 : de6d209c  r4 : 00000000
    r3 : ff0a0004  r2 : 74706164  r1 : ffffffff  r0 : 74706164
    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 9e530019  DAC: 00000015
    Process cat (pid: 1635, stack limit = 0xde048240)
    Stack: (0xde049e10 to 0xde04a000)
    9e00:                                     de6d2092 00000002 bf01a25e de6d209c
    9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
    9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
    9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
    9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
    9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
    9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
    9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
    9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
    9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
    9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
    9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
    9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
    9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
    [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
    [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
    [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
    [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
    [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
    [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
    [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
    Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
    ---[ end trace ca98273dc605a04f ]---
    
    The panic is caused by the mwifiex_info_read() routine assuming that
    there can only be four modes (0-3) which is an invalid assumption.
    For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
    code accesses data beyond the bounds of the bss_modes[] array which
    causes the panic.  Fix this by updating bss_modes[] to support the
    current list of modes and adding a check to prevent the out-of-bounds
    access from occuring in the future when more modes are added.
    
    Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
    Acked-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/mwifiex/debugfs.c |   22 +++++++++++++++++-----
 1 files changed, 17 insertions(+), 5 deletions(-)

commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
Author: Johan Hedberg <johan.hedberg@intel.com>
Date:   Tue May 28 13:46:30 2013 +0300

    Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
    
    Bluetooth: Fix missing length checks for L2CAP signalling PDUs
    
    There has been code in place to check that the L2CAP length header
    matches the amount of data received, but many PDU handlers have not been
    checking that the data received actually matches that expected by the
    specific PDU. This patch adds passing the length header to the specific
    handler functions and ensures that those functions fail cleanly in the
    case of an incorrect amount of data.
    
    Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 net/bluetooth/l2cap_core.c |   70 ++++++++++++++++++++++++++++++++-----------
 1 files changed, 52 insertions(+), 18 deletions(-)

commit 628be2427afb241b5a1aa24bc5907d05287e1f25
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Jun 3 12:00:49 2013 +0300

    Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
    
    ipvs: info leak in __ip_vs_get_dest_entries()
    
    The entry struct has a 2 byte hole after ->port and another 4 byte
    hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
    namespace to hit this information leak.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/ipvs/ip_vs_ctl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 066d9226bc6c569d5f420c978b758e0bddd23444
Author: Robin Holt <holt@sgi.com>
Date:   Wed Jun 12 14:04:37 2013 -0700

    Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
    
    reboot: rigrate shutdown/reboot to boot cpu
    
    We recently noticed that reboot of a 1024 cpu machine takes approx 16
    minutes of just stopping the cpus.  The slowdown was tracked to commit
    f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
    kernel_restart()").
    
    The current implementation does all the work of hot removing the cpus
    before halting the system.  We are switching to just migrating to the
    boot cpu and then continuing with shutdown/reboot.
    
    This also has the effect of not breaking x86's command line parameter
    for specifying the reboot cpu.  Note, this code was shamelessly copied
    from arch/x86/kernel/reboot.c with bits removed pertaining to the
    reboot_cpu command line parameter.
    
    Signed-off-by: Robin Holt <holt@sgi.com>
    Tested-by: Shawn Guo <shawn.guo@linaro.org>
    Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@elte.hu>
    Cc: Russ Anderson <rja@sgi.com>
    Cc: Robin Holt <holt@sgi.com>
    Cc: Russell King <linux@arm.linux.org.uk>
    Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sys.c |   29 ++++++++++++++++++++++++++---
 1 files changed, 26 insertions(+), 3 deletions(-)

commit 94e2a91600b07d39825e7059195f35eb611a39a2
Merge: 20cc761 e6e3059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 13 16:23:46 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
Merge: c6aadb1 4b73feb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 13 16:23:39 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 20cc7613e38cde07adc73179a91d6c15292e8d43
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jun 6 15:53:47 2013 +0200

    Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
    
    net: sctp: fix NULL pointer dereference in socket destruction
    
    While stress testing sctp sockets, I hit the following panic:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
    IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
    PGD 7cead067 PUD 7ce76067 PMD 0
    Oops: 0000 [#1] SMP
    Modules linked in: sctp(F) libcrc32c(F) [...]
    CPU: 7 PID: 2950 Comm: acc Tainted: GF            3.10.0-rc2+ #1
    Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
    task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
    RIP: 0010:[<ffffffffa0490c4e>]  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
    RSP: 0018:ffff88007b569e08  EFLAGS: 00010292
    RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
    RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
    RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
    R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
    FS:  00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Stack:
     ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
     ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
     0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
    Call Trace:
     [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
     [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
     [<ffffffff814df36e>] inet_create+0x2ae/0x350
     [<ffffffff81455a6f>] __sock_create+0x11f/0x240
     [<ffffffff81455bf0>] sock_create+0x30/0x40
     [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
     [<ffffffff815403be>] ? do_page_fault+0xe/0x10
     [<ffffffff8153cb32>] ? page_fault+0x22/0x30
     [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
    Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
          1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
          8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
    RIP  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
     RSP <ffff88007b569e08>
    CR2: 0000000000000020
    ---[ end trace e0d71ec1108c1dd9 ]---
    
    I did not hit this with the lksctp-tools functional tests, but with a
    small, multi-threaded test program, that heavily allocates, binds,
    listens and waits in accept on sctp sockets, and then randomly kills
    some of them (no need for an actual client in this case to hit this).
    Then, again, allocating, binding, etc, and then killing child processes.
    
    This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
    is set. The cause for that is actually very simple: in sctp_endpoint_init()
    we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
    our crypto transforms through crypto_alloc_hash(). In our scenario,
    it then can happen that crypto_alloc_hash() fails with -EINTR from
    crypto_larval_wait(), thus we bail out and release the socket via
    sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
    dereference as soon as we try to access members in the endpoint during
    sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
    if we have that case, we do not need to do any cleanup work and just
    leave the destruction handler.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 386ba837978cc8a1111440bdcd8600f2df4634a4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 12 20:37:48 2013 -0400

    fix deadlock when booting i386 kernel without NX

 mm/mmap.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 22:18:07 2013 -0400

    fix elif / elif defined() typo in recent change

 kernel/events/core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit bc43377e1e757cd37a06be0187884a42af718aab
Merge: 3cdea63 c6aadb1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 18:50:39 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 18:49:36 2013 -0400

    Update to pax-linux-3.9.4-test9.patch:
    - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
    - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort

 arch/x86/kernel/setup.c |    2 +-
 mm/mlock.c              |    1 -
 2 files changed, 1 insertions(+), 2 deletions(-)

commit 3cdea63e90607d8d55820b101854091623feedb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:21:44 2013 -0400

    Fix fanotify infoleak reported by Dan Carpenter at:
    https://lkml.org/lkml/2013/6/3/128
    
    Requires CAP_SYS_ADMIN, so this is about as low priority as it gets

 fs/notify/fanotify/fanotify_user.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 373a2b5df78f82b9d3db72bd6577e29a71591323
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:16:46 2013 -0400

    Backport infoleak fix by Dan Carpenter in cpqarray:
    https://lkml.org/lkml/2013/6/3/131

 drivers/block/cpqarray.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 251e84b9b05e063981b20be154c9389862f94759
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:04:17 2013 -0400

    Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2

 drivers/cdrom/cdrom.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 18:34:32 2013 -0400

    change const to __read_only

 kernel/sysctl.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 17:34:13 2013 -0400

    compile fix, make const values const

 kernel/sysctl.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 17:37:13 2013 -0400

    Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a

 drivers/char/mwave/tp3780i.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1c590aa70c95ebd76ba9672aa23d800b81780615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 19:50:35 2013 -0400

    allow -1 perf_event_paranoid

 kernel/sysctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
Merge: 4e85539 117c3fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 17:30:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 117c3fa8d26c3806103123560f807d99071b60b6
Merge: ed9b427 5dd2e98
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 17:30:00 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon May 13 21:25:52 2013 +0000

    Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
    
    tcp: fix tcp_md5_hash_skb_data()
    
    TCP md5 communications fail [1] for some devices, because sg/crypto code
    assume page offsets are below PAGE_SIZE.
    
    This was discovered using mlx4 driver [2], but I suspect loopback
    might trigger the same bug now we use order-3 pages in tcp_sendmsg()
    
    [1] Failure is giving following messages.
    
    huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
    exited with 00000101?
    
    [2] mlx4 driver uses order-2 pages to allocate RX frags
    
    Reported-by: Matt Schnall <mischnal@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Bernhard Beck <bbeck@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri May 17 04:53:13 2013 +0000

    Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
    
    ipv6: fix possible crashes in ip6_cork_release()
    
    commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
    added some code duplication and bad error recovery, leading to potential
    crash in ip6_cork_release() as kfree() could be called with garbage.
    
    use kzalloc() to make sure this wont happen.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
    Cc: Neal Cardwell <ncardwell@google.com>

 net/ipv6/ip6_output.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 16 23:13:04 2013 +0000

    Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
    
    net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
    
    'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
    strncpy() will always left the last byte of 'discovery->data.info'
    uninitialized.
    
    When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
    the last byte of 'discovery->data.info' uninitialized, the next
    strlen() will cause issue.
    
    Also 'discovery->data' is 'struct irda_device_info' which defined in
    "include/uapi/...", it may copy to user mode, so need whole initialized.
    
    All together, need use kzalloc() instead of kmalloc() to initialize all
    members firstly.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/irlap_frame.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c01c9af268cb066f240aec53454b8b74d8d01688
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun May 19 08:36:36 2013 +0000

    Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
    
    isdn/kcapi: fix a small underflow
    
    In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
    from skb->data.  The current code can underflow to one space before the
    start of the array.
    
    The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
    it to match the others.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/capi/kcapi.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
Author: Timo Teräs <timo.teras@iki.fi>
Date:   Wed May 22 01:40:47 2013 +0000

    Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
    
    xfrm: properly handle invalid states as an error
    
    The error exit path needs err explicitly set. Otherwise it
    returns success and the only caller, xfrm_output_resume(),
    would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
    NULL.
    
    Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
    check and add a statistic).
    
    Signed-off-by: Timo Teräs <timo.teras@iki.fi>
    Cc: Li RongQing <roy.qing.li@gmail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/xfrm/xfrm_output.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
Date:   Fri May 31 15:07:52 2013 -0400

    Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
    
    reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
    
    After sleeping for filldir(), we check to see if the file system has
    changed and research. The next_pos pointer is updated but its value
    isn't pushed into the key used for the search itself. As a result,
    the search returns the same item that the last cycle of the loop did
    and filldir() is called multiple times with the same data.
    
    The end result is that the buffer can contain the same name multiple
    times. This can be returned to userspace or used internally in the
    xattr code where it can manifest with the following warning:
    
    jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
    
    reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
    the xattr names and ends up trying to unlink the same name twice. The
    second attempt fails with -ENOENT and the error is returned. At some
    point I'll need to add support into reiserfsck to remove the orphaned
    directories left behind when this occurs.
    
    The fix is to push the value into the key before researching.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/dir.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Fri May 31 15:51:17 2013 -0400

    Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
    
    reiserfs: fix deadlock with nfs racing on create/lookup
    
    Reiserfs is currently able to be deadlocked by having two NFS clients
    where one has removed and recreated a file and another is accessing the
    file with an open file handle.
    
    If one client deletes and recreates a file with timing such that the
    recreated file obtains the same [dirid, objectid] pair as the original
    file while another client accesses the file via file handle, the create
    and lookup can race and deadlock if the lookup manages to create the
    in-memory inode first.
    
    The create thread, in insert_inode_locked4, will hold the write lock
    while waiting on the other inode to be unlocked. The lookup thread,
    anywhere in the iget path, will release and reacquire the write lock while
    it schedules. If it needs to reacquire the lock while the create thread
    has it, it will never be able to make forward progress because it needs
    to reacquire the lock before ultimately unlocking the inode.
    
    This patch drops the write lock across the insert_inode_locked4 call so
    that the ordering of inode_wait -> write lock is retained. Since this
    would have been the case before the BKL push-down, this is safe.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/inode.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Fri May 31 15:54:17 2013 -0400

    Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
    
    reiserfs: fix problems with chowning setuid file w/ xattrs
    
    reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
    and uses it to iterate over all the attrs associated with a file to change
    ownership of xattrs (and transfer quota associated with the xattr files).
    
    When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
    are passed to all the xattrs as well. This means that the xattr directory
    will have S_IFREG added to its mode bits.
    
    This has been prevented in practice by a missing IS_PRIVATE check
    in reiserfs_acl_chmod, which caused a double-lock to occur while holding
    the write lock. Since the file system was completely locked up, the
    writeout of the corrupted mode never happened.
    
    This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
    calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/xattr.c     |   14 +++++++++++++-
 fs/reiserfs/xattr_acl.c |    3 +++
 2 files changed, 16 insertions(+), 1 deletions(-)

commit c18cef940310c06bdf86d64d8cb227e56e165300
Author: Dave Chinner <dchinner@redhat.com>
Date:   Mon May 27 16:38:25 2013 +1000

    Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
    
    xfs: kill suid/sgid through the truncate path.
    
    XFS has failed to kill suid/sgid bits correctly when truncating
    files of non-zero size since commit c4ed4243 ("xfs: split
    xfs_setattr") introduced in the 3.1 kernel. Fix it.
    
    Fix it.
    
    cc: stable kernel <stable@vger.kernel.org>
    Signed-off-by: Dave Chinner <dchinner@redhat.com>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Signed-off-by: Ben Myers <bpm@sgi.com>
    
    (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)

 fs/xfs/xfs_iops.c |   47 ++++++++++++++++++++++++++++++++---------------
 1 files changed, 32 insertions(+), 15 deletions(-)

commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Wed May 29 15:36:40 2013 -0400

    Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
    
    NFSv4: Fix a thinko in nfs4_try_open_cached
    
    We need to pass the full open mode flags to nfs_may_open() when doing
    a delegated open.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: stable@vger.kernel.org

 fs/nfs/nfs4proc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c47de62893a9f269be0a272c2840aac1e2a35c68
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 30 01:18:43 2013 +0000

    Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
    
    parisc: kernel: using strlcpy() instead of strcpy()
    
    'boot_args' is an input args, and 'boot_command_line' has a fix length.
    So use strlcpy() instead of strcpy() to avoid memory overflow.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Acked-by: Kyle McMartin <kyle@mcmartin.ca>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/kernel/setup.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit ce869e6f799f95fcac340420ba3612503df80dbf
Author: Chen Gang <gang.chen@asianux.com>
Date:   Mon May 27 04:57:09 2013 +0000

    Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
    
    parisc: memory overflow, 'name' length is too short for using
    
    'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
    * "%u:" + "%u" + '\0') may be 21.
    
    Since 'name' length is 20, it may be memory overflow.
    
    And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
    max length of 'name' must be less than 28.
    
    So simplify thinking, we can use 28 instead of 20 directly, and do not
    think of whether 'patchc.bc[i]' can '> 100'.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/kernel/drivers.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5dc65cd34d442783118a17c518e2daedb90a31d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 4 17:52:23 2013 -0400

    add PERF_HARDEN recommendation

 grsecurity/Kconfig |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 4 17:22:44 2013 -0400

    Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN

 grsecurity/Kconfig         |   19 +++++++++++++++++++
 include/linux/perf_event.h |    5 +++++
 kernel/events/core.c       |   10 +++++++++-
 kernel/sysctl.c            |    9 ++++++++-
 4 files changed, 41 insertions(+), 2 deletions(-)

commit 84619a3501fd38285a72d9e963f58d1827beedd6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 14:23:31 2013 -0400

    remove user-triggerable BUG_ON in do_munlockall()

 mm/mlock.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 13:44:05 2013 -0400

    Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
    
    From: Kees Cook <keescook@chromium.org>
    Date: Thu, 23 May 2013 17:32:17 +0000
    Subject: iscsi-target: fix heap buffer overflow on error
    
    If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
    error response packet, generated by iscsi_add_notunderstood_response(),
    would still attempt to copy the entire key into the packet, overflowing
    the structure on the heap.
    
    Remote preauthentication kernel memory corruption was possible if a
    target was configured and listening on the network.
    
    CVE-2013-2850
    
    Embargo-screwup-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

 drivers/target/iscsi/iscsi_target_parameters.c |    8 +++-----
 drivers/target/iscsi/iscsi_target_parameters.h |    4 +++-
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 13:43:26 2013 -0400

    Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
    Applying upstream fix instead
    
    This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.

 drivers/target/iscsi/iscsi_target_parameters.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun May 19 21:52:20 2013 +0300

    Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
    
    USB: cxacru: potential underflow in cxacru_cm_get_array()
    
    commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
    
    The value of "offd" comes off the instance->rcv_buf[] and we used it as
    the offset into an array.  The problem is that we check the upper bound
    but not for negative values.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

 drivers/usb/atm/cxacru.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 11:30:17 2013 -0400

    Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters

 drivers/target/iscsi/iscsi_target_parameters.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 8578566969d91678a3d7d5251b4eafc6d7775314
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 30 17:44:15 2013 -0400

    Apply compatibility fix to previous RLIMIT_NPROC change
    don't enforce the rlimit check at exec time if the user is root
    Prevents problems with sudo if root is listed as part of a group
    in limits.conf with process limits enforced

 kernel/sys.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
Merge: 643b294 ed9b427
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:19:28 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit ed9b4276488528d0c3803df1dc0df804238241e0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:18:45 2013 -0400

    Updated to pax-linux-3.9.4-test8.patch:
    - fixed some fallout detected by the checker plugin

 arch/x86/kernel/crash_dump_64.c               |    2 +-
 drivers/base/devtmpfs.c                       |    6 +++---
 drivers/char/agp/compat_ioctl.c               |    2 +-
 drivers/char/agp/frontend.c                   |    2 +-
 drivers/char/mem.c                            |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c         |    4 ++--
 drivers/i2c/i2c-dev.c                         |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c |    6 +++---
 drivers/media/v4l2-core/v4l2-ioctl.c          |   20 ++++++++++++--------
 fs/9p/vfs_addr.c                              |    2 +-
 fs/binfmt_elf.c                               |    4 ++--
 fs/compat_ioctl.c                             |    4 ++--
 fs/exec.c                                     |    2 +-
 fs/namespace.c                                |    8 ++++----
 fs/proc/vmcore.c                              |   12 ++++++++----
 fs/read_write.c                               |    2 +-
 include/linux/syscalls.h                      |    8 ++++----
 init/do_mounts_initrd.c                       |    8 ++++----
 init/main.c                                   |    4 ++--
 kernel/events/core.c                          |    2 +-
 kernel/events/internal.h                      |   10 +++++-----
 mm/page_io.c                                  |    2 +-
 security/keys/internal.h                      |    2 +-
 tools/gcc/checker_plugin.c                    |    1 +
 24 files changed, 63 insertions(+), 54 deletions(-)

commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 18:51:31 2013 -0400

    eliminate gcc warning

 fs/exec.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 18:30:20 2013 -0400

    use BUILD_BUG() instead of BUILD_BUG_ON(1)

 arch/x86/net/bpf_jit_comp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 5343410354267368e5809f3ad8d9a264f141be18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 17:57:41 2013 -0400

    defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
    for unknown opcodes

 arch/x86/net/bpf_jit_comp.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
Date:   Fri May 24 15:55:11 2013 -0700

    Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
    
    mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
    
    Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
    multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
    fix freed page still mapped in secondary MMU").
    
    Since hlist_for_each_entry_rcu() is changed now, we can not revert that
    patch directly, so this patch reverts the commit and simply fix the bug
    spotted by that patch
    
    This bug spotted by commit 751efd8610d3 is:
    
        There is a race condition between mmu_notifier_unregister() and
        __mmu_notifier_release().
    
        Assume two tasks, one calling mmu_notifier_unregister() as a result
        of a filp_close() ->flush() callout (task A), and the other calling
        mmu_notifier_release() from an mmput() (task B).
    
                            A                               B
        t1                                            srcu_read_lock()
        t2            if (!hlist_unhashed())
        t3                                            srcu_read_unlock()
        t4            srcu_read_lock()
        t5                                            hlist_del_init_rcu()
        t6                                            synchronize_srcu()
        t7            srcu_read_unlock()
        t8            hlist_del_rcu()  <--- NULL pointer deref.
    
    This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
    
    The another issue spotted in the commit is "multiple ->release()
    callouts", we needn't care it too much because it is really rare (e.g,
    can not happen on kvm since mmu-notify is unregistered after
    exit_mmap()) and the later call of multiple ->release should be fast
    since all the pages have already been released by the first call.
    Anyway, this issue should be fixed in a separate patch.
    
    -stable suggestions: Any version that has commit 751efd8610d3 need to be
    backported.  I find the oldest version has this commit is 3.0-stable.
    
    [akpm@linux-foundation.org: tweak comments]
    Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
    Tested-by: Robin Holt <holt@sgi.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmu_notifier.c |   79 ++++++++++++++++++++++++++---------------------------
 1 files changed, 39 insertions(+), 40 deletions(-)

commit 163a5539b36247865d39b2bcfa8efc03a62124a6
Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Date:   Fri May 24 15:55:21 2013 -0700

    Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
    
    mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
    
    We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
    set_pmd_at is used to set pmd with huge pte entries and architectures
    like ppc64, clear few flags from the pte when saving a new entry.
    Without this change we observe bad pte errors like below on ppc64 with
    THP enabled.
    
      BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/huge_memory.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date:   Fri May 24 15:55:08 2013 -0700

    Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
    
    fat: fix possible overflow for fat_clusters
    
    Intermediate value of fat_clusters can be overflowed on 32bits arch.
    
    Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/fat/inode.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
Author: Jarod Wilson <jarod@redhat.com>
Date:   Fri May 24 15:55:31 2013 -0700

    Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
    
    drivers/char/random.c: fix priming of last_data
    
    Commit ec8f02da9ea5 ("random: prime last_data value per fips
    requirements") added priming of last_data per fips requirements.
    
    Unfortuantely, it did so in a way that can lead to multiple threads all
    incrementing nbytes, but only one actually doing anything with the extra
    data, which leads to some fun random corruption and panics.
    
    The fix is to simply do everything needed to prime last_data in a single
    shot, so there's no window for multiple cpus to increment nbytes -- in
    fact, we won't even increment or decrement nbytes anymore, we'll just
    extract the needed EXTRACT_SIZE one time per pool and then carry on with
    the normal routine.
    
    All these changes have been tested across multiple hosts and
    architectures where panics were previously encoutered.  The code changes
    are are strictly limited to areas only touched when when booted in fips
    mode.
    
    This change should also go into 3.8-stable, to make the myriads of fips
    users on 3.8.x happy.
    
    Signed-off-by: Jarod Wilson <jarod@redhat.com>
    Tested-by: Jan Stancek <jstancek@redhat.com>
    Tested-by: Jan Stodola <jstodola@redhat.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Matt Mackall <mpm@selenic.com>
    Cc: "Theodore Ts'o" <tytso@mit.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c |   30 +++++++++++++++---------------
 1 files changed, 15 insertions(+), 15 deletions(-)

commit 2d74639040ba6ce47f57ec010714ec06529c4b42
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Fri May 24 15:55:33 2013 -0700

    Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
    
    random: fix accounting race condition with lockless irq entropy_count update
    
    Commit 902c098a3663 ("random: use lockless techniques in the interrupt
    path") turned IRQ path from being spinlock protected into lockless
    cmpxchg-retry update.
    
    That commit removed r->lock serialization between crediting entropy bits
    from IRQ context and accounting when extracting entropy on userspace
    read path, but didn't turn the r->entropy_count reads/updates in
    account() to use cmpxchg as well.
    
    It has been observed, that under certain circumstances this leads to
    read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
    corrupted and becomes negative, which in turn results in propagating 0
    all the way from account() to the actual read() call.
    
    Convert the accounting code to be the proper lockless counterpart of
    what has been partially done by 902c098a3663.
    
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: Greg KH <greg@kroah.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c |   26 +++++++++++++++++---------
 1 files changed, 17 insertions(+), 9 deletions(-)

commit 65d05c7ea468c23c175105526dd4f163302a92cf
Merge: 1a98d0a 6ce3a135
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 25 07:48:15 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kernel/vm86_32.c

commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
Merge: 79bdd65 0bfd8ff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 25 07:46:55 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 18:42:23 2013 -0400

    use existing local variable

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b2b80ef8586061e32e986b31608717c25d1e7c54
Merge: cb45fbd 79bdd65
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 17:58:53 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 79bdd65dac68267bc1b201c6b4a99966a373c305
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 17:57:46 2013 -0400

    Update to pax-linux-3.9.3-test7.patch:
    - fixed some size overflow related warnings (hash table, attributes)
    - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html

 arch/x86/include/asm/page_64.h    |    2 +-
 arch/x86/kernel/head64.c          |    2 +-
 tools/gcc/constify_plugin.c       |   48 ++-
 tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
 4 files changed, 651 insertions(+), 592 deletions(-)

commit cb45fbda4967b1b544a754fbdc92d73283379522
Merge: 62588fa 57c11b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 20 17:32:17 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 57c11b85acd841a088aa4df8e60be337880df8cd
Merge: 0598b37 4bb0869
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 20 17:32:08 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
Merge: e261c7b 0598b37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 17 22:57:36 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 17 22:57:07 2013 -0400

    Update to pax-linux-3.9.2-test6.patch:
    - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
    - fixed pfn extraction from pud/pgd entries, reported by ousado

 arch/x86/include/asm/pgtable.h |    9 +++++++--
 tools/gcc/structleak_plugin.c  |    3 ++-
 2 files changed, 9 insertions(+), 3 deletions(-)

commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 22:54:12 2013 -0400

    add offset to topdown check, fixes compilation

 arch/x86/kernel/sys_x86_64.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:57:41 2013 -0400

    CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
    reported by lulzh3ad on irc

 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0d4593e84707cdf6deb6b925c18c676a476b1613
Merge: 43cd0c0 39a877f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:39:11 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:37:35 2013 -0400

    Update to pax-linux-3.9.2-test105.patch:
    - fixed !EFI boot problem, reported by spender
    - fixed a few compile warnings
    - fixed some more compile errors due to constification
    - fixed some arm fallout, reported by Michael Tremer

 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/x86/kernel/sys_x86_64.c                       |    3 +--
 arch/x86/realmode/init.c                           |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +++++-----
 drivers/irqchip/irq-gic.c                          |    2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +++-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +++++++++---
 drivers/platform/x86/chromeos_laptop.c             |    2 +-
 fs/jfs/super.c                                     |    4 ++--
 include/linux/irqchip/arm-gic.h                    |    2 ++
 include/sound/compress_driver.h                    |    2 +-
 net/mac80211/cfg.c                                 |    4 ++--
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 14 files changed, 31 insertions(+), 22 deletions(-)

commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:35:22 2013 -0400

    Fix usercopy false positive under gcc 4.1

 arch/x86/kernel/signal.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 56a166129d817f6634c8c230e6ec497669bdfaca
Author: Amerigo Wang <amwang@redhat.com>
Date:   Thu May 9 21:56:37 2013 +0000

    Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
    
    ipv6,gre: do not leak info to user-space
    
    There is a hole in struct ip6_tnl_parm2, so we have to
    zero the struct on stack before copying it to user-space.
    
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_gre.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit d6f50dae2653ad912952da40417a8ccbd59c7699
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 14 16:52:35 2013 -0400

    disable unprivileged kernel profiling under HIDESYM, rename
    the variable to something more appropriate

 include/linux/perf_event.h |    8 ++++----
 kernel/events/core.c       |    6 +++++-
 kernel/sysctl.c            |    4 ++--
 3 files changed, 11 insertions(+), 7 deletions(-)

commit 01322c6951bed4eedefbd2178dbd99292b365d99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 17:19:57 2013 -0400

    mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
    existing stack-heap gap code for the new unified vm_unmapped_area

 grsecurity/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 15:40:32 2013 -0400

    fix NX fault on early boot

 arch/x86/realmode/init.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:48:13 2013 -0400

    compile fix, we weren't using %pa anyway and it's now being used
    by upstream for physical address printing

 lib/vsprintf.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:39:52 2013 -0400

    compile fix

 grsecurity/grsec_chroot.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:35:36 2013 -0400

    compile fixes

 grsecurity/grsec_chroot.c  |    2 +-
 include/linux/grinternal.h |    8 ++++----
 include/linux/grsecurity.h |    4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:27:18 2013 -0400

    compile fix

 fs/exec.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:23:17 2013 -0400

    Initial port of grsecurity for 3.9.2

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    9 +-
 arch/arm/kernel/process.c                          |    4 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   17 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/include/asm/thread_info.h             |    8 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/powerpc/mm/slice.c                            |    8 +-
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    8 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/defconfig                                  |    1 -
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/Kconfig.debug                             |    2 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |   14 +-
 arch/x86/kernel/sys_x86_64.c                       |    6 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |   16 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  126 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/usb/storage/realtek_cr.c                   |    2 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++--------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    8 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |   10 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  181 +-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  241 ++-
 fs/namespace.c                                     |   24 +
 fs/open.c                                          |   38 +
 fs/pipe.c                                          |    2 +-
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 +-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |   17 +
 fs/proc/internal.h                                 |    3 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 grsecurity/Kconfig                                 | 1031 +++++
 grsecurity/Makefile                                |   38 +
 grsecurity/gracl.c                                 | 4073 ++++++++++++++++++++
 grsecurity/gracl_alloc.c                           |  105 +
 grsecurity/gracl_cap.c                             |  110 +
 grsecurity/gracl_fs.c                              |  431 +++
 grsecurity/gracl_ip.c                              |  387 ++
 grsecurity/gracl_learn.c                           |  207 +
 grsecurity/gracl_res.c                             |   68 +
 grsecurity/gracl_segv.c                            |  305 ++
 grsecurity/gracl_shm.c                             |   40 +
 grsecurity/grsec_chdir.c                           |   19 +
 grsecurity/grsec_chroot.c                          |  370 ++
 grsecurity/grsec_disabled.c                        |  434 +++
 grsecurity/grsec_exec.c                            |  187 +
 grsecurity/grsec_fifo.c                            |   24 +
 grsecurity/grsec_fork.c                            |   23 +
 grsecurity/grsec_init.c                            |  283 ++
 grsecurity/grsec_link.c                            |   58 +
 grsecurity/grsec_log.c                             |  326 ++
 grsecurity/grsec_mem.c                             |   40 +
 grsecurity/grsec_mount.c                           |   62 +
 grsecurity/grsec_pax.c                             |   36 +
 grsecurity/grsec_ptrace.c                          |   30 +
 grsecurity/grsec_sig.c                             |  222 ++
 grsecurity/grsec_sock.c                            |  244 ++
 grsecurity/grsec_sysctl.c                          |  469 +++
 grsecurity/grsec_time.c                            |   16 +
 grsecurity/grsec_tpe.c                             |   73 +
 grsecurity/grsum.c                                 |   61 +
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/gracl.h                              |  319 ++
 include/linux/gralloc.h                            |    9 +
 include/linux/grdefs.h                             |  140 +
 include/linux/grinternal.h                         |  215 +
 include/linux/grmsg.h                              |  111 +
 include/linux/grsecurity.h                         |  242 ++
 include/linux/grsock.h                             |   19 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/netfilter/xt_gradm.h                 |    9 +
 include/linux/printk.h                             |    3 +-
 include/linux/proc_fs.h                            |   12 +
 include/linux/sched.h                              |   68 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/net/secure_seq.h                           |    1 +
 include/trace/events/fs.h                          |   53 +
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   71 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    4 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    8 +
 kernel/printk.c                                    |   13 +-
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    3 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 lib/vsprintf.c                                     |   35 +-
 localversion-grsec                                 |    1 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   64 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/shmem.c                                         |    2 +-
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/8021q/vlan.c                                   |    7 +
 net/core/dev_ioctl.c                               |    4 +
 net/core/net-procfs.c                              |    5 +
 net/core/secure_seq.c                              |    4 +-
 net/core/sock_diag.c                               |    7 +
 net/ipv4/af_inet.c                                 |    5 +-
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    7 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netfilter/xt_gradm.c                           |   51 +
 net/netrom/af_netrom.c                             |    2 +-
 net/phonet/af_phonet.c                             |    2 +-
 net/sctp/probe.c                                   |    2 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/tipc/link.c                                    |   11 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  342 ++-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 291 files changed, 15221 insertions(+), 2052 deletions(-)

commit 88854c350c899bceca4a94598c42bed44d0dc91b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 07:37:47 2013 -0400

    Initial import of pax-linux-3.9.2-test2.patch

 Documentation/dontdiff                           |   45 +-
 Documentation/kernel-parameters.txt              |   12 +
 Makefile                                         |  100 +-
 arch/alpha/include/asm/atomic.h                  |   10 +
 arch/alpha/include/asm/elf.h                     |    7 +
 arch/alpha/include/asm/pgalloc.h                 |    6 +
 arch/alpha/include/asm/pgtable.h                 |   11 +
 arch/alpha/kernel/module.c                       |    2 +-
 arch/alpha/kernel/osf_sys.c                      |    8 +-
 arch/alpha/mm/fault.c                            |  141 +-
 arch/arm/Kconfig                                 |    2 +-
 arch/arm/include/asm/atomic.h                    |  421 ++-
 arch/arm/include/asm/cache.h                     |    5 +-
 arch/arm/include/asm/cacheflush.h                |    2 +-
 arch/arm/include/asm/checksum.h                  |   14 +-
 arch/arm/include/asm/cmpxchg.h                   |    2 +
 arch/arm/include/asm/domain.h                    |   33 +-
 arch/arm/include/asm/elf.h                       |   13 +-
 arch/arm/include/asm/fncpy.h                     |    2 +
 arch/arm/include/asm/futex.h                     |   10 +
 arch/arm/include/asm/kmap_types.h                |    2 +-
 arch/arm/include/asm/mach/dma.h                  |    2 +-
 arch/arm/include/asm/mach/map.h                  |    7 +-
 arch/arm/include/asm/outercache.h                |    2 +-
 arch/arm/include/asm/page.h                      |    2 +-
 arch/arm/include/asm/pgalloc.h                   |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h      |    5 +
 arch/arm/include/asm/pgtable-2level.h            |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h      |    2 +
 arch/arm/include/asm/pgtable-3level.h            |    2 +
 arch/arm/include/asm/pgtable.h                   |   56 +-
 arch/arm/include/asm/proc-fns.h                  |    2 +-
 arch/arm/include/asm/processor.h                 |    5 +-
 arch/arm/include/asm/smp.h                       |    2 +-
 arch/arm/include/asm/thread_info.h               |    6 +-
 arch/arm/include/asm/uaccess.h                   |   92 +-
 arch/arm/include/uapi/asm/ptrace.h               |    2 +-
 arch/arm/kernel/armksyms.c                       |    6 +-
 arch/arm/kernel/entry-armv.S                     |  107 +-
 arch/arm/kernel/entry-common.S                   |   41 +-
 arch/arm/kernel/entry-header.S                   |   60 +
 arch/arm/kernel/fiq.c                            |    2 +
 arch/arm/kernel/head.S                           |    6 +-
 arch/arm/kernel/hw_breakpoint.c                  |    2 +-
 arch/arm/kernel/module.c                         |   29 +-
 arch/arm/kernel/patch.c                          |    2 +
 arch/arm/kernel/perf_event_cpu.c                 |    2 +-
 arch/arm/kernel/process.c                        |   15 +-
 arch/arm/kernel/setup.c                          |   22 +-
 arch/arm/kernel/signal.c                         |   24 +-
 arch/arm/kernel/smp.c                            |    2 +-
 arch/arm/kernel/traps.c                          |   15 +-
 arch/arm/kernel/vmlinux.lds.S                    |   22 +-
 arch/arm/lib/clear_user.S                        |    6 +-
 arch/arm/lib/copy_from_user.S                    |    6 +-
 arch/arm/lib/copy_page.S                         |    1 +
 arch/arm/lib/copy_to_user.S                      |    6 +-
 arch/arm/lib/csumpartialcopyuser.S               |    4 +-
 arch/arm/lib/delay.c                             |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c               |    2 +-
 arch/arm/mach-kirkwood/common.c                  |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                 |    2 +-
 arch/arm/mach-omap2/gpmc.c                       |   22 +-
 arch/arm/mach-omap2/omap-wakeupgen.c             |    2 +-
 arch/arm/mach-omap2/omap_device.c                |    4 +-
 arch/arm/mach-omap2/omap_device.h                |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                 |    4 +-
 arch/arm/mach-omap2/wd_timer.c                   |    6 +-
 arch/arm/mach-ux500/include/mach/setup.h         |    7 -
 arch/arm/mm/Kconfig                              |    3 +-
 arch/arm/mm/alignment.c                          |    8 +
 arch/arm/mm/fault.c                              |   91 +
 arch/arm/mm/fault.h                              |   12 +
 arch/arm/mm/init.c                               |   41 +
 arch/arm/mm/ioremap.c                            |    4 +-
 arch/arm/mm/mmap.c                               |   36 +-
 arch/arm/mm/mmu.c                                |  187 +-
 arch/arm/mm/proc-v7-2level.S                     |    3 +
 arch/arm/plat-omap/sram.c                        |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h     |    2 +-
 arch/arm64/kernel/debug-monitors.c               |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                |    2 +-
 arch/avr32/include/asm/elf.h                     |    8 +-
 arch/avr32/include/asm/kmap_types.h              |    4 +-
 arch/avr32/mm/fault.c                            |   27 +
 arch/frv/include/asm/atomic.h                    |   10 +
 arch/frv/include/asm/kmap_types.h                |    2 +-
 arch/frv/mm/elf-fdpic.c                          |    3 +-
 arch/ia64/include/asm/atomic.h                   |   10 +
 arch/ia64/include/asm/elf.h                      |    7 +
 arch/ia64/include/asm/pgalloc.h                  |   12 +
 arch/ia64/include/asm/pgtable.h                  |   13 +-
 arch/ia64/include/asm/spinlock.h                 |    2 +-
 arch/ia64/include/asm/uaccess.h                  |   26 +-
 arch/ia64/kernel/err_inject.c                    |    2 +-
 arch/ia64/kernel/mca.c                           |    2 +-
 arch/ia64/kernel/module.c                        |   48 +-
 arch/ia64/kernel/palinfo.c                       |    2 +-
 arch/ia64/kernel/salinfo.c                       |    2 +-
 arch/ia64/kernel/sys_ia64.c                      |    7 +
 arch/ia64/kernel/topology.c                      |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                   |    2 +-
 arch/ia64/mm/fault.c                             |   32 +-
 arch/ia64/mm/init.c                              |   13 +
 arch/m32r/lib/usercopy.c                         |    6 +
 arch/mips/include/asm/atomic.h                   |   14 +
 arch/mips/include/asm/elf.h                      |   11 +-
 arch/mips/include/asm/exec.h                     |    2 +-
 arch/mips/include/asm/page.h                     |    2 +-
 arch/mips/include/asm/pgalloc.h                  |    5 +
 arch/mips/kernel/binfmt_elfn32.c                 |    7 +
 arch/mips/kernel/binfmt_elfo32.c                 |    7 +
 arch/mips/kernel/process.c                       |   12 -
 arch/mips/mm/fault.c                             |   17 +
 arch/mips/mm/mmap.c                              |   51 +-
 arch/parisc/include/asm/atomic.h                 |   10 +
 arch/parisc/include/asm/elf.h                    |    7 +
 arch/parisc/include/asm/pgalloc.h                |    6 +
 arch/parisc/include/asm/pgtable.h                |   11 +
 arch/parisc/include/asm/uaccess.h                |    4 +-
 arch/parisc/kernel/module.c                      |   50 +-
 arch/parisc/kernel/sys_parisc.c                  |    9 +-
 arch/parisc/kernel/traps.c                       |    4 +-
 arch/parisc/mm/fault.c                           |  140 +-
 arch/powerpc/include/asm/atomic.h                |   10 +
 arch/powerpc/include/asm/elf.h                   |   19 +-
 arch/powerpc/include/asm/exec.h                  |    2 +-
 arch/powerpc/include/asm/kmap_types.h            |    2 +-
 arch/powerpc/include/asm/mman.h                  |    2 +-
 arch/powerpc/include/asm/page.h                  |    8 +-
 arch/powerpc/include/asm/page_64.h               |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h            |    7 +
 arch/powerpc/include/asm/pgtable.h               |    1 +
 arch/powerpc/include/asm/pte-hash32.h            |    1 +
 arch/powerpc/include/asm/reg.h                   |    1 +
 arch/powerpc/include/asm/smp.h                   |    2 +-
 arch/powerpc/include/asm/uaccess.h               |  140 +-
 arch/powerpc/kernel/exceptions-64e.S             |    4 +-
 arch/powerpc/kernel/exceptions-64s.S             |    2 +-
 arch/powerpc/kernel/module_32.c                  |   13 +-
 arch/powerpc/kernel/process.c                    |   55 -
 arch/powerpc/kernel/signal_32.c                  |    2 +-
 arch/powerpc/kernel/signal_64.c                  |    2 +-
 arch/powerpc/kernel/sysfs.c                      |    2 +-
 arch/powerpc/kernel/vdso.c                       |    5 +-
 arch/powerpc/lib/usercopy_64.c                   |   18 -
 arch/powerpc/mm/fault.c                          |   54 +-
 arch/powerpc/mm/mmap_64.c                        |   16 +
 arch/powerpc/mm/mmu_context_nohash.c             |    2 +-
 arch/powerpc/mm/numa.c                           |    2 +-
 arch/powerpc/mm/slice.c                          |   23 +-
 arch/powerpc/platforms/cell/spufs/file.c         |    4 +-
 arch/powerpc/platforms/powermac/smp.c            |    2 +-
 arch/s390/include/asm/atomic.h                   |   10 +
 arch/s390/include/asm/elf.h                      |   13 +-
 arch/s390/include/asm/exec.h                     |    2 +-
 arch/s390/include/asm/uaccess.h                  |   15 +-
 arch/s390/kernel/module.c                        |   22 +-
 arch/s390/kernel/process.c                       |   36 -
 arch/s390/mm/mmap.c                              |   24 +
 arch/score/include/asm/exec.h                    |    2 +-
 arch/score/kernel/process.c                      |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c               |    2 +-
 arch/sh/mm/mmap.c                                |   22 +-
 arch/sparc/include/asm/atomic_64.h               |  106 +-
 arch/sparc/include/asm/cache.h                   |    2 +-
 arch/sparc/include/asm/elf_32.h                  |    7 +
 arch/sparc/include/asm/elf_64.h                  |    7 +
 arch/sparc/include/asm/pgalloc_32.h              |    1 +
 arch/sparc/include/asm/pgalloc_64.h              |    1 +
 arch/sparc/include/asm/pgtable_32.h              |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                |    5 +
 arch/sparc/include/asm/spinlock_64.h             |   35 +-
 arch/sparc/include/asm/thread_info_32.h          |    2 +
 arch/sparc/include/asm/thread_info_64.h          |    2 +
 arch/sparc/include/asm/uaccess.h                 |    1 +
 arch/sparc/include/asm/uaccess_32.h              |   27 +-
 arch/sparc/include/asm/uaccess_64.h              |   19 +-
 arch/sparc/kernel/Makefile                       |    2 +-
 arch/sparc/kernel/prom_common.c                  |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                 |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                 |   48 +-
 arch/sparc/kernel/sysfs.c                        |    2 +-
 arch/sparc/kernel/traps_64.c                     |   13 +-
 arch/sparc/kernel/us3_cpufreq.c                  |   69 +-
 arch/sparc/lib/Makefile                          |    2 +-
 arch/sparc/lib/atomic_64.S                       |  136 +-
 arch/sparc/lib/ksyms.c                           |    6 +
 arch/sparc/mm/Makefile                           |    2 +-
 arch/sparc/mm/fault_32.c                         |  292 ++
 arch/sparc/mm/fault_64.c                         |  486 ++
 arch/sparc/mm/hugetlbpage.c                      |   21 +-
 arch/tile/include/asm/atomic_64.h                |   10 +
 arch/tile/include/asm/uaccess.h                  |    4 +-
 arch/um/Makefile                                 |    4 +
 arch/um/include/asm/kmap_types.h                 |    2 +-
 arch/um/include/asm/page.h                       |    3 +
 arch/um/include/asm/pgtable-3level.h             |    1 +
 arch/um/kernel/process.c                         |   16 -
 arch/x86/Kconfig                                 |   10 +-
 arch/x86/Kconfig.cpu                             |    6 +-
 arch/x86/Kconfig.debug                           |    6 +-
 arch/x86/Makefile                                |   10 +
 arch/x86/boot/Makefile                           |    3 +
 arch/x86/boot/bitops.h                           |    4 +-
 arch/x86/boot/boot.h                             |    4 +-
 arch/x86/boot/compressed/Makefile                |    3 +
 arch/x86/boot/compressed/eboot.c                 |    2 -
 arch/x86/boot/compressed/head_32.S               |    7 +-
 arch/x86/boot/compressed/head_64.S               |    8 +-
 arch/x86/boot/compressed/misc.c                  |    4 +-
 arch/x86/boot/cpucheck.c                         |   28 +-
 arch/x86/boot/header.S                           |    6 +-
 arch/x86/boot/memory.c                           |    2 +-
 arch/x86/boot/video-vesa.c                       |    1 +
 arch/x86/boot/video.c                            |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S              |    4 +
 arch/x86/crypto/aesni-intel_asm.S                |   21 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S         |    7 +
 arch/x86/crypto/camellia-x86_64-asm_64.S         |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S        |    7 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S        |    7 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S          |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S      |    7 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S     |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                 |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S      |    7 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S     |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S          |    3 +
 arch/x86/ia32/ia32_signal.c                      |   14 +-
 arch/x86/ia32/ia32entry.S                        |  141 +-
 arch/x86/ia32/sys_ia32.c                         |    6 +-
 arch/x86/include/asm/alternative-asm.h           |   39 +
 arch/x86/include/asm/alternative.h               |    4 +-
 arch/x86/include/asm/apic.h                      |    2 +-
 arch/x86/include/asm/apm.h                       |    4 +-
 arch/x86/include/asm/atomic.h                    |  307 ++-
 arch/x86/include/asm/atomic64_32.h               |  100 +
 arch/x86/include/asm/atomic64_64.h               |  202 +-
 arch/x86/include/asm/bitops.h                    |    4 +-
 arch/x86/include/asm/boot.h                      |    7 +-
 arch/x86/include/asm/cache.h                     |    5 +-
 arch/x86/include/asm/cacheflush.h                |    2 +-
 arch/x86/include/asm/checksum_32.h               |   12 +-
 arch/x86/include/asm/cmpxchg.h                   |   35 +
 arch/x86/include/asm/compat.h                    |    2 +-
 arch/x86/include/asm/cpufeature.h                |    4 +-
 arch/x86/include/asm/desc.h                      |   67 +-
 arch/x86/include/asm/desc_defs.h                 |    6 +
 arch/x86/include/asm/div64.h                     |    2 +-
 arch/x86/include/asm/elf.h                       |   31 +-
 arch/x86/include/asm/emergency-restart.h         |    2 +-
 arch/x86/include/asm/fpu-internal.h              |    6 +-
 arch/x86/include/asm/futex.h                     |   16 +-
 arch/x86/include/asm/hw_irq.h                    |    4 +-
 arch/x86/include/asm/i8259.h                     |    2 +-
 arch/x86/include/asm/io.h                        |   21 +-
 arch/x86/include/asm/irqflags.h                  |    5 +
 arch/x86/include/asm/kprobes.h                   |    9 +-
 arch/x86/include/asm/local.h                     |  142 +-
 arch/x86/include/asm/mman.h                      |   15 +
 arch/x86/include/asm/mmu.h                       |   16 +-
 arch/x86/include/asm/mmu_context.h               |   76 +-
 arch/x86/include/asm/module.h                    |   17 +-
 arch/x86/include/asm/nmi.h                       |    6 +-
 arch/x86/include/asm/page_64.h                   |    2 +-
 arch/x86/include/asm/paravirt.h                  |   46 +-
 arch/x86/include/asm/paravirt_types.h            |   17 +-
 arch/x86/include/asm/pgalloc.h                   |   23 +
 arch/x86/include/asm/pgtable-2level.h            |    2 +
 arch/x86/include/asm/pgtable-3level.h            |    4 +
 arch/x86/include/asm/pgtable.h                   |  113 +-
 arch/x86/include/asm/pgtable_32.h                |   14 +-
 arch/x86/include/asm/pgtable_32_types.h          |   15 +-
 arch/x86/include/asm/pgtable_64.h                |   19 +-
 arch/x86/include/asm/pgtable_64_types.h          |    5 +
 arch/x86/include/asm/pgtable_types.h             |   36 +-
 arch/x86/include/asm/processor.h                 |   39 +-
 arch/x86/include/asm/ptrace.h                    |   26 +-
 arch/x86/include/asm/realmode.h                  |    4 +-
 arch/x86/include/asm/reboot.h                    |   10 +-
 arch/x86/include/asm/rwsem.h                     |   60 +-
 arch/x86/include/asm/segment.h                   |   24 +-
 arch/x86/include/asm/smp.h                       |   14 +-
 arch/x86/include/asm/spinlock.h                  |   36 +-
 arch/x86/include/asm/stackprotector.h            |    4 +-
 arch/x86/include/asm/stacktrace.h                |   32 +-
 arch/x86/include/asm/switch_to.h                 |    4 +-
 arch/x86/include/asm/thread_info.h               |   83 +-
 arch/x86/include/asm/uaccess.h                   |   96 +-
 arch/x86/include/asm/uaccess_32.h                |  106 +-
 arch/x86/include/asm/uaccess_64.h                |  232 +-
 arch/x86/include/asm/word-at-a-time.h            |    2 +-
 arch/x86/include/asm/x86_init.h                  |   10 +-
 arch/x86/include/asm/xsave.h                     |   10 +-
 arch/x86/include/uapi/asm/e820.h                 |    2 +-
 arch/x86/kernel/Makefile                         |    2 +-
 arch/x86/kernel/acpi/boot.c                      |    4 +-
 arch/x86/kernel/acpi/sleep.c                     |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                 |    6 +-
 arch/x86/kernel/alternative.c                    |   65 +-
 arch/x86/kernel/apic/apic.c                      |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c              |    4 +-
 arch/x86/kernel/apic/apic_noop.c                 |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                 |    2 +-
 arch/x86/kernel/apic/es7000_32.c                 |    5 +-
 arch/x86/kernel/apic/io_apic.c                   |    8 +-
 arch/x86/kernel/apic/numaq_32.c                  |    3 +-
 arch/x86/kernel/apic/probe_32.c                  |    2 +-
 arch/x86/kernel/apic/summit_32.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c            |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c               |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c               |    2 +-
 arch/x86/kernel/apm_32.c                         |   19 +-
 arch/x86/kernel/asm-offsets.c                    |   20 +
 arch/x86/kernel/asm-offsets_64.c                 |    1 +
 arch/x86/kernel/cpu/Makefile                     |    4 -
 arch/x86/kernel/cpu/amd.c                        |    2 +-
 arch/x86/kernel/cpu/common.c                     |   75 +-
 arch/x86/kernel/cpu/intel.c                      |    2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c            |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                 |   31 +-
 arch/x86/kernel/cpu/mcheck/p5.c                  |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c         |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c             |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                  |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                  |    2 +-
 arch/x86/kernel/cpu/perf_event.c                 |    8 +-
 arch/x86/kernel/cpu/perf_event_intel.c           |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c    |    4 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h    |    2 +-
 arch/x86/kernel/cpuid.c                          |    2 +-
 arch/x86/kernel/crash.c                          |    4 +-
 arch/x86/kernel/doublefault_32.c                 |    8 +-
 arch/x86/kernel/dumpstack.c                      |   30 +-
 arch/x86/kernel/dumpstack_32.c                   |   34 +-
 arch/x86/kernel/dumpstack_64.c                   |   63 +-
 arch/x86/kernel/early_printk.c                   |    1 +
 arch/x86/kernel/entry_32.S                       |  354 ++-
 arch/x86/kernel/entry_64.S                       |  530 ++-
 arch/x86/kernel/ftrace.c                         |   14 +-
 arch/x86/kernel/head64.c                         |    1 -
 arch/x86/kernel/head_32.S                        |  237 +-
 arch/x86/kernel/head_64.S                        |  120 +-
 arch/x86/kernel/i386_ksyms_32.c                  |    8 +
 arch/x86/kernel/i387.c                           |    2 +-
 arch/x86/kernel/i8259.c                          |   10 +-
 arch/x86/kernel/io_delay.c                       |    2 +-
 arch/x86/kernel/ioport.c                         |    2 +-
 arch/x86/kernel/irq.c                            |    8 +-
 arch/x86/kernel/irq_32.c                         |   69 +-
 arch/x86/kernel/irq_64.c                         |    2 +-
 arch/x86/kernel/kdebugfs.c                       |    2 +-
 arch/x86/kernel/kgdb.c                           |   25 +-
 arch/x86/kernel/kprobes/core.c                   |   30 +-
 arch/x86/kernel/kprobes/opt.c                    |   16 +-
 arch/x86/kernel/kvm.c                            |    2 +-
 arch/x86/kernel/ldt.c                            |   31 +-
 arch/x86/kernel/machine_kexec_32.c               |    6 +-
 arch/x86/kernel/microcode_core.c                 |    2 +-
 arch/x86/kernel/microcode_intel.c                |    4 +-
 arch/x86/kernel/module.c                         |   76 +-
 arch/x86/kernel/msr.c                            |    2 +-
 arch/x86/kernel/nmi.c                            |   19 +-
 arch/x86/kernel/nmi_selftest.c                   |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c             |    2 +-
 arch/x86/kernel/paravirt.c                       |   43 +-
 arch/x86/kernel/pci-calgary_64.c                 |    2 +-
 arch/x86/kernel/pci-iommu_table.c                |    2 +-
 arch/x86/kernel/pci-swiotlb.c                    |    2 +-
 arch/x86/kernel/process.c                        |   57 +-
 arch/x86/kernel/process_32.c                     |   29 +-
 arch/x86/kernel/process_64.c                     |   15 +-
 arch/x86/kernel/ptrace.c                         |   25 +-
 arch/x86/kernel/pvclock.c                        |    8 +-
 arch/x86/kernel/reboot.c                         |   44 +-
 arch/x86/kernel/relocate_kernel_64.S             |    4 +-
 arch/x86/kernel/setup.c                          |   19 +-
 arch/x86/kernel/setup_percpu.c                   |   29 +-
 arch/x86/kernel/signal.c                         |   15 +-
 arch/x86/kernel/smp.c                            |    2 +-
 arch/x86/kernel/smpboot.c                        |   15 +-
 arch/x86/kernel/step.c                           |   10 +-
 arch/x86/kernel/sys_i386_32.c                    |  248 +
 arch/x86/kernel/sys_x86_64.c                     |   19 +-
 arch/x86/kernel/tboot.c                          |   14 +-
 arch/x86/kernel/time.c                           |   10 +-
 arch/x86/kernel/tls.c                            |    7 +-
 arch/x86/kernel/traps.c                          |   64 +-
 arch/x86/kernel/uprobes.c                        |    2 +-
 arch/x86/kernel/vm86_32.c                        |    6 +-
 arch/x86/kernel/vmlinux.lds.S                    |  148 +-
 arch/x86/kernel/vsyscall_64.c                    |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                 |    2 -
 arch/x86/kernel/x86_init.c                       |    8 +-
 arch/x86/kernel/xsave.c                          |    2 +
 arch/x86/kvm/cpuid.c                             |   21 +-
 arch/x86/kvm/emulate.c                           |    4 +-
 arch/x86/kvm/lapic.c                             |    2 +-
 arch/x86/kvm/paging_tmpl.h                       |    2 +-
 arch/x86/kvm/svm.c                               |    8 +
 arch/x86/kvm/vmx.c                               |   57 +-
 arch/x86/kvm/x86.c                               |   10 +-
 arch/x86/lguest/boot.c                           |    3 +-
 arch/x86/lib/atomic64_386_32.S                   |  164 +
 arch/x86/lib/atomic64_cx8_32.S                   |  103 +-
 arch/x86/lib/checksum_32.S                       |  100 +-
 arch/x86/lib/clear_page_64.S                     |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                    |    2 +
 arch/x86/lib/copy_page_64.S                      |   24 +-
 arch/x86/lib/copy_user_64.S                      |   47 +-
 arch/x86/lib/copy_user_nocache_64.S              |   20 +-
 arch/x86/lib/csum-copy_64.S                      |    2 +
 arch/x86/lib/csum-wrappers_64.c                  |    4 +-
 arch/x86/lib/getuser.S                           |   70 +-
 arch/x86/lib/insn.c                              |    6 +-
 arch/x86/lib/iomap_copy_64.S                     |    2 +
 arch/x86/lib/memcpy_64.S                         |   18 +-
 arch/x86/lib/memmove_64.S                        |   34 +-
 arch/x86/lib/memset_64.S                         |    7 +-
 arch/x86/lib/mmx_32.c                            |  243 +-
 arch/x86/lib/msr-reg.S                           |   18 +-
 arch/x86/lib/putuser.S                           |   90 +-
 arch/x86/lib/rwlock.S                            |   42 +
 arch/x86/lib/rwsem.S                             |    6 +-
 arch/x86/lib/thunk_64.S                          |    2 +
 arch/x86/lib/usercopy_32.c                       |  376 +-
 arch/x86/lib/usercopy_64.c                       |   25 +-
 arch/x86/mm/extable.c                            |   25 +-
 arch/x86/mm/fault.c                              |  556 ++-
 arch/x86/mm/gup.c                                |    2 +-
 arch/x86/mm/highmem_32.c                         |    4 +
 arch/x86/mm/hugetlbpage.c                        |   30 +-
 arch/x86/mm/init.c                               |   90 +-
 arch/x86/mm/init_32.c                            |  119 +-
 arch/x86/mm/init_64.c                            |   44 +-
 arch/x86/mm/iomap_32.c                           |    4 +
 arch/x86/mm/ioremap.c                            |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                |    4 +-
 arch/x86/mm/mmap.c                               |   41 +-
 arch/x86/mm/mmio-mod.c                           |   10 +-
 arch/x86/mm/numa.c                               |    2 +-
 arch/x86/mm/pageattr-test.c                      |    2 +-
 arch/x86/mm/pageattr.c                           |   33 +-
 arch/x86/mm/pat.c                                |   12 +-
 arch/x86/mm/pf_in.c                              |   10 +-
 arch/x86/mm/pgtable.c                            |  137 +-
 arch/x86/mm/pgtable_32.c                         |    3 +
 arch/x86/mm/physaddr.c                           |    4 +-
 arch/x86/mm/setup_nx.c                           |    7 +
 arch/x86/mm/tlb.c                                |    4 +
 arch/x86/net/bpf_jit.S                           |   14 +
 arch/x86/net/bpf_jit_comp.c                      |   37 +-
 arch/x86/oprofile/backtrace.c                    |    8 +-
 arch/x86/oprofile/nmi_int.c                      |    8 +-
 arch/x86/oprofile/op_model_amd.c                 |    8 +-
 arch/x86/oprofile/op_model_ppro.c                |    7 +-
 arch/x86/oprofile/op_x86_model.h                 |    2 +-
 arch/x86/pci/amd_bus.c                           |    2 +-
 arch/x86/pci/irq.c                               |    8 +-
 arch/x86/pci/mrst.c                              |    4 +-
 arch/x86/pci/pcbios.c                            |  144 +-
 arch/x86/platform/efi/efi_32.c                   |   19 +
 arch/x86/platform/efi/efi_stub_32.S              |   64 +-
 arch/x86/platform/efi/efi_stub_64.S              |    8 +
 arch/x86/platform/mrst/mrst.c                    |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                 |    2 +-
 arch/x86/power/cpu.c                             |    4 +-
 arch/x86/realmode/init.c                         |    8 +-
 arch/x86/realmode/rm/Makefile                    |    3 +
 arch/x86/realmode/rm/header.S                    |    4 +-
 arch/x86/realmode/rm/trampoline_32.S             |   12 +-
 arch/x86/realmode/rm/trampoline_64.S             |    2 +-
 arch/x86/tools/relocs.c                          |   95 +-
 arch/x86/vdso/Makefile                           |    2 +-
 arch/x86/vdso/vdso32-setup.c                     |   23 +-
 arch/x86/vdso/vma.c                              |   29 +-
 arch/x86/xen/enlighten.c                         |   47 +-
 arch/x86/xen/mmu.c                               |    9 +
 arch/x86/xen/smp.c                               |   18 +-
 arch/x86/xen/xen-asm_32.S                        |   12 +-
 arch/x86/xen/xen-head.S                          |   11 +
 arch/x86/xen/xen-ops.h                           |    2 -
 block/blk-iopoll.c                               |    4 +-
 block/blk-map.c                                  |    2 +-
 block/blk-softirq.c                              |    4 +-
 block/bsg.c                                      |   12 +-
 block/compat_ioctl.c                             |    2 +-
 block/partitions/efi.c                           |    8 +-
 block/scsi_ioctl.c                               |   27 +-
 crypto/cryptd.c                                  |    4 +-
 drivers/acpi/apei/apei-internal.h                |    2 +-
 drivers/acpi/apei/cper.c                         |    8 +-
 drivers/acpi/bgrt.c                              |    6 +-
 drivers/acpi/blacklist.c                         |    4 +-
 drivers/acpi/ec_sys.c                            |   12 +-
 drivers/acpi/processor_idle.c                    |    2 +-
 drivers/acpi/sysfs.c                             |    4 +-
 drivers/ata/libahci.c                            |    2 +-
 drivers/ata/libata-core.c                        |    8 +-
 drivers/ata/pata_arasan_cf.c                     |    4 +-
 drivers/atm/adummy.c                             |    2 +-
 drivers/atm/ambassador.c                         |    8 +-
 drivers/atm/atmtcp.c                             |   14 +-
 drivers/atm/eni.c                                |   10 +-
 drivers/atm/firestream.c                         |    8 +-
 drivers/atm/fore200e.c                           |   14 +-
 drivers/atm/he.c                                 |   18 +-
 drivers/atm/horizon.c                            |    4 +-
 drivers/atm/idt77252.c                           |   36 +-
 drivers/atm/iphase.c                             |   34 +-
 drivers/atm/lanai.c                              |   12 +-
 drivers/atm/nicstar.c                            |   46 +-
 drivers/atm/solos-pci.c                          |    4 +-
 drivers/atm/suni.c                               |    4 +-
 drivers/atm/uPD98402.c                           |   16 +-
 drivers/atm/zatm.c                               |    6 +-
 drivers/base/bus.c                               |    4 +-
 drivers/base/devtmpfs.c                          |    2 +-
 drivers/base/node.c                              |    2 +-
 drivers/base/power/domain.c                      |    4 +-
 drivers/base/power/wakeup.c                      |    8 +-
 drivers/base/syscore.c                           |    4 +-
 drivers/block/cciss.c                            |   28 +-
 drivers/block/cciss.h                            |    2 +-
 drivers/block/cpqarray.c                         |   28 +-
 drivers/block/cpqarray.h                         |    2 +-
 drivers/block/drbd/drbd_int.h                    |    6 +-
 drivers/block/drbd/drbd_main.c                   |    8 +-
 drivers/block/drbd/drbd_receiver.c               |   22 +-
 drivers/block/loop.c                             |    2 +-
 drivers/block/pktcdvd.c                          |    2 +-
 drivers/cdrom/cdrom.c                            |    9 +-
 drivers/cdrom/gdrom.c                            |    1 -
 drivers/char/agp/frontend.c                      |    2 +-
 drivers/char/hpet.c                              |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c              |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                 |    8 +-
 drivers/char/mem.c                               |   41 +-
 drivers/char/nvram.c                             |    2 +-
 drivers/char/pcmcia/synclink_cs.c                |   18 +-
 drivers/char/random.c                            |   10 +-
 drivers/char/sonypi.c                            |    9 +-
 drivers/char/tpm/tpm_acpi.c                      |    3 +-
 drivers/char/tpm/tpm_eventlog.c                  |    7 +-
 drivers/char/virtio_console.c                    |    4 +-
 drivers/clocksource/arm_arch_timer.c             |    2 +-
 drivers/clocksource/metag_generic.c              |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                   |   20 +-
 drivers/cpufreq/cpufreq.c                        |    9 +-
 drivers/cpufreq/cpufreq_governor.c               |    4 +-
 drivers/cpufreq/cpufreq_governor.h               |    2 +-
 drivers/cpufreq/cpufreq_stats.c                  |    2 +-
 drivers/cpufreq/p4-clockmod.c                    |   12 +-
 drivers/cpufreq/speedstep-centrino.c             |    7 +-
 drivers/cpuidle/cpuidle.c                        |    2 +-
 drivers/cpuidle/governor.c                       |    4 +-
 drivers/cpuidle/sysfs.c                          |    2 +-
 drivers/devfreq/devfreq.c                        |    4 +-
 drivers/dma/sh/shdma.c                           |    2 +-
 drivers/edac/edac_mc_sysfs.c                     |   12 +-
 drivers/edac/edac_pci_sysfs.c                    |   22 +-
 drivers/edac/mce_amd.h                           |    2 +-
 drivers/firewire/core-card.c                     |    2 +-
 drivers/firewire/core-cdev.c                     |    3 +-
 drivers/firewire/core-device.c                   |    2 +-
 drivers/firewire/core-transaction.c              |    1 +
 drivers/firewire/core.h                          |    1 +
 drivers/firmware/dmi-id.c                        |    2 +-
 drivers/firmware/dmi_scan.c                      |    7 +-
 drivers/firmware/efivars.c                       |    4 +-
 drivers/firmware/google/memconsole.c             |    4 +-
 drivers/gpio/gpio-ich.c                          |    2 +-
 drivers/gpio/gpio-vr41xx.c                       |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                |    2 +-
 drivers/gpu/drm/drm_drv.c                        |    6 +-
 drivers/gpu/drm/drm_fops.c                       |   18 +-
 drivers/gpu/drm/drm_global.c                     |   14 +-
 drivers/gpu/drm/drm_info.c                       |   14 +-
 drivers/gpu/drm/drm_ioc32.c                      |   13 +-
 drivers/gpu/drm/drm_ioctl.c                      |    2 +-
 drivers/gpu/drm/drm_lock.c                       |    4 +-
 drivers/gpu/drm/drm_stub.c                       |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                  |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c              |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                  |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c       |    6 +-
 drivers/gpu/drm/i915/i915_ioc32.c                |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                  |   22 +-
 drivers/gpu/drm/i915/intel_display.c             |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                    |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                  |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                    |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c           |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c            |    4 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c          |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c            |    2 +-
 drivers/gpu/drm/r128/r128_cce.c                  |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                  |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                  |    4 +-
 drivers/gpu/drm/r128/r128_state.c                |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c           |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h              |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c            |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c              |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c            |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c              |   37 +-
 drivers/gpu/drm/radeon/rs690.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c             |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                     |    1 -
 drivers/gpu/drm/via/via_drv.h                    |    4 +-
 drivers/gpu/drm/via/via_irq.c                    |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h              |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c             |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c           |    2 +-
 drivers/hid/hid-core.c                           |    4 +-
 drivers/hv/channel.c                             |    4 +-
 drivers/hv/hv.c                                  |    2 +-
 drivers/hv/hyperv_vmbus.h                        |    2 +-
 drivers/hv/vmbus_drv.c                           |    4 +-
 drivers/hwmon/acpi_power_meter.c                 |    4 +-
 drivers/hwmon/applesmc.c                         |    2 +-
 drivers/hwmon/asus_atk0110.c                     |   10 +-
 drivers/hwmon/coretemp.c                         |    2 +-
 drivers/hwmon/ibmaem.c                           |    2 +-
 drivers/hwmon/sht15.c                            |   12 +-
 drivers/hwmon/via-cputemp.c                      |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c            |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c           |    2 +-
 drivers/ide/ide-cd.c                             |    2 +-
 drivers/iio/industrialio-core.c                  |    2 +-
 drivers/infiniband/core/cm.c                     |   32 +-
 drivers/infiniband/core/fmr_pool.c               |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c           |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c          |    6 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c          |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c           |    2 +-
 drivers/infiniband/hw/nes/nes.c                  |    4 +-
 drivers/infiniband/hw/nes/nes.h                  |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c               |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c              |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c              |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c            |   10 +-
 drivers/infiniband/hw/qib/qib.h                  |    1 +
 drivers/input/gameport/gameport.c                |    4 +-
 drivers/input/input.c                            |    4 +-
 drivers/input/joystick/sidewinder.c              |    1 +
 drivers/input/joystick/xpad.c                    |    4 +-
 drivers/input/mouse/psmouse.h                    |    2 +-
 drivers/input/mousedev.c                         |    2 +-
 drivers/input/serio/serio.c                      |    4 +-
 drivers/iommu/iommu.c                            |    2 +-
 drivers/iommu/irq_remapping.c                    |   10 +-
 drivers/irqchip/irq-gic.c                        |    4 +-
 drivers/isdn/capi/capi.c                         |   10 +-
 drivers/isdn/gigaset/interface.c                 |    8 +-
 drivers/isdn/hardware/avm/b1.c                   |    4 +-
 drivers/isdn/i4l/isdn_tty.c                      |   22 +-
 drivers/isdn/icn/icn.c                           |    2 +-
 drivers/leds/leds-clevo-mail.c                   |    2 +-
 drivers/leds/leds-ss4200.c                       |    2 +-
 drivers/lguest/core.c                            |   10 +-
 drivers/lguest/page_tables.c                     |    2 +-
 drivers/lguest/x86/core.c                        |   12 +-
 drivers/lguest/x86/switcher_32.S                 |   27 +-
 drivers/md/bitmap.c                              |    2 +-
 drivers/md/dm-ioctl.c                            |    2 +-
 drivers/md/dm-raid1.c                            |   16 +-
 drivers/md/dm-stripe.c                           |   10 +-
 drivers/md/dm-table.c                            |    2 +-
 drivers/md/dm-thin-metadata.c                    |    4 +-
 drivers/md/dm.c                                  |   16 +-
 drivers/md/md.c                                  |   26 +-
 drivers/md/md.h                                  |    6 +-
 drivers/md/persistent-data/dm-space-map.h        |    1 +
 drivers/md/raid1.c                               |    4 +-
 drivers/md/raid10.c                              |   16 +-
 drivers/md/raid5.c                               |   10 +-
 drivers/media/dvb-core/dvbdev.c                  |    2 +-
 drivers/media/dvb-frontends/dib3000.h            |    2 +-
 drivers/media/pci/cx88/cx88-video.c              |    6 +-
 drivers/media/platform/omap/omap_vout.c          |   11 +-
 drivers/media/platform/s5p-tv/mixer.h            |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c  |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c        |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c      |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c   |    2 +-
 drivers/media/radio/radio-cadet.c                |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c               |    2 +-
 drivers/media/v4l2-core/v4l2-ioctl.c             |    5 +-
 drivers/message/fusion/mptsas.c                  |   34 +-
 drivers/message/fusion/mptscsih.c                |   19 +-
 drivers/message/i2o/i2o_proc.c                   |   51 +-
 drivers/message/i2o/iop.c                        |    8 +-
 drivers/mfd/janz-cmodio.c                        |    1 +
 drivers/mfd/twl4030-irq.c                        |    9 +-
 drivers/mfd/twl6030-irq.c                        |   10 +-
 drivers/misc/c2port/core.c                       |    4 +-
 drivers/misc/kgdbts.c                            |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c               |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h               |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                 |    8 +-
 drivers/misc/sgi-gru/grutables.h                 |  154 +-
 drivers/misc/sgi-xp/xp.h                         |    2 +-
 drivers/misc/sgi-xp/xpc.h                        |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                   |    4 +-
 drivers/mmc/core/mmc_ops.c                       |    2 +-
 drivers/mmc/host/dw_mmc.h                        |    2 +-
 drivers/mmc/host/sdhci-s3c.c                     |    8 +-
 drivers/mtd/devices/doc2000.c                    |    2 +-
 drivers/mtd/nand/denali.c                        |    1 +
 drivers/mtd/nftlmount.c                          |    1 +
 drivers/mtd/sm_ftl.c                             |    2 +-
 drivers/net/bonding/bond_main.c                  |    2 +-
 drivers/net/ethernet/8390/ax88796.c              |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h  |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c   |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h   |    3 +-
 drivers/net/ethernet/broadcom/tg3.h              |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h         |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c           |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c      |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c         |    2 +
 drivers/net/ethernet/faraday/ftmac100.c          |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c     |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c |    7 +-
 drivers/net/ethernet/realtek/r8169.c             |    8 +-
 drivers/net/ethernet/sfc/ptp.c                   |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c   |    4 +-
 drivers/net/hyperv/hyperv_net.h                  |    2 +-
 drivers/net/hyperv/rndis_filter.c                |    4 +-
 drivers/net/ieee802154/fakehard.c                |    2 +-
 drivers/net/macvlan.c                            |   18 +-
 drivers/net/macvtap.c                            |    2 +-
 drivers/net/ppp/ppp_generic.c                    |    4 +-
 drivers/net/slip/slhc.c                          |    2 +-
 drivers/net/team/team.c                          |    2 +-
 drivers/net/tun.c                                |    5 +-
 drivers/net/usb/hso.c                            |   23 +-
 drivers/net/vxlan.c                              |    2 +-
 drivers/net/wireless/at76c50x-usb.c              |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c      |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c      |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h              |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c         |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c       |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c        |    4 +-
 drivers/net/wireless/mac80211_hwsim.c            |   32 +-
 drivers/net/wireless/rndis_wlan.c                |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h             |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c        |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c            |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c            |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c            |    6 +-
 drivers/oprofile/buffer_sync.c                   |    8 +-
 drivers/oprofile/event_buffer.c                  |    2 +-
 drivers/oprofile/oprof.c                         |    2 +-
 drivers/oprofile/oprofile_files.c                |    2 +-
 drivers/oprofile/oprofile_stats.c                |   10 +-
 drivers/oprofile/oprofile_stats.h                |   10 +-
 drivers/oprofile/oprofilefs.c                    |    2 +-
 drivers/oprofile/timer_int.c                     |    2 +-
 drivers/parport/procfs.c                         |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c             |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c              |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c               |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c           |    6 +-
 drivers/pci/hotplug/pciehp_core.c                |    2 +-
 drivers/pci/pci-sysfs.c                          |    6 +-
 drivers/pci/pci.h                                |    2 +-
 drivers/pci/pcie/aspm.c                          |    6 +-
 drivers/pci/probe.c                              |    2 +-
 drivers/platform/x86/msi-laptop.c                |   14 +-
 drivers/platform/x86/sony-laptop.c               |    2 +-
 drivers/platform/x86/thinkpad_acpi.c             |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                  |   14 +-
 drivers/pnp/resource.c                           |    4 +-
 drivers/power/pda_power.c                        |    7 +-
 drivers/power/power_supply.h                     |    4 +-
 drivers/power/power_supply_core.c                |    7 +-
 drivers/power/power_supply_sysfs.c               |    6 +-
 drivers/regulator/max8660.c                      |    6 +-
 drivers/regulator/max8973-regulator.c            |    8 +-
 drivers/regulator/mc13892-regulator.c            |    6 +-
 drivers/rtc/rtc-cmos.c                           |    4 +-
 drivers/rtc/rtc-ds1307.c                         |    2 +-
 drivers/rtc/rtc-m48t59.c                         |    4 +-
 drivers/scsi/bfa/bfa_fcpim.h                     |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                       |    4 +-
 drivers/scsi/hosts.c                             |    4 +-
 drivers/scsi/hpsa.c                              |   30 +-
 drivers/scsi/hpsa.h                              |    2 +-
 drivers/scsi/libfc/fc_exch.c                     |   50 +-
 drivers/scsi/libsas/sas_ata.c                    |    2 +-
 drivers/scsi/lpfc/lpfc.h                         |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                 |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                    |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                    |   16 +-
 drivers/scsi/pmcraid.c                           |   20 +-
 drivers/scsi/pmcraid.h                           |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                  |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                   |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                    |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                   |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                    |    6 +-
 drivers/scsi/scsi.c                              |    2 +-
 drivers/scsi/scsi_lib.c                          |    6 +-
 drivers/scsi/scsi_sysfs.c                        |    2 +-
 drivers/scsi/scsi_tgt_lib.c                      |    2 +-
 drivers/scsi/scsi_transport_fc.c                 |    8 +-
 drivers/scsi/scsi_transport_iscsi.c              |    6 +-
 drivers/scsi/scsi_transport_srp.c                |    6 +-
 drivers/scsi/sd.c                                |    2 +-
 drivers/scsi/sg.c                                |    2 +-
 drivers/spi/spi.c                                |    2 +-
 drivers/staging/iio/iio_hwmon.c                  |    2 +-
 drivers/staging/octeon/ethernet-rx.c             |   12 +-
 drivers/staging/octeon/ethernet.c                |    8 +-
 drivers/staging/rtl8712/rtl871x_io.h             |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c               |    2 +-
 drivers/staging/usbip/vhci.h                     |    2 +-
 drivers/staging/usbip/vhci_hcd.c                 |    6 +-
 drivers/staging/usbip/vhci_rx.c                  |    2 +-
 drivers/staging/vt6655/hostap.c                  |    7 +-
 drivers/staging/vt6656/hostap.c                  |    7 +-
 drivers/staging/zcache/tmem.c                    |    4 +-
 drivers/staging/zcache/tmem.h                    |    2 +
 drivers/target/target_core_device.c              |    2 +-
 drivers/target/target_core_transport.c           |    2 +-
 drivers/tty/cyclades.c                           |    6 +-
 drivers/tty/hvc/hvc_console.c                    |   14 +-
 drivers/tty/hvc/hvcs.c                           |   21 +-
 drivers/tty/ipwireless/tty.c                     |   27 +-
 drivers/tty/moxa.c                               |    2 +-
 drivers/tty/n_gsm.c                              |    4 +-
 drivers/tty/n_tty.c                              |    3 +-
 drivers/tty/pty.c                                |    4 +-
 drivers/tty/rocket.c                             |    6 +-
 drivers/tty/serial/kgdboc.c                      |   32 +-
 drivers/tty/serial/samsung.c                     |    9 +-
 drivers/tty/serial/serial_core.c                 |    8 +-
 drivers/tty/synclink.c                           |   34 +-
 drivers/tty/synclink_gt.c                        |   28 +-
 drivers/tty/synclinkmp.c                         |   34 +-
 drivers/tty/tty_io.c                             |    2 +-
 drivers/tty/tty_ldisc.c                          |   10 +-
 drivers/tty/tty_port.c                           |   22 +-
 drivers/uio/uio.c                                |   21 +-
 drivers/usb/atm/cxacru.c                         |    2 +-
 drivers/usb/atm/usbatm.c                         |   24 +-
 drivers/usb/core/devices.c                       |    6 +-
 drivers/usb/core/hcd.c                           |    4 +-
 drivers/usb/core/message.c                       |    2 +-
 drivers/usb/core/sysfs.c                         |    2 +-
 drivers/usb/core/usb.c                           |    2 +-
 drivers/usb/early/ehci-dbgp.c                    |   16 +-
 drivers/usb/gadget/u_serial.c                    |   22 +-
 drivers/usb/serial/console.c                     |    6 +-
 drivers/usb/storage/usb.h                        |    2 +-
 drivers/usb/wusbcore/wa-hc.h                     |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                   |    2 +-
 drivers/video/aty/aty128fb.c                     |    2 +-
 drivers/video/aty/atyfb_base.c                   |    8 +-
 drivers/video/aty/mach64_cursor.c                |    5 +-
 drivers/video/backlight/kb3886_bl.c              |    2 +-
 drivers/video/fb_defio.c                         |    6 +-
 drivers/video/fbcmap.c                           |    3 +-
 drivers/video/fbmem.c                            |    6 +-
 drivers/video/i810/i810_accel.c                  |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c          |   16 +-
 drivers/video/nvidia/nvidia.c                    |   27 +-
 drivers/video/s1d13xxxfb.c                       |    6 +-
 drivers/video/smscufx.c                          |    4 +-
 drivers/video/udlfb.c                            |   36 +-
 drivers/video/uvesafb.c                          |   53 +-
 drivers/video/vesafb.c                           |   58 +-
 drivers/video/via/via_clock.h                    |    2 +-
 fs/9p/vfs_inode.c                                |    2 +-
 fs/Kconfig.binfmt                                |    2 +-
 fs/aio.c                                         |   11 +-
 fs/autofs4/waitq.c                               |    2 +-
 fs/befs/endian.h                                 |    4 +-
 fs/befs/linuxvfs.c                               |    2 +-
 fs/binfmt_aout.c                                 |   23 +-
 fs/binfmt_elf.c                                  |  605 +++-
 fs/binfmt_flat.c                                 |    6 +
 fs/bio.c                                         |    6 +-
 fs/block_dev.c                                   |    2 +-
 fs/btrfs/ctree.c                                 |    9 +-
 fs/btrfs/super.c                                 |    2 +-
 fs/cachefiles/bind.c                             |    6 +-
 fs/cachefiles/daemon.c                           |    8 +-
 fs/cachefiles/internal.h                         |   12 +-
 fs/cachefiles/namei.c                            |    2 +-
 fs/cachefiles/proc.c                             |   12 +-
 fs/cachefiles/rdwr.c                             |    2 +-
 fs/ceph/dir.c                                    |    2 +-
 fs/cifs/cifs_debug.c                             |   12 +-
 fs/cifs/cifsfs.c                                 |    8 +-
 fs/cifs/cifsglob.h                               |   54 +-
 fs/cifs/link.c                                   |    2 +-
 fs/cifs/misc.c                                   |    4 +-
 fs/cifs/smb1ops.c                                |   80 +-
 fs/cifs/smb2ops.c                                |   84 +-
 fs/cifs/smb2pdu.c                                |    3 +-
 fs/coda/cache.c                                  |   10 +-
 fs/compat.c                                      |    6 +-
 fs/compat_binfmt_elf.c                           |    2 +
 fs/compat_ioctl.c                                |    8 +-
 fs/configfs/dir.c                                |   10 +-
 fs/coredump.c                                    |   24 +-
 fs/dcache.c                                      |    2 +-
 fs/ecryptfs/inode.c                              |    4 +-
 fs/ecryptfs/miscdev.c                            |    2 +-
 fs/ecryptfs/read_write.c                         |    2 +-
 fs/exec.c                                        |  362 ++-
 fs/ext4/ext4.h                                   |   20 +-
 fs/ext4/mballoc.c                                |   44 +-
 fs/ext4/super.c                                  |    2 +-
 fs/fhandle.c                                     |    3 +-
 fs/fifo.c                                        |   22 +-
 fs/fs_struct.c                                   |    8 +-
 fs/fscache/cookie.c                              |   36 +-
 fs/fscache/internal.h                            |  196 +-
 fs/fscache/object.c                              |   28 +-
 fs/fscache/operation.c                           |   30 +-
 fs/fscache/page.c                                |  110 +-
 fs/fscache/stats.c                               |  344 +-
 fs/fuse/cuse.c                                   |   10 +-
 fs/fuse/dev.c                                    |    2 +-
 fs/fuse/dir.c                                    |    2 +-
 fs/gfs2/inode.c                                  |    2 +-
 fs/hugetlbfs/inode.c                             |   13 +-
 fs/inode.c                                       |    4 +-
 fs/jffs2/erase.c                                 |    3 +-
 fs/jffs2/wbuf.c                                  |    3 +-
 fs/jfs/super.c                                   |    6 +-
 fs/libfs.c                                       |   10 +-
 fs/lockd/clntproc.c                              |    4 +-
 fs/locks.c                                       |    8 +-
 fs/namei.c                                       |   15 +-
 fs/namespace.c                                   |    2 +-
 fs/nfs/callback_xdr.c                            |    2 +-
 fs/nfs/inode.c                                   |    6 +-
 fs/nfsd/nfs4proc.c                               |    2 +-
 fs/nfsd/nfs4xdr.c                                |    6 +-
 fs/nfsd/nfscache.c                               |    8 +-
 fs/nfsd/vfs.c                                    |    6 +-
 fs/nls/nls_base.c                                |   18 +-
 fs/nls/nls_euc-jp.c                              |    6 +-
 fs/nls/nls_koi8-ru.c                             |    6 +-
 fs/notify/fanotify/fanotify_user.c               |    4 +-
 fs/notify/notification.c                         |    4 +-
 fs/ntfs/dir.c                                    |    2 +-
 fs/ntfs/file.c                                   |    4 +-
 fs/ocfs2/localalloc.c                            |    2 +-
 fs/ocfs2/ocfs2.h                                 |   10 +-
 fs/ocfs2/suballoc.c                              |   12 +-
 fs/ocfs2/super.c                                 |   20 +-
 fs/pipe.c                                        |   33 +-
 fs/proc/array.c                                  |   20 +
 fs/proc/base.c                                   |    4 +-
 fs/proc/kcore.c                                  |   32 +-
 fs/proc/meminfo.c                                |    2 +-
 fs/proc/nommu.c                                  |    2 +-
 fs/proc/proc_sysctl.c                            |   18 +-
 fs/proc/self.c                                   |    2 +-
 fs/proc/task_mmu.c                               |   39 +-
 fs/proc/task_nommu.c                             |    4 +-
 fs/qnx6/qnx6.h                                   |    4 +-
 fs/quota/netlink.c                               |    4 +-
 fs/readdir.c                                     |    2 +-
 fs/reiserfs/do_balan.c                           |    2 +-
 fs/reiserfs/procfs.c                             |    2 +-
 fs/reiserfs/reiserfs.h                           |    4 +-
 fs/seq_file.c                                    |    2 +-
 fs/splice.c                                      |   36 +-
 fs/sysfs/bin.c                                   |    6 +-
 fs/sysfs/dir.c                                   |    2 +-
 fs/sysfs/file.c                                  |   10 +-
 fs/sysfs/symlink.c                               |    2 +-
 fs/sysv/sysv.h                                   |    2 +-
 fs/ubifs/io.c                                    |    2 +-
 fs/udf/misc.c                                    |    2 +-
 fs/ufs/swab.h                                    |    4 +-
 fs/xattr.c                                       |   21 +
 fs/xattr_acl.c                                   |    4 +-
 fs/xfs/xfs_bmap.c                                |    2 +-
 fs/xfs/xfs_dir2_sf.c                             |   10 +-
 fs/xfs/xfs_ioctl.c                               |    2 +-
 fs/xfs/xfs_iops.c                                |    2 +-
 include/asm-generic/4level-fixup.h               |    2 +
 include/asm-generic/atomic-long.h                |  210 +
 include/asm-generic/atomic.h                     |    2 +-
 include/asm-generic/atomic64.h                   |   12 +
 include/asm-generic/cache.h                      |    4 +-
 include/asm-generic/emergency-restart.h          |    2 +-
 include/asm-generic/kmap_types.h                 |    4 +-
 include/asm-generic/local.h                      |   13 +
 include/asm-generic/pgtable-nopmd.h              |   18 +-
 include/asm-generic/pgtable-nopud.h              |   15 +-
 include/asm-generic/pgtable.h                    |    8 +
 include/asm-generic/vmlinux.lds.h                |   10 +-
 include/crypto/algapi.h                          |    2 +-
 include/drm/drmP.h                               |   17 +-
 include/drm/drm_crtc_helper.h                    |    2 +-
 include/drm/ttm/ttm_memory.h                     |    2 +-
 include/keys/asymmetric-subtype.h                |    2 +-
 include/linux/atmdev.h                           |    4 +-
 include/linux/binfmts.h                          |    3 +-
 include/linux/blkdev.h                           |    2 +-
 include/linux/blktrace_api.h                     |    2 +-
 include/linux/cache.h                            |    4 +
 include/linux/cdrom.h                            |    1 -
 include/linux/cleancache.h                       |    2 +-
 include/linux/compat.h                           |    6 +-
 include/linux/compiler-gcc4.h                    |   20 +
 include/linux/compiler.h                         |   65 +-
 include/linux/completion.h                       |    6 +-
 include/linux/configfs.h                         |    2 +-
 include/linux/cpu.h                              |    2 +-
 include/linux/cpufreq.h                          |    3 +-
 include/linux/cpuidle.h                          |    5 +-
 include/linux/cpumask.h                          |   12 +-
 include/linux/crypto.h                           |    6 +-
 include/linux/ctype.h                            |    2 +-
 include/linux/decompress/mm.h                    |    2 +-
 include/linux/devfreq.h                          |    2 +-
 include/linux/device.h                           |    7 +-
 include/linux/dma-mapping.h                      |    2 +-
 include/linux/dmaengine.h                        |    4 +-
 include/linux/efi.h                              |    1 +
 include/linux/elf.h                              |    2 +
 include/linux/err.h                              |    4 +-
 include/linux/extcon.h                           |    2 +-
 include/linux/fb.h                               |    2 +-
 include/linux/filter.h                           |    4 +
 include/linux/frontswap.h                        |    2 +-
 include/linux/fs.h                               |    3 +-
 include/linux/fs_struct.h                        |    2 +-
 include/linux/fscache-cache.h                    |    4 +-
 include/linux/fscache.h                          |    2 +-
 include/linux/fsnotify.h                         |    2 +-
 include/linux/ftrace_event.h                     |    2 +-
 include/linux/genhd.h                            |    2 +-
 include/linux/genl_magic_func.h                  |    2 +-
 include/linux/gfp.h                              |   12 +-
 include/linux/highmem.h                          |   12 +
 include/linux/hwmon-sysfs.h                      |    5 +-
 include/linux/i2c.h                              |    1 +
 include/linux/i2o.h                              |    2 +-
 include/linux/if_pppox.h                         |    2 +-
 include/linux/init.h                             |   33 +-
 include/linux/init_task.h                        |    7 +
 include/linux/interrupt.h                        |    8 +-
 include/linux/iommu.h                            |    2 +-
 include/linux/ioport.h                           |    2 +-
 include/linux/irq.h                              |    3 +-
 include/linux/irqchip/arm-gic.h                  |    2 +-
 include/linux/key-type.h                         |    2 +-
 include/linux/kgdb.h                             |    6 +-
 include/linux/kobject.h                          |    3 +-
 include/linux/kobject_ns.h                       |    2 +-
 include/linux/kref.h                             |    2 +-
 include/linux/kvm_host.h                         |    4 +-
 include/linux/libata.h                           |    2 +-
 include/linux/list.h                             |   15 +
 include/linux/math64.h                           |    6 +-
 include/linux/mm.h                               |  110 +-
 include/linux/mm_types.h                         |   20 +
 include/linux/mmiotrace.h                        |    4 +-
 include/linux/mmzone.h                           |    2 +-
 include/linux/mod_devicetable.h                  |    6 +-
 include/linux/module.h                           |   60 +-
 include/linux/moduleloader.h                     |   16 +
 include/linux/moduleparam.h                      |    4 +-
 include/linux/namei.h                            |    6 +-
 include/linux/net.h                              |    2 +-
 include/linux/netdevice.h                        |    3 +-
 include/linux/netfilter.h                        |    2 +-
 include/linux/netfilter/ipset/ip_set.h           |    2 +-
 include/linux/netfilter/nfnetlink.h              |    2 +-
 include/linux/nls.h                              |    2 +-
 include/linux/notifier.h                         |    3 +-
 include/linux/oprofile.h                         |    4 +-
 include/linux/pci_hotplug.h                      |    3 +-
 include/linux/perf_event.h                       |   12 +-
 include/linux/pipe_fs_i.h                        |    6 +-
 include/linux/platform_data/usb-ehci-s5p.h       |    2 +-
 include/linux/platform_data/usb-exynos.h         |    2 +-
 include/linux/pm_domain.h                        |    2 +-
 include/linux/pm_runtime.h                       |    2 +-
 include/linux/pnp.h                              |    2 +-
 include/linux/poison.h                           |    4 +-
 include/linux/power/smartreflex.h                |    2 +-
 include/linux/ppp-comp.h                         |    2 +-
 include/linux/proc_fs.h                          |    2 +-
 include/linux/random.h                           |    5 +
 include/linux/rculist.h                          |   16 +
 include/linux/reboot.h                           |   14 +-
 include/linux/regset.h                           |    3 +-
 include/linux/relay.h                            |    2 +-
 include/linux/rio.h                              |    2 +-
 include/linux/rmap.h                             |    4 +-
 include/linux/sched.h                            |   67 +-
 include/linux/sched/sysctl.h                     |    1 +
 include/linux/seq_file.h                         |    1 +
 include/linux/skbuff.h                           |   12 +-
 include/linux/slab.h                             |   36 +-
 include/linux/slab_def.h                         |   33 +-
 include/linux/slob_def.h                         |    4 +-
 include/linux/slub_def.h                         |   10 +-
 include/linux/sock_diag.h                        |    2 +-
 include/linux/sonet.h                            |    2 +-
 include/linux/sunrpc/addr.h                      |    8 +-
 include/linux/sunrpc/clnt.h                      |    2 +-
 include/linux/sunrpc/svc.h                       |    2 +-
 include/linux/sunrpc/svc_rdma.h                  |   18 +-
 include/linux/sunrpc/svcauth.h                   |    2 +-
 include/linux/swiotlb.h                          |    3 +-
 include/linux/syscalls.h                         |    2 +-
 include/linux/syscore_ops.h                      |    2 +-
 include/linux/sysctl.h                           |    6 +-
 include/linux/sysfs.h                            |   10 +-
 include/linux/sysrq.h                            |    3 +-
 include/linux/thread_info.h                      |    7 +
 include/linux/tty.h                              |    4 +-
 include/linux/tty_driver.h                       |    2 +-
 include/linux/tty_ldisc.h                        |    2 +-
 include/linux/types.h                            |   16 +
 include/linux/uaccess.h                          |    6 +-
 include/linux/unaligned/access_ok.h              |   24 +-
 include/linux/usb.h                              |    4 +-
 include/linux/usb/renesas_usbhs.h                |    2 +-
 include/linux/vermagic.h                         |   21 +-
 include/linux/vmalloc.h                          |   11 +-
 include/linux/vmstat.h                           |   20 +-
 include/linux/xattr.h                            |    5 +-
 include/linux/zlib.h                             |    3 +-
 include/media/v4l2-dev.h                         |    2 +-
 include/media/v4l2-ioctl.h                       |    1 -
 include/net/9p/transport.h                       |    2 +-
 include/net/bluetooth/l2cap.h                    |    2 +-
 include/net/caif/cfctrl.h                        |    6 +-
 include/net/flow.h                               |    2 +-
 include/net/genetlink.h                          |    2 +-
 include/net/gro_cells.h                          |    2 +-
 include/net/inet_connection_sock.h               |    2 +-
 include/net/inetpeer.h                           |    8 +-
 include/net/ip.h                                 |    2 +-
 include/net/ip_fib.h                             |    2 +-
 include/net/ip_vs.h                              |    8 +-
 include/net/irda/ircomm_tty.h                    |    1 +
 include/net/iucv/af_iucv.h                       |    2 +-
 include/net/llc_c_ac.h                           |    2 +-
 include/net/llc_c_ev.h                           |    4 +-
 include/net/llc_c_st.h                           |    2 +-
 include/net/llc_s_ac.h                           |    2 +-
 include/net/llc_s_st.h                           |    2 +-
 include/net/mac80211.h                           |    2 +-
 include/net/neighbour.h                          |    2 +-
 include/net/net_namespace.h                      |   12 +-
 include/net/netdma.h                             |    2 +-
 include/net/netlink.h                            |    2 +-
 include/net/netns/conntrack.h                    |    6 +-
 include/net/netns/ipv4.h                         |    2 +-
 include/net/protocol.h                           |    4 +-
 include/net/rtnetlink.h                          |    2 +-
 include/net/sctp/sctp.h                          |    6 +-
 include/net/sctp/sm.h                            |    4 +-
 include/net/sctp/structs.h                       |    2 +-
 include/net/sock.h                               |    6 +-
 include/net/tcp.h                                |    8 +-
 include/net/xfrm.h                               |    8 +-
 include/rdma/iw_cm.h                             |    2 +-
 include/scsi/libfc.h                             |    3 +-
 include/scsi/scsi_device.h                       |    6 +-
 include/scsi/scsi_transport_fc.h                 |    3 +-
 include/sound/soc.h                              |    4 +-
 include/target/target_core_base.h                |    2 +-
 include/trace/events/irq.h                       |    4 +-
 include/uapi/linux/a.out.h                       |    8 +
 include/uapi/linux/byteorder/little_endian.h     |   28 +-
 include/uapi/linux/elf.h                         |   28 +
 include/uapi/linux/screen_info.h                 |    3 +-
 include/uapi/linux/swab.h                        |    6 +-
 include/uapi/linux/sysctl.h                      |    6 +-
 include/uapi/linux/xattr.h                       |    4 +
 include/video/udlfb.h                            |    8 +-
 include/video/uvesafb.h                          |    1 +
 init/Kconfig                                     |    2 +-
 init/Makefile                                    |    3 +
 init/do_mounts.c                                 |   14 +-
 init/do_mounts.h                                 |    8 +-
 init/do_mounts_initrd.c                          |   22 +-
 init/do_mounts_md.c                              |    6 +-
 init/init_task.c                                 |    4 +
 init/initramfs.c                                 |   40 +-
 init/main.c                                      |   77 +-
 ipc/ipc_sysctl.c                                 |   10 +-
 ipc/mq_sysctl.c                                  |    2 +-
 ipc/msg.c                                        |   11 +-
 ipc/sem.c                                        |   11 +-
 ipc/shm.c                                        |   17 +-
 kernel/acct.c                                    |    2 +-
 kernel/audit.c                                   |    8 +-
 kernel/auditsc.c                                 |    4 +-
 kernel/capability.c                              |    3 +
 kernel/compat.c                                  |   40 +-
 kernel/debug/debug_core.c                        |   16 +-
 kernel/debug/kdb/kdb_main.c                      |    4 +-
 kernel/events/core.c                             |   28 +-
 kernel/exit.c                                    |    4 +-
 kernel/fork.c                                    |  167 +-
 kernel/futex.c                                   |    9 +
 kernel/futex_compat.c                            |    2 +-
 kernel/gcov/base.c                               |    7 +-
 kernel/hrtimer.c                                 |    4 +-
 kernel/irq_work.c                                |    7 +-
 kernel/jump_label.c                              |    5 +
 kernel/kallsyms.c                                |   39 +-
 kernel/kexec.c                                   |    3 +-
 kernel/kmod.c                                    |    4 +-
 kernel/kprobes.c                                 |    8 +-
 kernel/ksysfs.c                                  |    2 +-
 kernel/lockdep.c                                 |    7 +-
 kernel/module.c                                  |  337 +-
 kernel/mutex-debug.c                             |   12 +-
 kernel/mutex-debug.h                             |    4 +-
 kernel/mutex.c                                   |    7 +-
 kernel/notifier.c                                |   17 +-
 kernel/panic.c                                   |    3 +-
 kernel/pid.c                                     |    2 +-
 kernel/pid_namespace.c                           |    2 +-
 kernel/posix-cpu-timers.c                        |    4 +-
 kernel/posix-timers.c                            |   20 +-
 kernel/power/process.c                           |   12 +-
 kernel/profile.c                                 |   14 +-
 kernel/ptrace.c                                  |    8 +-
 kernel/rcupdate.c                                |    4 +-
 kernel/rcutiny.c                                 |    4 +-
 kernel/rcutiny_plugin.h                          |    2 +-
 kernel/rcutorture.c                              |   56 +-
 kernel/rcutree.c                                 |   68 +-
 kernel/rcutree.h                                 |   24 +-
 kernel/rcutree_plugin.h                          |   20 +-
 kernel/rcutree_trace.c                           |   22 +-
 kernel/rtmutex-tester.c                          |   24 +-
 kernel/sched/auto_group.c                        |    4 +-
 kernel/sched/core.c                              |   51 +-
 kernel/sched/fair.c                              |    4 +-
 kernel/signal.c                                  |   12 +-
 kernel/smp.c                                     |    2 +-
 kernel/smpboot.c                                 |    4 +-
 kernel/softirq.c                                 |   18 +-
 kernel/srcu.c                                    |    4 +-
 kernel/sys.c                                     |   10 +-
 kernel/sysctl.c                                  |   39 +-
 kernel/time.c                                    |    2 +-
 kernel/time/alarmtimer.c                         |    2 +-
 kernel/time/tick-broadcast.c                     |    2 +-
 kernel/time/timer_stats.c                        |   10 +-
 kernel/timer.c                                   |    6 +-
 kernel/trace/blktrace.c                          |    6 +-
 kernel/trace/ftrace.c                            |   20 +-
 kernel/trace/ring_buffer.c                       |   76 +-
 kernel/trace/trace.c                             |    8 +-
 kernel/trace/trace.h                             |    2 +-
 kernel/trace/trace_events.c                      |   25 +-
 kernel/trace/trace_mmiotrace.c                   |    8 +-
 kernel/trace/trace_output.c                      |   12 +-
 kernel/trace/trace_stack.c                       |    2 +-
 kernel/user_namespace.c                          |    2 +-
 kernel/utsname_sysctl.c                          |    2 +-
 kernel/watchdog.c                                |    2 +-
 lib/Kconfig.debug                                |    6 +-
 lib/Makefile                                     |    2 +-
 lib/bitmap.c                                     |    8 +-
 lib/bug.c                                        |    2 +
 lib/debugobjects.c                               |    2 +-
 lib/devres.c                                     |    4 +-
 lib/div64.c                                      |    4 +-
 lib/dma-debug.c                                  |    4 +-
 lib/inflate.c                                    |    2 +-
 lib/ioremap.c                                    |    4 +-
 lib/kobject.c                                    |    4 +-
 lib/list_debug.c                                 |  126 +-
 lib/radix-tree.c                                 |    2 +-
 lib/strncpy_from_user.c                          |    2 +-
 lib/strnlen_user.c                               |    2 +-
 lib/swiotlb.c                                    |    2 +-
 lib/vsprintf.c                                   |   12 +-
 mm/Kconfig                                       |    6 +-
 mm/filemap.c                                     |    2 +-
 mm/fremap.c                                      |    5 +
 mm/highmem.c                                     |    7 +-
 mm/hugetlb.c                                     |   70 +-
 mm/internal.h                                    |    1 +
 mm/maccess.c                                     |    4 +-
 mm/madvise.c                                     |   41 +
 mm/memory-failure.c                              |   26 +-
 mm/memory.c                                      |  424 ++-
 mm/mempolicy.c                                   |   26 +
 mm/mlock.c                                       |   16 +-
 mm/mmap.c                                        |  576 ++-
 mm/mprotect.c                                    |  139 +-
 mm/mremap.c                                      |   44 +-
 mm/nommu.c                                       |   21 +-
 mm/page-writeback.c                              |    4 +-
 mm/page_alloc.c                                  |   41 +-
 mm/percpu.c                                      |    2 +-
 mm/process_vm_access.c                           |   14 +-
 mm/rmap.c                                        |   38 +-
 mm/shmem.c                                       |   19 +-
 mm/slab.c                                        |  105 +-
 mm/slab.h                                        |    5 +-
 mm/slab_common.c                                 |   11 +-
 mm/slob.c                                        |  201 +-
 mm/slub.c                                        |   99 +-
 mm/sparse-vmemmap.c                              |    4 +-
 mm/sparse.c                                      |    2 +-
 mm/swap.c                                        |    3 +
 mm/swapfile.c                                    |   12 +-
 mm/util.c                                        |    6 +
 mm/vmalloc.c                                     |   82 +-
 mm/vmstat.c                                      |   12 +-
 net/8021q/vlan.c                                 |    5 +-
 net/9p/mod.c                                     |    4 +-
 net/9p/trans_fd.c                                |    2 +-
 net/atm/atm_misc.c                               |    8 +-
 net/atm/lec.h                                    |    2 +-
 net/atm/proc.c                                   |    6 +-
 net/atm/resources.c                              |    4 +-
 net/ax25/sysctl_net_ax25.c                       |    2 +-
 net/batman-adv/bat_iv_ogm.c                      |    8 +-
 net/batman-adv/hard-interface.c                  |    4 +-
 net/batman-adv/soft-interface.c                  |    4 +-
 net/batman-adv/types.h                           |    6 +-
 net/batman-adv/unicast.c                         |    2 +-
 net/bluetooth/hci_sock.c                         |    2 +-
 net/bluetooth/l2cap_core.c                       |    6 +-
 net/bluetooth/l2cap_sock.c                       |   12 +-
 net/bluetooth/rfcomm/sock.c                      |    4 +-
 net/bluetooth/rfcomm/tty.c                       |   10 +-
 net/bridge/netfilter/ebtables.c                  |    6 +-
 net/caif/cfctrl.c                                |   11 +-
 net/can/af_can.c                                 |    2 +-
 net/can/gw.c                                     |    6 +-
 net/compat.c                                     |   34 +-
 net/core/datagram.c                              |    2 +-
 net/core/dev.c                                   |   16 +-
 net/core/flow.c                                  |    8 +-
 net/core/iovec.c                                 |    4 +-
 net/core/neighbour.c                             |    2 +-
 net/core/net-sysfs.c                             |    2 +-
 net/core/net_namespace.c                         |    8 +-
 net/core/rtnetlink.c                             |   13 +-
 net/core/scm.c                                   |    8 +-
 net/core/sock.c                                  |   24 +-
 net/core/sock_diag.c                             |    9 +-
 net/core/sysctl_net_core.c                       |   18 +-
 net/decnet/af_decnet.c                           |    1 +
 net/decnet/sysctl_net_decnet.c                   |    4 +-
 net/ipv4/af_inet.c                               |    8 +-
 net/ipv4/ah4.c                                   |    2 +-
 net/ipv4/devinet.c                               |   14 +-
 net/ipv4/esp4.c                                  |    2 +-
 net/ipv4/fib_frontend.c                          |    6 +-
 net/ipv4/fib_semantics.c                         |    2 +-
 net/ipv4/inet_connection_sock.c                  |    2 +-
 net/ipv4/inetpeer.c                              |    4 +-
 net/ipv4/ip_fragment.c                           |   15 +-
 net/ipv4/ip_gre.c                                |    6 +-
 net/ipv4/ip_sockglue.c                           |    2 +-
 net/ipv4/ip_vti.c                                |    4 +-
 net/ipv4/ipcomp.c                                |    2 +-
 net/ipv4/ipconfig.c                              |    6 +-
 net/ipv4/ipip.c                                  |    4 +-
 net/ipv4/netfilter/arp_tables.c                  |   12 +-
 net/ipv4/netfilter/ip_tables.c                   |   12 +-
 net/ipv4/ping.c                                  |    2 +-
 net/ipv4/raw.c                                   |   14 +-
 net/ipv4/route.c                                 |   18 +-
 net/ipv4/sysctl_net_ipv4.c                       |   45 +-
 net/ipv4/tcp_input.c                             |    2 +-
 net/ipv4/tcp_probe.c                             |    2 +-
 net/ipv4/udp.c                                   |   10 +-
 net/ipv4/xfrm4_policy.c                          |   14 +-
 net/ipv6/addrconf.c                              |    6 +-
 net/ipv6/icmp.c                                  |    2 +-
 net/ipv6/ip6_gre.c                               |    8 +-
 net/ipv6/ip6_tunnel.c                            |    4 +-
 net/ipv6/ipv6_sockglue.c                         |    2 +-
 net/ipv6/netfilter/ip6_tables.c                  |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c          |   14 +-
 net/ipv6/raw.c                                   |   19 +-
 net/ipv6/reassembly.c                            |   13 +-
 net/ipv6/route.c                                 |    2 +-
 net/ipv6/sit.c                                   |    4 +-
 net/ipv6/sysctl_net_ipv6.c                       |    2 +-
 net/ipv6/udp.c                                   |    8 +-
 net/ipv6/xfrm6_policy.c                          |   13 +-
 net/irda/ircomm/ircomm_tty.c                     |   18 +-
 net/iucv/af_iucv.c                               |    4 +-
 net/iucv/iucv.c                                  |    2 +-
 net/key/af_key.c                                 |    4 +-
 net/mac80211/cfg.c                               |    8 +-
 net/mac80211/ieee80211_i.h                       |    3 +-
 net/mac80211/iface.c                             |   14 +-
 net/mac80211/main.c                              |    2 +-
 net/mac80211/pm.c                                |    6 +-
 net/mac80211/rate.c                              |    2 +-
 net/mac80211/rc80211_pid_debugfs.c               |    2 +-
 net/mac80211/util.c                              |    2 +-
 net/netfilter/ipset/ip_set_core.c                |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                  |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                   |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                 |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                  |    4 +-
 net/netfilter/nf_conntrack_acct.c                |    2 +-
 net/netfilter/nf_conntrack_ecache.c              |    2 +-
 net/netfilter/nf_conntrack_helper.c              |    2 +-
 net/netfilter/nf_conntrack_proto.c               |    2 +-
 net/netfilter/nf_conntrack_standalone.c          |    2 +-
 net/netfilter/nf_conntrack_timestamp.c           |    2 +-
 net/netfilter/nf_log.c                           |   10 +-
 net/netfilter/nf_sockopt.c                       |    4 +-
 net/netfilter/nfnetlink_log.c                    |    4 +-
 net/netfilter/xt_statistic.c                     |    8 +-
 net/netlink/af_netlink.c                         |    4 +-
 net/netlink/genetlink.c                          |   16 +-
 net/packet/af_packet.c                           |   12 +-
 net/phonet/pep.c                                 |    6 +-
 net/phonet/socket.c                              |    2 +-
 net/phonet/sysctl.c                              |    2 +-
 net/rds/cong.c                                   |    6 +-
 net/rds/ib.h                                     |    2 +-
 net/rds/ib_cm.c                                  |    2 +-
 net/rds/ib_recv.c                                |    4 +-
 net/rds/iw.h                                     |    2 +-
 net/rds/iw_cm.c                                  |    2 +-
 net/rds/iw_recv.c                                |    4 +-
 net/rds/rds.h                                    |    2 +-
 net/rds/tcp.c                                    |    2 +-
 net/rds/tcp_send.c                               |    2 +-
 net/rxrpc/af_rxrpc.c                             |    2 +-
 net/rxrpc/ar-ack.c                               |   14 +-
 net/rxrpc/ar-call.c                              |    2 +-
 net/rxrpc/ar-connection.c                        |    2 +-
 net/rxrpc/ar-connevent.c                         |    2 +-
 net/rxrpc/ar-input.c                             |    4 +-
 net/rxrpc/ar-internal.h                          |    8 +-
 net/rxrpc/ar-local.c                             |    2 +-
 net/rxrpc/ar-output.c                            |    4 +-
 net/rxrpc/ar-peer.c                              |    2 +-
 net/rxrpc/ar-proc.c                              |    4 +-
 net/rxrpc/ar-transport.c                         |    2 +-
 net/rxrpc/rxkad.c                                |    4 +-
 net/sctp/ipv6.c                                  |    6 +-
 net/sctp/protocol.c                              |   10 +-
 net/sctp/sm_sideeffect.c                         |    2 +-
 net/sctp/socket.c                                |   21 +-
 net/sctp/sysctl.c                                |    4 +-
 net/socket.c                                     |   18 +-
 net/sunrpc/clnt.c                                |    4 +-
 net/sunrpc/sched.c                               |    4 +-
 net/sunrpc/svc.c                                 |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                   |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c          |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c            |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c         |   10 +-
 net/tipc/link.c                                  |    6 +-
 net/tipc/msg.c                                   |    2 +-
 net/tipc/subscr.c                                |    2 +-
 net/unix/sysctl_net_unix.c                       |    2 +-
 net/wireless/wext-core.c                         |   19 +-
 net/xfrm/xfrm_policy.c                           |   27 +-
 net/xfrm/xfrm_state.c                            |   29 +-
 net/xfrm/xfrm_sysctl.c                           |    2 +-
 scripts/Makefile.build                           |    2 +-
 scripts/Makefile.clean                           |    3 +-
 scripts/Makefile.host                            |   28 +-
 scripts/basic/fixdep.c                           |   12 +-
 scripts/gcc-plugin.sh                            |   17 +
 scripts/headers_install.pl                       |    1 +
 scripts/link-vmlinux.sh                          |    2 +-
 scripts/mod/file2alias.c                         |   14 +-
 scripts/mod/modpost.c                            |   25 +-
 scripts/mod/modpost.h                            |    6 +-
 scripts/mod/sumversion.c                         |    2 +-
 scripts/package/builddeb                         |    1 +
 scripts/pnmtologo.c                              |    6 +-
 scripts/sortextable.h                            |    6 +-
 security/Kconfig                                 |  675 +++-
 security/apparmor/lsm.c                          |    2 +-
 security/integrity/ima/ima.h                     |    4 +-
 security/integrity/ima/ima_api.c                 |    2 +-
 security/integrity/ima/ima_fs.c                  |    4 +-
 security/integrity/ima/ima_queue.c               |    2 +-
 security/keys/compat.c                           |    2 +-
 security/keys/key.c                              |   18 +-
 security/keys/keyctl.c                           |    8 +-
 security/keys/keyring.c                          |    6 +-
 security/security.c                              |    9 +-
 security/selinux/hooks.c                         |    2 +-
 security/selinux/include/xfrm.h                  |    2 +-
 security/smack/smack_lsm.c                       |    2 +-
 security/tomoyo/tomoyo.c                         |    2 +-
 security/yama/yama_lsm.c                         |   22 +-
 sound/aoa/codecs/onyx.c                          |    7 +-
 sound/aoa/codecs/onyx.h                          |    1 +
 sound/core/oss/pcm_oss.c                         |   18 +-
 sound/core/pcm_compat.c                          |    2 +-
 sound/core/pcm_native.c                          |    4 +-
 sound/core/seq/seq_device.c                      |    8 +-
 sound/drivers/mts64.c                            |   14 +-
 sound/drivers/opl4/opl4_lib.c                    |    2 +-
 sound/drivers/portman2x4.c                       |    3 +-
 sound/firewire/amdtp.c                           |    4 +-
 sound/firewire/amdtp.h                           |    2 +-
 sound/firewire/isight.c                          |   10 +-
 sound/firewire/scs1x.c                           |    8 +-
 sound/oss/sb_audio.c                             |    2 +-
 sound/oss/swarm_cs4297a.c                        |    6 +-
 sound/pci/ymfpci/ymfpci.h                        |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                   |   12 +-
 tools/gcc/.gitignore                             |    1 +
 tools/gcc/Makefile                               |   45 +
 tools/gcc/checker_plugin.c                       |  171 +
 tools/gcc/colorize_plugin.c                      |  151 +
 tools/gcc/constify_plugin.c                      |  518 ++
 tools/gcc/generate_size_overflow_hash.sh         |   94 +
 tools/gcc/kallocstat_plugin.c                    |  170 +
 tools/gcc/kernexec_plugin.c                      |  465 ++
 tools/gcc/latent_entropy_plugin.c                |  327 ++
 tools/gcc/size_overflow_hash.data                | 5876 ++++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                 | 2114 ++++++++
 tools/gcc/stackleak_plugin.c                     |  327 ++
 tools/gcc/structleak_plugin.c                    |  276 +
 tools/perf/util/include/asm/alternative-asm.h    |    3 +
 tools/perf/util/include/linux/compiler.h         |    8 +
 virt/kvm/kvm_main.c                              |   32 +-
 1555 files changed, 30474 insertions(+), 7126 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
Merge: 814820a 3a59a59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:51:18 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:50:07 2013 -0400

    Update to pax-linux-3.8.13-test24.patch:
    - fixed sparc/constification compile error, reported by blake
    - UDEREF/amd64 should be a bit more efficient when disabled at boot time
    - fixed some unnecessary integer truncations that could trip up the size overflow plugin

 arch/arm/kernel/vmlinux.lds.S       |    4 ++--
 arch/sparc/kernel/us3_cpufreq.c     |    4 ++--
 arch/x86/ia32/ia32entry.S           |    4 ++--
 arch/x86/include/asm/pgtable.h      |    6 ++++--
 arch/x86/include/asm/uaccess.h      |    6 +++---
 arch/x86/kernel/kprobes-opt.c       |    4 ++++
 arch/x86/lib/copy_user_nocache_64.S |    2 +-
 arch/x86/lib/getuser.S              |    8 ++++----
 arch/x86/lib/putuser.S              |    8 ++++----
 arch/x86/mm/fault.c                 |    6 +++---
 drivers/net/slip/slhc.c             |    2 +-
 drivers/staging/iio/ring_sw.c       |    2 +-
 fs/binfmt_elf.c                     |    6 +++---
 fs/nfsd/nfscache.c                  |    2 +-
 fs/xattr.c                          |   21 +++++++++++++++++++++
 include/linux/syscalls.h            |    2 +-
 include/linux/xattr.h               |    3 +++
 init/main.c                         |    3 +++
 kernel/futex_compat.c               |    2 +-
 kernel/trace/trace.h                |    2 +-
 net/socket.c                        |    2 +-
 security/Kconfig                    |    2 +-
 22 files changed, 67 insertions(+), 34 deletions(-)

commit 814820abfe5b9a34401d838b2510431a4cd92be9
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 09:31:17 2013 +0000

    Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
    
    tipc: potential divide by zero in tipc_link_recv_fragment()
    
    The worry here is that fragm_sz could be zero since it comes from
    skb->data.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/link.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 08:28:41 2013 +0000

    Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
    
    tipc: add a bounds check in link_recv_changeover_msg()
    
    The bearer_id here comes from skb->data and it can be a number from 0 to
    7.  The problem is that the ->links[] array has only 2 elements so I
    have added a range check.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/link.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit ed0428c4ef6c5498870772f212ac651216eb8d0c
Merge: 2452d8d dbf932a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:18:25 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/cpu/perf_event_intel_uncore.c
        arch/x86/mm/init.c

commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 20:24:01 2013 -0400

    compile fix

 grsecurity/gracl.c      |    1 +
 grsecurity/gracl_segv.c |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:25:26 2013 -0400

    fix btrfs support here as well

 grsecurity/gracl_segv.c |   17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

commit c75e4664fe4d20da1639f70d9def097c4f20856b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:12:57 2013 -0400

    Fix RBAC compatibility with btrfs compiled as a module, as
    reported on the forums by YuHg at:
    http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952

 fs/btrfs/inode.c            |   11 +----------
 grsecurity/gracl.c          |   19 ++++++++++---------
 grsecurity/gracl_segv.c     |    2 +-
 grsecurity/grsec_disabled.c |    2 +-
 4 files changed, 13 insertions(+), 21 deletions(-)

commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 11 12:12:00 2013 -0400

    allow copies just up to the start of kernel code

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 04638852588cf243f865f5a73aa9dab94fab53b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:53:07 2013 -0400

    MODULES_EXEC_VADDR is a virtual address

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:51:03 2013 -0400

    exempt module rx areas from usercopy protection under i386 kernexec
    their .rodata will be placed between stext/etext causing copies of
    constant strings to trigger usercopy reports/terminations

 fs/exec.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 20:25:52 2013 -0400

    User jorgus on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
    discovered that the upstreamed version of enforcing RLIMIT_NPROC
    at setuid/exec time missed an important corner case:
    If RLIMIT_NPROC is set after a setuid occurs and the user's process
    limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
    happen at exec time for the task with a modified RLIMIT_NPROC.
    
    This patch fixes that.

 kernel/sys.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
Merge: 539fff0 2452d8d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 18:13:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
Merge: 6c850d8 9c9ab76
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 18:13:31 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/irq.c
        kernel/trace/trace_stack.c

commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:43:00 2013 -0400

    turn counter into a flag

 grsecurity/Kconfig        |    2 +-
 grsecurity/grsec_chroot.c |    8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:02:39 2013 -0400

    add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
    useful for Fedora/RHEL users

 grsecurity/Kconfig        |   10 ++++++++++
 grsecurity/grsec_chroot.c |   17 +++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

commit 418102925c0cfb0de51b0a021abaa575e28fafa6
Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
Date:   Fri May 3 14:11:25 2013 +0200

    Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
    
    perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
    
    We should always have proper privileges when requesting kernel
    data.
    
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@kernel.org>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: eranian@google.com
    Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
    [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org

 arch/x86/kernel/cpu/perf_event_intel_lbr.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Apr 29 05:58:52 2013 +0000

    Upstream commit: aebda156a570782a86fc4426842152237a19427d
    
    net: defer net_secret[] initialization
    
    Instead of feeding net_secret[] at boot time, defer the init
    at the point first socket is created.
    
    This permits some platforms to use better entropy sources than
    the ones available at boot time.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/secure_seq.h |    1 +
 net/core/secure_seq.c    |    4 +---
 net/ipv4/af_inet.c       |    5 ++++-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed May 1 02:59:23 2013 +0000

    Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
    
    net: sctp: attribute printl with __printf for gcc fmt checks
    
    Let GCC check for format string errors in sctp's probe printl
    function. This patch fixes the warning when compiled with W=1:
    
    net/sctp/probe.c:73:2: warning: function might be possible candidate
    for 'gnu_printf' format attribute [-Wmissing-format-attribute]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/probe.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:58:54 2013 -0400

    remove no-longer-needed vmware 8 compat fix

 mm/page_alloc.c |    6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:55:23 2013 -0400

    remove unnecessary < 0 check

 net/phonet/af_phonet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:30:48 2013 -0400

    remove references to CONFIG_X86_WP_WORKS_OK

 arch/um/defconfig |    1 -
 security/Kconfig  |    2 +-
 2 files changed, 1 insertions(+), 2 deletions(-)

commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
Merge: a8dbe8e 6c850d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:28:44 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/mm/ultra.S
        drivers/tty/tty_io.c

commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
Merge: cdbcbef 9fa1d01
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:25:18 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:44:23 2013 -0400

    add module.h to silence compiler warning, thanks to
    Sergei Trofimovich

 fs/btrfs/inode.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 55eba82aca97aa56378e000840c48965557721e8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:43:03 2013 -0400

    compilation fix

 kernel/trace/trace.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e3bf912b54af6df7fbebc68b5999554562056c5c
Merge: 5b72e37 cdbcbef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:34:42 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit cdbcbef45c4f003cbee11e10668a35d424c17c60
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:33:35 2013 -0400

    Update to pax-linux-3.8.10-test21.patch:
    - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
    - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
      note that the false positive is not fixed yet
    - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
    - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
    - reverted the nested NMI fix in search for a real one
    - simplified the arm_delay_ops constification

 arch/arm/include/asm/delay.h     |    8 ++++----
 arch/arm/lib/delay.c             |   17 +++++------------
 arch/x86/kernel/entry_64.S       |   11 ++++++++++-
 arch/x86/kernel/i8259.c          |    2 +-
 arch/x86/kernel/pci-calgary_64.c |    2 +-
 arch/x86/kvm/vmx.c               |    4 ++--
 drivers/block/pktcdvd.c          |    2 +-
 fs/btrfs/extent-tree.c           |    2 +-
 fs/nfsd/nfscache.c               |    6 ++++--
 kernel/trace/trace.c             |    2 +-
 tools/gcc/structleak_plugin.c    |    4 ++++
 11 files changed, 34 insertions(+), 26 deletions(-)

commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 20:53:06 2013 -0400

    don't use file_inode()

 drivers/tty/tty_io.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Apr 26 13:48:53 2013 +0200

    Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
    
    TTY: fix atime/mtime regression
    
    In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
    we removed timestamps from tty inodes to fix a security issue and waited
    if something breaks.  Well, 'w', the utility to find out logged users
    and their inactivity time broke.  It shows that users are inactive since
    the time they logged in.
    
    To revert to the old behaviour while still preventing attackers to
    guess the password length, we update the timestamps in one-minute
    intervals by this patch.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        drivers/tty/tty_io.c

 drivers/tty/tty_io.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Feb 15 15:25:05 2013 +0100

    Upstream commit: b0de59b5733d
    
    TTY: do not update atime/mtime on read/write
    
    On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
    out length of a password using timestamps of /dev/ptmx. It is
    documented in "Timing Analysis of Keystrokes and Timing Attacks on
    SSH". To avoid that problem, do not update time when reading
    from/writing to a TTY.
    
    I am afraid of regressions as this is a behavior we have since 0.97
    and apps may expect the time to be current, e.g. for monitoring
    whether there was a change on the TTY. Now, there is no change. So
    this would better have a lot of testing before it goes upstream.
    
    References: CVE-2013-0160
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: stable <stable@vger.kernel.org> # after 3.9 is out
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_io.c |    8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit 5344a24e2320d61dbdb88aae04922f0799deefd0
Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
Date:   Fri Apr 26 11:03:53 2013 +0800

    Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
    
    aio: fix possible invalid memory access when DEBUG is enabled
    
    dprintk() shouldn't access @ring after it's unmapped.
    
    Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/aio.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
Author: John David Anglin <dave.anglin@bell.net>
Date:   Tue Apr 23 22:42:07 2013 +0200

    Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
    
    parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
    
    User applications running on SMP kernels have long suffered from instability
    and random segmentation faults.  This patch improves the situation although
    there is more work to be done.
    
    One of the problems is the various routines in pgtable.h that update page table
    entries use different locking mechanisms, or no lock at all (set_pte_at).  This
    change modifies the routines to all use the same lock pa_dbit_lock.  This lock
    is used for dirty bit updates in the interruption code. The patch also purges
    the TLB entries associated with the PTE to ensure that inconsistent values are
    not used after the page table entry is updated.  The UP and SMP code are now
    identical.
    
    The change also includes a minor update to the purge_tlb_entries function in
    cache.c to improve its efficiency.
    
    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: Helge Deller <deller@gmx.de>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/include/asm/pgtable.h |   47 +++++++++++++++++++-----------------
 arch/parisc/kernel/cache.c        |    5 +---
 2 files changed, 26 insertions(+), 26 deletions(-)

commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
Merge: ba54c97 4d05084
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 18:17:20 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kvm/x86.c
        include/linux/capability.h

commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
Merge: c664779 bb8dd67
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 18:15:45 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Apr 24 16:52:18 2013 -0700

    Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
    
    sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
    
    Reported-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/tlb.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Apr 19 17:26:26 2013 -0400

    Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
    
    sparc64: Fix race in TLB batch processing.
    
    As reported by Dave Kleikamp, when we emit cross calls to do batched
    TLB flush processing we have a race because we do not synchronize on
    the sibling cpus completing the cross call.
    
    So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
    and either flushes are missed or flushes will flush the wrong
    addresses.
    
    Fix this by using generic infrastructure to synchonize on the
    completion of the cross call.
    
    This first required getting the flush_tlb_pending() call out from
    switch_to() which operates with locks held and interrupts disabled.
    The problem is that smp_call_function_many() cannot be invoked with
    IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
    
    We get the batch processing outside of locked IRQ disabled sections by
    using some ideas from the powerpc port. Namely, we only batch inside
    of arch_{enter,leave}_lazy_mmu_mode() calls.  If we're not in such a
    region, we flush TLBs synchronously.
    
    1) Get rid of xcall_flush_tlb_pending and per-cpu type
       implementations.
    
    2) Do TLB batch cross calls instead via:
    
        smp_call_function_many()
                tlb_pending_func()
                        __flush_tlb_pending()
    
    3) Batch only in lazy mmu sequences:
    
        a) Add 'active' member to struct tlb_batch
        b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
        c) Set 'active' in arch_enter_lazy_mmu_mode()
        d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
        e) Check 'active' in tlb_batch_add_one() and do a synchronous
               flush if it's clear.
    
    4) Add infrastructure for synchronous TLB page flushes.
    
        a) Implement __flush_tlb_page and per-cpu variants, patch
           as needed.
        b) Likewise for xcall_flush_tlb_page.
        c) Implement smp_flush_tlb_page() to invoke the cross-call.
        d) Wire up global_flush_tlb_page() to the right routine based
               upon CONFIG_SMP
    
    5) It turns out that singleton batches are very common, 2 out of every
       3 batch flushes have only a single entry in them.
    
       The batch flush waiting is very expensive, both because of the poll
       on sibling cpu completeion, as well as because passing the tlb batch
       pointer to the sibling cpus invokes a shared memory dereference.
    
       Therefore, in flush_tlb_pending(), if there is only one entry in
       the batch perform a completely asynchronous global_flush_tlb_page()
       instead.
    
    Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>

 arch/sparc/include/asm/pgtable_64.h   |    1 +
 arch/sparc/include/asm/switch_to_64.h |    3 +-
 arch/sparc/include/asm/tlbflush_64.h  |   37 +++++++++--
 arch/sparc/kernel/smp_64.c            |   41 ++++++++++-
 arch/sparc/mm/tlb.c                   |   38 +++++++++-
 arch/sparc/mm/tsb.c                   |   57 ++++++++++++----
 arch/sparc/mm/ultra.S                 |  119 ++++++++++++++++++++++++++-------
 7 files changed, 241 insertions(+), 55 deletions(-)

commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Apr 19 15:32:32 2013 +0000

    Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
    
    net: fix incorrect credentials passing
    
    Commit 257b5358b32f ("scm: Capture the full credentials of the scm
    sender") changed the credentials passing code to pass in the effective
    uid/gid instead of the real uid/gid.
    
    Obviously this doesn't matter most of the time (since normally they are
    the same), but it results in differences for suid binaries when the wrong
    uid/gid ends up being used.
    
    This just undoes that (presumably unintentional) part of the commit.
    
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Serge E. Hallyn <serge@hallyn.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/scm.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:22:40 2013 -0400

    move _etext to only cover kernel code, not read-only data, as reported by Gu1

 arch/arm/kernel/vmlinux.lds.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 98ad6adbc48759e4f9eae435d3e51ba487155685
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:17:24 2013 -0400

    add asm/sections.h for USERCOPY change

 fs/exec.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
Author: Dmitry Popov <dp@highloadlab.com>
Date:   Thu Apr 11 08:55:07 2013 +0000

    Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
    
    tcp: incoming connections might use wrong route under synflood
    
    There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
        flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
                           RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                           inet_sk_flowi_flags(sk),
                           (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
                           ireq->loc_addr, th->source, th->dest);
    
    Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
    taken. This dst_entry is used by new socket (get_cookie_sock ->
    tcp_v4_syn_recv_sock), so its packets may take the wrong path.
    
    Signed-off-by: Dmitry Popov <dp@highloadlab.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/syncookies.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 3600395e8fef3ae712e72f9b68c3609639616df8
Author: Thomas Graf <tgraf@suug.ch>
Date:   Thu Apr 11 10:57:18 2013 +0000

    Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
    
    tcp: Reallocate headroom if it would overflow csum_start
    
    If a TCP retransmission gets partially ACKed and collapsed multiple
    times it is possible for the headroom to grow beyond 64K which will
    overflow the 16bit skb->csum_start which is based on the start of
    the headroom. It has been observed rarely in the wild with IPoIB due
    to the 64K MTU.
    
    Verify if the acking and collapsing resulted in a headroom exceeding
    what csum_start can cover and reallocate the headroom if so.
    
    A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
    LLNL for helping out with the investigation and testing.
    
    Reported-by: Jim Foraker <foraker1@llnl.gov>
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_output.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
Author: Ivan Vecera <ivecera@redhat.com>
Date:   Fri Apr 12 16:49:24 2013 +0200

    Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
    
    be2net: take care of __vlan_put_tag return value
    
    The driver should use return value of __vlan_put_tag with appropriate
    NULL-check instead of old skb pointer.
    
    Signed-off-by: Ivan Vecera <ivecera@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/emulex/benet/be_main.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Fri Apr 12 03:17:12 2013 +0000

    Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
    
    tuntap: fix error return code in tun_set_iff()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    [ Bug added in linux-3.8 , commit 4008e97f866db665
      ("tuntap: fix ambigious multiqueue API") ]
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Sat Apr 13 15:49:03 2013 +0000

    Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
    
    esp4: fix error return code in esp_output()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 2b45b5f52c2a8930f80c62de392a62516c83e225
Author: Bjørn Mork <bjorn@mork.no>
Date:   Tue Apr 16 00:17:07 2013 +0000

    Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
    
    net: cdc_mbim: remove bogus sizeof()
    
    The intention was to test against the constant, not the size of
    the constant.
    
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/usb/cdc_mbim.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 17d7408795519037a5a1272c7888238e20830bfe
Author: Vyacheslav Dubeyko <slava@dubeyko.com>
Date:   Wed Apr 17 15:58:33 2013 -0700

    Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
    
    hfsplus: fix potential overflow in hfsplus_file_truncate()
    
    Change a u32 to loff_t hfsplus_file_truncate().
    
    Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/hfsplus/extents.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
Author: Emese Revfy <re.emese@gmail.com>
Date:   Wed Apr 17 15:58:36 2013 -0700

    Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
    
    kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
    
    This fixes a kernel memory contents leak via the tkill and tgkill syscalls
    for compat processes.
    
    This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
    when handling signals delivered from tkill.
    
    The place of the infoleak:
    
    int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
    {
            ...
            put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
            ...
    }
    
    Signed-off-by: Emese Revfy <re.emese@gmail.com>
    Reviewed-by: PaX Team <pageexec@freemail.hu>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Serge Hallyn <serge.hallyn@canonical.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/signal.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:17:00 2013 -0400

    Improve PAX_USERCOPY to reject direct copies to/from main kernel text

 fs/exec.c |   29 +++++++++++++++++++++++++++--
 1 files changed, 27 insertions(+), 2 deletions(-)

commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
Merge: e87c19f c664779
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:06:08 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c664779987cb0c27a242029f0e0db812e3236203
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 19:54:09 2013 -0400

    add intentional_overflow marking for resource_size() as reasoned by:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3412

 include/linux/ioport.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e87c19f8312355b8658e5138c16bfa6043a379c8
Merge: 802d119 d0c636c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 16:57:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
Merge: bc88628 2396403
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 16:57:01 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/paravirt.c

commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:39:51 2013 -0400

    move location of RBAC user check on setfsuid until after capability checks
    for consistency with other checks

 kernel/sys.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 1a860d7d67051559ab2e6d10f9888649c92904e6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:34:46 2013 -0400

    A denied setfsuid by the RBAC system would result in an abort_creds() being called
    with an uninitalized pointer, introduced by a bad forward-port

 kernel/sys.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
Merge: c38d142 bc88628
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:28:33 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit bc88628a6a8fcccaabb90908640809b0540df225
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:26:41 2013 -0400

    Update to pax-linux-3.8.7-test20.patch:
    - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
    - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
    - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
    - fixed CONSTIFY and powerpc interference, reported by  John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)

 arch/powerpc/include/asm/smp.h |    2 +-
 arch/x86/Kconfig               |    4 ++--
 arch/x86/kernel/entry_64.S     |    8 ++++----
 security/Kconfig               |    2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

commit c38d142744489fc4d9be80188b6435a278438fd9
Author: Suleiman Souhlal <suleiman@google.com>
Date:   Sat Apr 13 16:03:06 2013 -0700

    Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
    
    vfs: Revert spurious fix to spinning prevention in prune_icache_sb
    
    Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
    
    This commit doesn't look right: since we are looking at the tail of the
    list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
    it back at the head of the list instead of the tail, otherwise we will
    keep spinning on it.
    
    Discovered when investigating why prune_icache_sb came top in perf
    reports of a swapping load.
    
    Signed-off-by: Suleiman Souhlal <suleiman@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org # v3.2+
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/inode.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 93019624b80ba59798393942798d7f6ed0c1dbc6
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Apr 13 15:15:30 2013 -0700

    Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
    
    kobject: fix kset_find_obj() race with concurrent last kobject_put()
    
    Anatol Pomozov identified a race condition that hits module unloading
    and re-loading.  To quote Anatol:
    
     "This is a race codition that exists between kset_find_obj() and
      kobject_put().  kset_find_obj() might return kobject that has refcount
      equal to 0 if this kobject is freeing by kobject_put() in other
      thread.
    
      Here is timeline for the crash in case if kset_find_obj() searches for
      an object tht nobody holds and other thread is doing kobject_put() on
      the same kobject:
    
        THREAD A (calls kset_find_obj())     THREAD B (calls kobject_put())
        splin_lock()
                                             atomic_dec_return(kobj->kref), counter gets zero here
                                             ... starts kobject cleanup ....
                                             spin_lock() // WAIT thread A in kobj_kset_leave()
        iterate over kset->list
        atomic_inc(kobj->kref) (counter becomes 1)
        spin_unlock()
                                             spin_lock() // taken
                                             // it does not know that thread A increased counter so it
                                             remove obj from list
                                             spin_unlock()
                                             vfree(module) // frees module object with containing kobj
    
        // kobj points to freed memory area!!
        kobject_put(kobj) // OOPS!!!!
    
      The race above happens because module.c tries to use kset_find_obj()
      when somebody unloads module.  The module.c code was introduced in
      commit 6494a93d55fa"
    
    Anatol supplied a patch specific for module.c that worked around the
    problem by simply not using kset_find_obj() at all, but rather than make
    a local band-aid, this just fixes kset_find_obj() to be thread-safe
    using the proper model of refusing the get a new reference if the
    refcount has already dropped to zero.
    
    See examples of this proper refcount handling not only in the kref
    documentation, but in various other equivalent uses of this pattern by
    grepping for atomic_inc_not_zero().
    
    [ Side note: the module race does indicate that module loading and
      unloading is not properly serialized wrt sysfs information using the
      module mutex.  That may require further thought, but this is the
      correct fix at the kobject layer regardless. ]
    
    Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/kobject.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 5277b052b5fab36729e1255fb3b12f47a4b12867
Author: Dave Hansen <dave@sr71.net>
Date:   Fri Apr 12 16:23:54 2013 -0700

    Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
    
    x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
    
    This patch attempts to fix:
    
        https://bugzilla.kernel.org/show_bug.cgi?id=56461
    
    The symptom is a crash and messages like this:
    
        chrome: Corrupted page table at address 34a03000
        *pdpt = 0000000000000000 *pde = 0000000000000000
        Bad pagetable: 000f [#1] PREEMPT SMP
    
    Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
    enable tlb flush range support for x86") since that code started to free
    unused pagetables.
    
    On x86-32 PAE kernels, that new code has the potential to free an entire
    PMD page and will clear one of the four page-directory-pointer-table
    (aka pgd_t entries).
    
    The hardware aggressively "caches" these top-level entries and invlpg
    does not actually affect the CPU's copy.  If we clear one we *HAVE* to
    do a full TLB flush, otherwise we might continue using a freed pmd page.
    (note, we do this properly on the population side in pud_populate()).
    
    This patch tracks whenever we clear one of these entries in the 'struct
    mmu_gather', and ensures that we follow up with a full tlb flush.
    
    BTW, I disassembled and checked that:
    
        if (tlb->fullmm == 0)
    and
        if (!tlb->fullmm && !tlb->need_flush_all)
    
    generate essentially the same code, so there should be zero impact there
    to the !PAE case.
    
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Peter Anvin <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Artem S Tashkinov <t.artem@mailcity.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/x86/include/asm/tlb.h |    2 +-
 arch/x86/mm/pgtable.c      |    7 +++++++
 include/asm-generic/tlb.h  |    7 ++++++-
 mm/memory.c                |    1 +
 4 files changed, 15 insertions(+), 2 deletions(-)

commit 521e573fc77d1783c1d4636dfbb4617a922f043d
Merge: 032f626 f807619
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:29:34 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f80761993b85df96fc142dfc3a317cadc0f8eae5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:28:21 2013 -0400

    Update to pax-linux-3.8.7-test19.patch:
    - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
    - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
    - fixed the structleak plugin to compile for gcc 4.5-4.6 as well

 Makefile                      |    2 +-
 arch/x86/xen/enlighten.c      |    6 +++---
 tools/gcc/structleak_plugin.c |    5 +++--
 3 files changed, 7 insertions(+), 6 deletions(-)

commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
Merge: a3a770e 89886f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 18:38:40 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 89886f561cc0d1c42a99624ec8c3704711088155
Merge: 9123489 531ec28
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 18:38:30 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit a3a770e18578841e4fbe2aa0831a22811b4812cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 11 20:46:20 2013 -0400

    Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
    Will be fixed with the next PaX patch
    
    This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date:   Fri Mar 29 10:20:56 2013 -0400

    Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
    
    xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
    
    Occassionaly on a DL380 G4 the guest would crash quite early with this:
    
    (XEN) d244:v0: unhandled page fault (ec=0003)
    (XEN) Pagetable walk from ffffffff84dc7000:
    (XEN)  L4[0x1ff] = 00000000c3f18067 0000000000001789
    (XEN)  L3[0x1fe] = 00000000c3f14067 000000000000178d
    (XEN)  L2[0x026] = 00000000dc8b2067 0000000000004def
    (XEN)  L1[0x1c7] = 00100000dc8da067 0000000000004dc7
    (XEN) domain_crash_sync called from entry.S
    (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
    (XEN) ----[ Xen-4.1.3OVM  x86_64  debug=n  Not tainted ]----
    (XEN) CPU:    3
    (XEN) RIP:    e033:[<ffffffff81263f22>]
    (XEN) RFLAGS: 0000000000000216   EM: 1   CONTEXT: pv guest
    (XEN) rax: 0000000000000000   rbx: ffffffff81785f88   rcx: 000000000000003f
    (XEN) rdx: 0000000000000000   rsi: 00000000dc8da063   rdi: ffffffff84dc7000
    
    The offending code shows it to be a loop writting the value zero
    (%rax) in the %rdi (the L4 provided by Xen) register:
    
       0: 44 00 00             add    %r8b,(%rax)
       3: 31 c0                 xor    %eax,%eax
       5: b9 40 00 00 00       mov    $0x40,%ecx
       a: 66 0f 1f 84 00 00 00 nopw   0x0(%rax,%rax,1)
      11: 00 00
      13: ff c9                 dec    %ecx
      15:* 48 89 07             mov    %rax,(%rdi)     <-- trapping instruction
      18: 48 89 47 08           mov    %rax,0x8(%rdi)
      1c: 48 89 47 10           mov    %rax,0x10(%rdi)
    
    which fails. xen_setup_kernel_pagetable recycles some of the Xen's
    page-table entries when it has switched over to its Linux page-tables.
    
    Right before try to clear the page, we  make a hypercall to change
    it from _RO to  _RW and that works (otherwise we would hit an BUG()).
    And the _RW flag is set for that page:
    (XEN)  L1[0x1c7] = 001000004885f067 0000000000004dc7
    
    The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
    present (correct), and we tried to write to the page, but a violation
    occurred. The one theory is that the the page entries in hardware
    (which are cached) are not up to date with what we just set. Especially
    as we have just done an CR3 write and flushed the multicalls.
    
    This patch does solve the problem by flusing out the TLB page
    entry after changing it from _RO to _RW and we don't hit this
    issue anymore.
    
    Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
    'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
    Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

 arch/x86/xen/mmu.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
Author: Namhyung Kim <namhyung.kim@lge.com>
Date:   Mon Apr 1 21:46:23 2013 +0900

    Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
    
    tracing: Fix double free when function profile init failed
    
    On the failure path, stat->start and stat->pages will refer same page.
    So it'll attempt to free the same page again and get kernel panic.
    
    Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
    
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Namhyung Kim <namhyung.kim@lge.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Namhyung Kim <namhyung@kernel.org>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/ftrace.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Tue Apr 9 23:19:00 2013 +0000

    Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
    
    e100: Add dma mapping error check
    
    e100 uses pci_map_single, but fails to check for a dma mapping error after its
    use, resulting in a stack trace:
    
    [   46.656594] ------------[ cut here ]------------
    [   46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
    [   46.657004] Hardware name: To Be Filled By O.E.M.
    [   46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
    error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
    [   46.657004] Modules linked in:
    [   46.657004]  w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
    snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
    e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
    k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
    sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
    drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
    sata_promise crc_itu_t
    [   46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
    [   46.657004] Call Trace:
    [   46.657004]  <IRQ>  [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
    [   46.657004]  [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
    [   46.657004]  [<ffffffff81364cfb>] check_unmap+0x47b/0x950
    [   46.657004]  [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
    [   46.657004]  [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
    [   46.657004]  [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
    [   46.657004]  [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
    [   46.657004]  [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
    [   46.657004]  [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
    [   46.657004]  [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
    [   46.657004]  [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
    [   46.657004]  [<ffffffff8101c485>] do_softirq+0x85/0xc0
    [   46.657004]  [<ffffffff81070885>] irq_exit+0xd5/0xe0
    [   46.657004]  [<ffffffff816e5756>] do_IRQ+0x56/0xc0
    [   46.657004]  [<ffffffff816dacb2>] common_interrupt+0x72/0x72
    [   46.657004]  <EOI>  [<ffffffff816da1eb>] ?
    _raw_spin_unlock_irqrestore+0x3b/0x70
    [   46.657004]  [<ffffffff816d124d>] __slab_free+0x58/0x38b
    [   46.657004]  [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
    [   46.657004]  [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
    [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
    [   46.657004]  [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff811e8c28>] destroy_inode+0x38/0x60
    [   46.657004]  [<ffffffff811e8d5e>] evict+0x10e/0x1a0
    [   46.657004]  [<ffffffff811e9605>] iput+0xf5/0x180
    [   46.657004]  [<ffffffff811e4338>] dput+0x248/0x310
    [   46.657004]  [<ffffffff811ce0e1>] __fput+0x171/0x240
    [   46.657004]  [<ffffffff811ce26e>] ____fput+0xe/0x10
    [   46.657004]  [<ffffffff8108d54c>] task_work_run+0xac/0xe0
    [   46.657004]  [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
    [   46.657004]  [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
    [   46.657004]  [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
    [   46.657004]  [<ffffffff8106d139>] do_group_exit+0x49/0xc0
    [   46.657004]  [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
    [   46.657004]  [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
    [   46.657004] ---[ end trace 4468c44e2156e7d1 ]---
    [   46.657004] Mapped at:
    [   46.657004]  [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
    [   46.657004]  [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
    [   46.657004]  [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
    [   46.657004]  [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
    [   46.657004]  [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
    
    Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
    dma_mapping_error check in the obvious place
    
    This was reported previously here:
    http://article.gmane.org/gmane.linux.network/257893
    
    But nobody stepped up and fixed it.
    
    CC: Josh Boyer <jwboyer@redhat.com>
    CC: e1000-devel@lists.sourceforge.net
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: Michal Jaegermann <michal@harddata.com>
    Tested-by: Aaron Brown <aaron.f.brown@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/intel/e100.c |   36 +++++++++++++++++++++++++-----------
 1 files changed, 25 insertions(+), 11 deletions(-)

commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Wed Apr 10 12:44:18 2013 -0400

    Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
    
    NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
    
    Make sure that we set the status to 0 on success. Missed in testing
    because it never appears when doing multiple mounts to _different_
    servers.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list

 fs/nfs/nfs4client.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
Author: Yuval Mintz <yuvalmin@broadcom.com>
Date:   Wed Apr 10 13:34:39 2013 +0300

    Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
    
    bnx2x: Prevent null pointer dereference in AFEX mode
    
    The cnic module is responsible for initializing various bnx2x structs
    via callbacks provided by the bnx2x module.
    One such struct is the queue object for the FCoE queue.
    
    If a device is working in AFEX mode and its configuration allows FCoE yet
    the cnic module is not loaded, it's very likely a null pointer dereference
    will occur, as the bnx2x will erroneously access the FCoE's queue object.
    
    Prevent said access until cnic properly registers itself.
    
    Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
    Signed-off-by: Ariel Elior <ariele@broadcom.com>
    Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 2908830232725db624aaa052f7ad38d1f98bf541
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Apr 9 14:16:04 2013 +0800

    Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
    
    can: gw: use kmem_cache_free() instead of kfree()
    
    Memory allocated by kmem_cache_alloc() should be freed using
    kmem_cache_free(), not kfree().
    
    Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

 net/can/gw.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date:   Sun Apr 7 04:53:15 2013 +0000

    Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
    
    ipv6/tcp: Stop processing ICMPv6 redirect messages
    
    Tetja Rediske found that if the host receives an ICMPv6 redirect message
    after sending a SYN+ACK, the connection will be reset.
    
    He bisected it down to 093d04d (ipv6: Change skb->data before using
    icmpv6_notify() to propagate redirect), but the origin of the bug comes
    from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
    handlers.). The bug simply did not trigger prior to 093d04d, because
    skb->data did not point to the inner IP header and thus icmpv6_notify
    did not call the correct err_handler.
    
    This patch adds the missing "goto out;" in tcp_v6_err. After receiving
    an ICMPv6 Redirect, we should not continue processing the ICMP in
    tcp_v6_err, as this may trigger the removal of request-socks or setting
    sk_err(_soft).
    
    Reported-by: Tetja Rediske <tetja@tetja.de>
    Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/tcp_ipv6.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c7d5c2524456ef3ea9194840e7a9a75069a46824
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 20:32:54 2013 -0400

    - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit acac2380fd97acee4367d2aa24c74322dcf1d22b
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Apr 5 16:11:11 2013 -0400

    Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
    
    NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
    
    It is unsafe to use list_for_each_entry_safe() here, because
    when we drop the nn->nfs_client_lock, we pin the _current_ list
    entry and ensure that it stays in the list, but we don't do the
    same for the _next_ list entry. Use of list_for_each_entry() is
    therefore the correct thing to do.
    
    Also fix the refcounting in nfs41_walk_client_list().
    
    Finally, ensure that the nfs_client has finished being initialised
    and, in the case of NFSv4.1, that the session is set up.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: Chuck Lever <chuck.lever@oracle.com>
    Cc: Bryan Schumaker <bjschuma@netapp.com>
    Cc: stable@vger.kernel.org [>= 3.7]

 fs/nfs/nfs4client.c |   44 ++++++++++++++++++++++++++++----------------
 1 files changed, 28 insertions(+), 16 deletions(-)

commit a6cf5f387b882ac0ce655b75f623f86c075517be
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Mar 22 12:52:59 2013 -0400

    Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
    
    SUNRPC: Remove extra xprt_put()
    
    While testing error cases where rpc_new_client() fails, I saw
    some oopses.
    
    If rpc_new_client() fails, it already invokes xprt_put().  Thus
    __rpc_clone_client() does not need to invoke it again.
    
    Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
    Fri Sep 14, 2012.
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Cc: stable@vger.kernel.org [>=3.7]
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Apr 5 14:13:21 2013 -0400

    Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
    
    SUNRPC: Fix a potential memory leak in rpc_new_client
    
    If the call to rpciod_up() fails, we currently leak a reference to the
    struct rpc_xprt.
    As part of the fix, we also remove the redundant check for xprt!=NULL.
    This is already taken care of by the callers.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:16:05 2013 -0400

    From https://lkml.org/lkml/2013/4/8/469:
    [PATCH] rtnetlink: call nlmsg_parse() with correct header length

 net/core/rtnetlink.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9529169b8c405874fd543b785f53c74fa0501c2a
Author: Christopher Harvey <charvey@matrox.com>
Date:   Fri Apr 5 10:51:15 2013 -0400

    Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
    
    drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
    
    This change properly enables the "requester" in G200ER cards that is
    responsible for getting pixels out of memory and clocking them out to
    the screen.
    
    Signed-off-by: Christopher Harvey <charvey@matrox.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@redhat.com>

 drivers/gpu/drm/mgag200/mgag200_mode.c |   13 +++----------
 1 files changed, 3 insertions(+), 10 deletions(-)

commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Mar 28 13:30:23 2013 -0400

    Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
    
    ecryptfs: close rmmod race
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/ecryptfs/miscdev.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:03:45 2013 -0400

    Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1

 arch/ia64/kernel/palinfo.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 83280e384ae3ceadad30369ced111dc7d4b46085
Author: Andrey Vagin <avagin@openvz.org>
Date:   Tue Apr 9 17:33:29 2013 +0400

    Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
    
    mnt: release locks on error path in do_loopback
    
    do_loopback calls lock_mount(path) and forget to unlock_mount
    if clone_mnt or copy_mnt fails.
    
    [   77.661566] ================================================
    [   77.662939] [ BUG: lock held when returning to user space! ]
    [   77.664104] 3.9.0-rc5+ #17 Not tainted
    [   77.664982] ------------------------------------------------
    [   77.666488] mount/514 is leaving the kernel with locks still held!
    [   77.668027] 2 locks held by mount/514:
    [   77.668817]  #0:  (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
    [   77.671755]  #1:  (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
    
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namespace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 679e536b9d9536d804f049fe942367a596253e6d
Author: Alex Williamson <alex.williamson@redhat.com>
Date:   Tue Mar 26 11:33:16 2013 -0600

    Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
    
    vfio-pci: Fix possible integer overflow
    
    The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
    of which are unsigned.  We attempt to bounds check these, but fail to
    account for the case where start is a very large number, allowing
    start + count to wrap back into the valid range.  Bounds check both
    start and start + count.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

 drivers/vfio/pci/vfio_pci.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 18:48:45 2013 -0400

    Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b5261a6384ee42499b29495aaae40b271e77d394
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:30:45 2013 -0400

    some undefined behavior fixups

 grsecurity/gracl.c      |    4 ++--
 grsecurity/gracl_ip.c   |   10 +++++-----
 grsecurity/gracl_segv.c |    4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:28:54 2013 -0400

    don't whine about denied ipv6 when it's not enabled

 grsecurity/gracl_ip.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
Merge: 97bca88 9123489
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:18:45 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 9123489428c58668a89f316db6619739cbdd2c2a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:17:46 2013 -0400

    Update to pax-linux-3.8.6-test18.patch:
    - new size overflow plugin from Emese to work around a gcc optimization
      resulting in an intentional overflow, reported by Carlos Carvalho
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)

 tools/gcc/size_overflow_plugin.c |   68 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 66 insertions(+), 2 deletions(-)

commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
Merge: 675a41e e9d6073
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:32:59 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/kernel/us3_cpufreq.c

commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:19:03 2013 -0400

    Update to pax-linux-3.8.6-test17.patch:
    - fixed ia64/ppc/sparc compilation by spender
    - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)

 arch/ia64/include/asm/uaccess.h    |    2 -
 arch/powerpc/include/asm/uaccess.h |    2 -
 arch/sparc/include/asm/uaccess.h   |    7 ----
 arch/sparc/kernel/prom_common.c    |    2 +-
 arch/sparc/kernel/us3_cpufreq.c    |   69 ++++++++++--------------------------
 tools/gcc/structleak_plugin.c      |   15 ++++----
 6 files changed, 28 insertions(+), 69 deletions(-)

commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 7 12:00:50 2013 -0400

    fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5a216624a06429488f24ce47db093da042f90e48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:22:24 2013 -0400

    fix typo

 arch/sparc/kernel/us3_cpufreq.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit e476ca18d21788898cd3acd1b57049971a2fb70f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:16:13 2013 -0400

    properly fix cpufreq_driver for ultrasparc III with constification

 arch/sparc/kernel/us3_cpufreq.c |   35 +++++++++++++++++------------------
 1 files changed, 17 insertions(+), 18 deletions(-)

commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:58:48 2013 -0400

    mark prom_sparc_ops __initconst

 arch/sparc/kernel/prom_common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:53:16 2013 -0400

    fix ia64/powerpc/sparc compilation

 arch/ia64/include/asm/uaccess.h    |    2 --
 arch/powerpc/include/asm/uaccess.h |    2 --
 arch/sparc/include/asm/uaccess.h   |    7 -------
 3 files changed, 0 insertions(+), 11 deletions(-)

commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Mar 19 20:26:57 2013 +0100

    Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
    
    cfg80211: fix wdev tracing crash
    
    Arend reported a crash in tracing if the driver returns an
    ERR_PTR() value from the add_virtual_intf() callback. This
    is due to the tracing then still attempting to dereference
    the "pointer", fix this by using IS_ERR_OR_NULL().
    
    Reported-by: Arend van Spriel <arend@broadcom.com>
    Tested-by: Arend van Spriel <arend@broadcom.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/wireless/trace.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Mon Mar 25 11:51:14 2013 +0100

    Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
    
    mac80211: fix remain-on-channel cancel crash
    
    If a ROC item is canceled just as it expires, the work
    struct may be scheduled while it is running (and waiting
    for the mutex). This results in it being run after being
    freed, which obviously crashes.
    
    To fix this don't free it when aborting is requested but
    instead mark it as "to be freed", which makes the work a
    no-op and allows freeing it outside.
    
    Cc: stable@vger.kernel.org [3.6+]
    Reported-by: Jouni Malinen <j@w1.fi>
    Tested-by: Jouni Malinen <j@w1.fi>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/mac80211/cfg.c         |    6 ++++--
 net/mac80211/ieee80211_i.h |    3 ++-
 net/mac80211/offchannel.c  |   23 +++++++++++++++++------
 3 files changed, 23 insertions(+), 9 deletions(-)

commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
Author: Stone Piao <piaoyun@marvell.com>
Date:   Fri Mar 29 19:21:21 2013 -0700

    Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
    
    mwifiex: limit channel number not to overflow memory
    
    Limit the channel number in scan request, or the driver scan
    config structure memory will be overflowed.
    
    Cc: <stable@vger.kernel.org> # 3.5+
    Signed-off-by: Stone Piao <piaoyun@marvell.com>
    Signed-off-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/mwifiex/cfg80211.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 207c411512bdaf0e4271f93ecac6ca26588da36f
Author: Gao feng <gaofeng@cn.fujitsu.com>
Date:   Thu Mar 21 19:48:41 2013 +0000

    Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
    
    netfilter: reset nf_trace in nf_reset
    
    We forgot to clear the nf_trace of sk_buff in nf_reset,
    When we use veth device, this nf_trace information will
    be leaked from one net namespace to another net namespace.
    
    Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/linux/skbuff.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Fri Mar 22 01:28:18 2013 +0000

    Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
    
    netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_queue_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit a79feb7d3251eca577d83d7f69eee2b961ab2924
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Sat Mar 23 16:57:59 2013 +0100

    Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
    
    netfilter: nfnetlink_acct: return -EINVAL if object name is empty
    
    If user-space tries to create accounting object with an empty
    name, then return -EINVAL.
    
    Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_acct.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
Author: Matthias Schiffer <mschiffer@universe-factory.net>
Date:   Sat Mar 30 10:23:12 2013 +0000

    Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
    
    netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
    
    The bitmask used for the prefix mangling was being calculated
    incorrectly, leading to the wrong part of the address being replaced
    when the prefix length wasn't a multiple of 32.
    
    Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/ipv6/netfilter/ip6t_NPT.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
Author: Veaceslav Falico <vfalico@redhat.com>
Date:   Wed Apr 3 05:46:33 2013 +0000

    Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
    
    bonding: remove sysfs before removing devices
    
    We have a race condition if we try to rmmod bonding and simultaneously add
    a bond master through sysfs. In bonding_exit() we first remove the devices
    (through rtnl_link_unregister() ) and only after that we remove the sysfs.
    If we manage to add a device through sysfs after that the devices were
    removed - we'll end up with that device/sysfs structure and with the module
    unloaded.
    
    Fix this by first removing the sysfs and only after that calling
    rtnl_link_unregister().
    
    Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/bonding/bond_main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d12cae44a9d12441d81c489178803237219d403d
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:14:47 2013 +0000

    Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
    
    af_unix: If we don't care about credentials coallesce all messages
    
    It was reported that the following LSB test case failed
    https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
    were not coallescing unix stream messages when the application was
    expecting us to.
    
    The problem was that the first send was before the socket was accepted
    and thus sock->sk_socket was NULL in maybe_add_creds, and the second
    send after the socket was accepted had a non-NULL value for sk->socket
    and thus we could tell the credentials were not needed so we did not
    bother.
    
    The unnecessary credentials on the first message cause
    unix_stream_recvmsg to start verifying that all messages had the same
    credentials before coallescing and then the coallescing failed because
    the second message had no credentials.
    
    Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
    long standing pessimization which would fail to coallesce messages when
    reading from a unix stream socket if the senders were different even if
    we did not care about their credentials.
    
    I have tested this and verified that the in the LSB test case mentioned
    above that the messages do coallesce now, while the were failing to
    coallesce without this change.
    
    Reported-by: Karel Srot <ksrot@redhat.com>
    Reported-by: Ding Tianhong <dingtianhong@huawei.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:13:35 2013 +0000

    Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
    
    Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
    
    This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
    
    The problem that the above patch was meant to address is that af_unix
    messages are not being coallesced because we are sending unnecesarry
    credentials.  Not sending credentials in maybe_add_creds totally
    breaks unconnected unix domain sockets that wish to send credentails
    to other sockets.
    
    In practice this break some versions of udev because they receive a
    message and the sending uid is bogus so they drop the message.
    
    Reported-by: Sven Joachim <svenjoac@gmx.de>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Mar 20 21:31:42 2013 +0000

    Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
    
    lantiq_etop: use free_netdev(netdev) instead of kfree()
    
    Freeing netdev without free_netdev() leads to net, tx leaks.
    And it may lead to dereferencing freed pointer.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/lantiq_etop.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
Author: Cong Wang <amwang@redhat.com>
Date:   Fri Mar 22 19:14:07 2013 +0000

    Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
    
    8021q: fix a potential use-after-free
    
    vlan_vid_del() could possibly free ->vlan_info after a RCU grace
    period, however, we may still refer to the freed memory area
    by 'grp' pointer. Found by code inspection.
    
    This patch moves vlan_vid_del() as behind as possible.
    
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/8021q/vlan.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit fff29c277024a39845d4b535083c8dafc21b45d9
Author: Hong zhi guo <honkiko@gmail.com>
Date:   Sat Mar 23 02:27:50 2013 +0000

    Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
    
    bridge: fix crash when set mac address of br interface
    
    When I tried to set mac address of a bridge interface to a mac
    address which already learned on this bridge, I got system hang.
    
    The cause is straight forward: function br_fdb_change_mac_address
    calls fdb_insert with NULL source nbp. Then an fdb lookup is
    performed. If an fdb entry is found and it's local, it's OK. But
    if it's not local, source is dereferenced for printk without NULL
    check.
    
    Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br_fdb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
Author: Kumar Amit Mehta <gmate.amit@gmail.com>
Date:   Sat Mar 23 20:10:25 2013 +0000

    Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
    
    bnx2x: fix assignment of signed expression to unsigned variable
    
    fix for incorrect assignment of signed expression to unsigned variable.
    
    Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
    Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
Author: dingtianhong <dingtianhong@huawei.com>
Date:   Mon Mar 25 17:02:04 2013 +0000

    Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
    
    af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
    
    SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
    socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
    and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
    
    Origionally-authored-by: Karel Srot <ksrot@redhat.com>
    Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b964e1e61f0f0ccaa380be3342f956c604054bdc
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Mar 21 02:30:41 2013 -0700

    Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
    
    yama:  Better permission check for ptraceme
    
    Change the permission check for yama_ptrace_ptracee to the standard
    ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
    in the tracees user namespace.
    
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 security/yama/yama_lsm.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit b94e71c7b6abe75989edff18aca2781233fa143b
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Apr 1 11:40:51 2013 +0400

    Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
    
    ipc: set msg back to -EAGAIN if copy wasn't performed
    
    Make sure that msg pointer is set back to error value in case of
    MSG_COPY flag is set and desired message to copy wasn't found.  This
    garantees that msg is either a error pointer or a copy address.
    
    Otherwise the last message in queue will be freed without unlinking from
    the queue (which leads to memory corruption) and the dummy allocated
    copy won't be released.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msg.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
Author: Jan Kara <jack@suse.cz>
Date:   Fri Mar 29 15:39:16 2013 +0100

    Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
    
    reiserfs: Fix warning and inode leak when deleting inode with xattrs
    
    After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
    started failing to delete xattrs from inode. This was due to a buggy
    test for '.' and '..' in fill_with_dentries() which resulted in passing
    '.' and '..' entries to lookup_one_len() in some cases. That returned
    error and so we failed to iterate over all xattrs of and inode.
    
    Fix the test in fill_with_dentries() along the lines of the one in
    lookup_one_len().
    
    Reported-by: Pawel Zawora <pzawora@gmail.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/xattr.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
Author: Paul Bolle <pebolle@tiscali.nl>
Date:   Wed Apr 3 12:24:45 2013 +0100

    Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
    
    ARM: 7690/1: mm: fix CONFIG_LPAE typos
    
    CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
    up the two typos under arch/arm/.
    
    The fix to head.S is slightly scary, but this is just for setting up
    an early io-mapping for the serial port when running on a big-endian,
    LPAE system. Since these systems don't exist in the wild (at least, I
    have no access to one outside of kvmtool, which doesn't provide a serial
    port suitable for earlyprintk), then we can revisit the code later if it
    causes any problems.
    
    Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/kernel/head.S  |    2 +-
 arch/arm/kernel/setup.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 984ba346b2d8f158473e9723ba145031368431ed
Author: Catalin Marinas <catalin.marinas@arm.com>
Date:   Tue Mar 26 23:35:04 2013 +0100

    Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
    
    ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
    
    On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
    all use of the old entries. This patch implements the erratum workaround
    which consists of:
    
    1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
    2. Send IPI to the CPUs that are running the same mm (and ASID) as the
       one being invalidated (or all the online CPUs for global pages).
    3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
       return code already).
    
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    
    Conflicts:
    
        arch/arm/include/asm/tlbflush.h
        arch/arm/kernel/smp_tlb.c
        arch/arm/mm/context.c

 arch/arm/Kconfig                   |   10 +++++
 arch/arm/include/asm/highmem.h     |    7 ++++
 arch/arm/include/asm/mmu_context.h |    2 +
 arch/arm/include/asm/tlbflush.h    |   15 ++++++++
 arch/arm/kernel/smp_tlb.c          |   66 ++++++++++++++++++++++++++++++++++++
 arch/arm/mm/context.c              |    6 ++-
 6 files changed, 104 insertions(+), 2 deletions(-)

commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
Author: Jan Stancek <jstancek@redhat.com>
Date:   Thu Apr 4 11:35:10 2013 -0700

    Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
    
    mm: prevent mmap_cache race in find_vma()
    
    find_vma() can be called by multiple threads with read lock
    held on mm->mmap_sem and any of them can update mm->mmap_cache.
    Prevent compiler from re-fetching mm->mmap_cache, because other
    readers could update it in the meantime:
    
                   thread 1                             thread 2
                                            |
      find_vma()                            |  find_vma()
        struct vm_area_struct *vma = NULL;  |
        vma = mm->mmap_cache;               |
        if (!(vma && vma->vm_end > addr     |
            && vma->vm_start <= addr)) {    |
                                            |    mm->mmap_cache = vma;
        return vma;                         |
         ^^ compiler may optimize this      |
            local variable out and re-read  |
            mm->mmap_cache                  |
    
    This issue can be reproduced with gcc-4.8.0-1 on s390x by running
    mallocstress testcase from LTP, which triggers:
    
      kernel BUG at mm/rmap.c:1088!
        Call Trace:
         ([<000003d100c57000>] 0x3d100c57000)
          [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
          [<000000000023baae>] handle_pte_fault+0x41a/0xac8
          [<000000000023d832>] handle_mm_fault+0x17a/0x268
          [<000000000060507a>] do_protection_exception+0x1e2/0x394
          [<0000000000603a04>] pgm_check_handler+0x138/0x13c
          [<000003fffcf1f07a>] 0x3fffcf1f07a
        Last Breaking-Event-Address:
          [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
    
    Thanks to Jakub Jelinek for his insight on gcc and helping to
    track this down.
    
    Signed-off-by: Jan Stancek <jstancek@redhat.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c  |    2 +-
 mm/nommu.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 53f5096daa14967938bc154e6c41f9119863fb36
Merge: e988d7c 0a45285
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 5 17:32:31 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/net/ethernet/broadcom/tg3.c

commit 0a452855444d02502df6eb21ef3083cf303f71e1
Merge: 0277fa1 00cfbb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 5 17:31:15 2013 -0400

    Update to pax-linux-3.8.6-test16.patch:
    - fixed some attribute leakage into userland headers, patch by Mathias Krause
    - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
    
    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        drivers/gpu/drm/i915/intel_display.c

commit e988d7c8d946c816a2cb97f0d38048a1584966b8
Merge: baec40e 0277fa1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:05:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0277fa123b486cf11420967e4568d7653e225fd3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:04:48 2013 -0400

    Update to pax-linux-3.8.5-test15.patch:
    - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
    - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)

 drivers/media/pci/cx88/cx88-video.c |    6 +++---
 include/net/net_namespace.h         |    4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

commit baec40e6708fd5ae2000cad6c70c5980c998b91c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 19:50:32 2013 -0400

    fix compilation as reported on forums for gcc versions lacking plugin
    support

 include/net/net_namespace.h |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
Merge: 6b69c35 0db9d15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:47:27 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0db9d156826bdd50510086fde837648a3dfd370e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:46:05 2013 -0400

    Update to pax-linux-3.8.5-test14.patch:
    - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table

 arch/x86/include/asm/uaccess_64.h |    6 +-
 include/linux/moduleloader.h      |    4 +-
 tools/gcc/size_overflow_hash.data |   98 +++++++++++++++++++++----------------
 3 files changed, 61 insertions(+), 47 deletions(-)

commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:35:06 2013 -0400

    remove duplicate compiler.h

 include/linux/sysrq.h |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 01e1d503fd2220adaaec0b92ea19441bdff73555
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 19:53:50 2013 -0400

    fix intentional_overflow marking on sys_sendto

 include/linux/syscalls.h |    2 +-
 net/socket.c             |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit cd5ff114d958470f471c63775278e8c05e774630
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 18:46:16 2013 -0400

    fix size_overflow false positive

 kernel/futex_compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 295ba16cc53df2375261accbedd6575ea327770a
Merge: 18340f1 278a989
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:36:18 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/exec.c
        include/linux/thread_info.h

commit 278a989c831d62193c7b3d119fe2302babd45d12
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:34:34 2013 -0400

    Resync with pax-linux-3.8.5-test13.patch

 arch/arm/include/asm/pgtable.h |    3 ++-
 arch/arm/lib/delay.c           |    1 +
 fs/exec.c                      |    8 ++++----
 include/linux/compiler.h       |    1 +
 include/linux/proc_fs.h        |    2 +-
 include/linux/thread_info.h    |    6 +++---
 include/linux/zlib.h           |    3 ++-
 init/main.c                    |    4 ++--
 kernel/user_namespace.c        |    2 +-
 lib/list_debug.c               |    4 ++--
 mm/slab.c                      |    1 +
 mm/slob.c                      |    1 +
 mm/slub.c                      |    1 +
 net/core/sysctl_net_core.c     |    3 +--
 tools/gcc/constify_plugin.c    |    1 +
 15 files changed, 24 insertions(+), 17 deletions(-)

commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
Merge: 05f01ae e8cfeae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:30:57 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
Merge: b461cb7 aa4cfde
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:30:44 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        drivers/gpu/drm/i915/i915_gem_execbuffer.c
        fs/nfsd/vfs.c

commit 05f01ae4c3479541586a2387f916a6620889c479
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:05:39 2013 -0400

    Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
    takes user-provided length, copies up to that amount in a sockaddr_storage
    struct on the stack, then takes an upper-bounded-only user-provided length
    and copies the sockaddr_storage struct back out to userland, complete with
    uninitialized data

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit eea6ade59490784e83e08ec67322288fcf14cb31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 23:07:37 2013 -0400

    return a proper error, otherwise we could be accessing uninitialized data
    (previous define was a positive value)

 drivers/usb/storage/realtek_cr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
Merge: c3dc9a6 b461cb7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:54:24 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit b461cb7b1d85490430ef7896c247794af72c3749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:54:11 2013 -0400

    Add structleak plugin

 tools/gcc/structleak_plugin.c |  270 +++++++++++++++++++++++++++++++++++++++++
 1 files changed, 270 insertions(+), 0 deletions(-)

commit c3dc9a6ef10782894bb11fd088fd712db44d8062
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:53:22 2013 -0400

    Enable structleak by default for the security auto-config

 security/Kconfig |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
Merge: d8503a3 74bec16
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:47:10 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 74bec16b657147a5575b1f14f4423a717ba317a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:46:13 2013 -0400

    Update to pax-linux-3.8.4-test13.patch:
    - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
    - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland

 Makefile                      |    5 +++-
 arch/x86/include/asm/compat.h |    2 +-
 arch/x86/mm/fault.c           |    3 +-
 fs/binfmt_elf.c               |    2 +-
 include/linux/compiler.h      |   42 ++++++++++++++--------------------------
 security/Kconfig              |   16 +++++++++++++++
 tools/gcc/Makefile            |    2 +
 tools/gcc/constify_plugin.c   |    7 +++++-
 8 files changed, 47 insertions(+), 32 deletions(-)

commit d8503a3a35d68b9ba1615d29335aef3f70d51465
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:02:40 2013 -0400

    Fix 8-byte stack infoleak in ia32_rt_sigpending
    User controls length, kernel only performs check on the upper bound, will
    fill in any amount less than sizeof(sigset_t) via a copy_to_user under
    KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
    regardless of whether the sigset_t content copied into it has been initialized
    or not

 arch/x86/ia32/sys_ia32.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 26 21:05:05 2013 -0400

    commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
    Author: J. Bruce Fields <bfields@redhat.com>
    Date:   Tue Mar 26 14:11:13 2013 -0400
    
        nfsd4: reject "negative" acl lengths
    
        Since we only enforce an upper bound, not a lower bound, a "negative"
        length can get through here.
    
        The symptom seen was a warning when we attempt to a kmalloc with an
        excessive size.
    
        Reported-by: Toralf Förster <toralf.foerster@gmx.de>
        Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 fs/nfsd/nfs4xdr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
Author: Jeff Layton <jlayton@redhat.com>
Date:   Mon Mar 11 09:52:19 2013 -0400

    Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
    
    cifs: ignore everything in SPNEGO blob after mechTypes
    
    We've had several reports of people attempting to mount Windows 8 shares
    and getting failures with a return code of -EINVAL. The default sec=
    mode changed recently to sec=ntlmssp. With that, we expect and parse a
    SPNEGO blob from the server in the NEGOTIATE reply.
    
    The current decode_negTokenInit function first parses all of the
    mechTypes and then tries to parse the rest of the negTokenInit reply.
    The parser however currently expects a mechListMIC or nothing to follow the
    mechTypes, but Windows 8 puts a mechToken field there instead to carry
    some info for the new NegoEx stuff.
    
    In practice, we don't do anything with the fields after the mechTypes
    anyway so I don't see any real benefit in continuing to parse them.
    This patch just has the kernel ignore the fields after the mechTypes.
    We'll probably need to reinstate some of this if we ever want to support
    NegoEx.
    
    Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
    Reported-by: Yan Li <elliot.li.tech@gmail.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Steve French <sfrench@us.ibm.com>

 fs/cifs/asn1.c |   53 +++++------------------------------------------------
 1 files changed, 5 insertions(+), 48 deletions(-)

commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
Merge: 93ff726 0deb54c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:35:15 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:35:05 2013 -0400

    fix typo

 arch/x86/mm/ioremap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
Merge: be9f8b8 f95e53a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:30:06 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f95e53abadb6e4665866e4502ff9f518514193e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:29:25 2013 -0400

    Update to pax-linux-3.8.4-test12.patch:
    
    - fixed perf compilation reported by Michael Tremer
    - fixed USERCOPY reports triggered by SCTP, reported by mcp
    - last fix for aslr gap accounting, promise (thanks to spender)

 arch/x86/mm/ioremap.c                    |    3 +++
 fs/binfmt_elf.c                          |    5 ++---
 mm/mmap.c                                |    2 +-
 net/sctp/socket.c                        |   19 +++++++++++++++----
 tools/perf/util/include/linux/compiler.h |    8 ++++++++
 5 files changed, 29 insertions(+), 8 deletions(-)

commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 16:48:34 2013 -0400

    From: Al Viro <viro@ZenIV.linux.org.uk>
    To: Brad Spengler <spender@grsecurity.net>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    
    Umm...  I see what you are describing, and AFAICS you are correct; let me
    see if I am misreading your analysis:
            * vfsmount_lock may act fair; A holding it shared, with B spinning
    on attempt to take it exclusive may lead to C spinning on attempt to take
    it shared.
            * path_is_under() tries get rename_lock while holding vfsmount_lock
    shared.
            * d_path() et.al. try to take vfsmount_lock shared, while holding
    rename_lock.
    
    All true and yes, it's a bug (I'd probably classify it as a livelock, but
    that doesn't make any real difference).  There are three possible solutions,
    AFAICS:
            1) two-liner in path_is_under() replacing the use of vfsmount_lock
    with that of namespace_sem; trivial, but results in function unexpectedly
    blocking.  The current callers are fine with that, but it's a trouble
    waiting to happen.
            2) replace write_seqlock() in prepend_path() callers with
    read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
    is_subdir() we need more than just ->d_parent not pointing to something
    freed - we also care about ->d_name.len being in sync with ->d_name.name.
    It probably can be worked around, but...
    
            3) declare that rename_lock nests inside vfsmount_lock and let
    the callers of prepend_path() take vfsmount_lock().  I'd probably prefer
    that one...
    
    Nest rename_lock inside vfsmount_lock
    
    ... lest we get livelocks between path_is_under() and d_path() and friends.
    
    [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
      the issue ]
    
    Spotted-by: Brad Spengler <spender@grsecurity.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/dcache.c        |   16 +++++++++++-----
 grsecurity/gracl.c |   20 ++++++++++----------
 2 files changed, 21 insertions(+), 15 deletions(-)

commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Mar 22 11:44:04 2013 -0700

    Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
    
    vfs,proc: guarantee unique inodes in /proc
    
    Dave Jones found another /proc issue with his Trinity tool: thanks to
    the namespace model, we can have multiple /proc dentries that point to
    the same inode, aliasing directories in /proc/<pid>/net/ for example.
    
    This ends up being a total disaster, because it acts like hardlinked
    directories, and causes locking problems.  We rely on the topological
    sort of the inodes pointed to by dentries, and if we have aliased
    directories, that odering becomes unreliable.
    
    In short: don't do this.  Multiple dentries with the same (directory)
    inode is just a bad idea, and the namespace code should never have
    exposed things this way.  But we're kind of stuck with it.
    
    This solves things by just always allocating a new inode during /proc
    dentry lookup, instead of using "iget_locked()" to look up existing
    inodes by superblock and number.  That actually simplies the code a bit,
    at the cost of potentially doing more inode [de]allocations.
    
    That said, the inode lookup wasn't free either (and did a lot of locking
    of inodes), so it is probably not that noticeable.  We could easily keep
    the old lookup model for non-directory entries, but rather than try to
    be excessively clever this just implements the minimal and simplest
    workaround for the problem.
    
    Reported-and-tested-by: Dave Jones <davej@redhat.com>
    Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/inode.c

 fs/proc/inode.c |    9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
Author: Vladimir Davydov <vdavydov@parallels.com>
Date:   Fri Mar 22 15:04:51 2013 -0700

    Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
    
    mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
    
    mnt_drop_write() must be called only if mnt_want_write() succeeded,
    otherwise the mnt_writers counter will diverge.
    
    mnt_writers counters are used to check if remounting FS as read-only is
    OK, so after an extra mnt_drop_write() call, it would be impossible to
    remount mqueue FS as read-only.  Besides, on umount a warning would be
    printed like this one:
    
      =====================================
      [ BUG: bad unlock balance detected! ]
      3.9.0-rc3 #5 Not tainted
      -------------------------------------
      a.out/12486 is trying to release lock (sb_writers) at:
      mnt_drop_write+0x1f/0x30
      but there are no more locks to release!
    
    Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
    Cc: Doug Ledford <dledford@redhat.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/mqueue.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 13:02:32 2013 -0400

    Don't use constify plugin if not enabled in config,
    reported by Alexey Vlasov

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3afb82e020593249ac394e9859397c3e0ef5341c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:50:13 2013 -0400

    oded 0day #2
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 20

 drivers/net/ethernet/broadcom/tg3.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:15:50 2013 -0400

    oded 0day #1
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 18

 drivers/net/wireless/zd1211rw/zd_usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:13:12 2013 -0400

    remove warning on accessing this /proc entry, HIDESYM already caught the infoleak

 drivers/gpu/drm/i915/i915_debugfs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 44cb11a9470f72157601d0ad4d572d111f90f504
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 18:11:42 2013 -0400

    use VM_DONTDUMP

 fs/binfmt_elf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:53:09 2013 -0400

    fix recent RLIMIT_AS changes (due to vm_flags typo)
    
    Conflicts:
    
        fs/binfmt_elf.c

 fs/binfmt_elf.c |    2 +-
 mm/mmap.c       |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit fd5f0d92b0fbec02029dad124501a9c80e527a32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:08:48 2013 -0400

    complete_walk drops rcu-walk mode, no need for our own dropping
    method outside of generic_permission

 fs/namei.c |   30 ------------------------------
 1 files changed, 0 insertions(+), 30 deletions(-)

commit b49ab1c73edb6442eec609b26bba4d850b3111b6
Merge: 5e9a707 783ade9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 21:56:28 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 21:55:31 2013 -0400

    Update to pax-linux-3.8.3-test11.patch:
    - rewrote the ASLR gap accounting code once again
    - fixed ptrace compat bug found by the size overflow plugin

 fs/binfmt_elf.c          |   25 ++++++++++++-------------
 fs/exec.c                |    7 ++-----
 include/linux/compat.h   |    2 +-
 include/linux/mm.h       |    5 +++++
 include/linux/mm_types.h |    2 +-
 kernel/ptrace.c          |    2 +-
 mm/mmap.c                |   15 ++++++++++-----
 7 files changed, 32 insertions(+), 26 deletions(-)

commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 19:37:33 2013 -0400

    Make the constify plugin usage actually depend on the introduced config option
    (it was still forced on)

 tools/gcc/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1974b4f58d9d729c80ac1987785446115304a54c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 16:12:38 2013 -0400

    fix failed merge

 arch/arm/mm/fault.c |   15 +++------------
 1 files changed, 3 insertions(+), 12 deletions(-)

commit 675a8ab4a8fe8315df348735a37a302a7535224c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 23:36:14 2013 -0400

    From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
    From: Kees Cook <keescook@chromium.org>
    Date: Sun, 10 Mar 2013 20:09:31 +0000
    Subject: drm/i915: bounds check execbuffer relocation count
    
    It is possible to wrap the counter used to allocate the buffer for
    relocation copies. This could lead to heap writing overflows.
    
    CVE-2013-0913
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Reported-by: Pinkie Pie
    Cc: stable@vger.kernel.org

 drivers/gpu/drm/i915/i915_gem_execbuffer.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:48:10 2013 -0800

    Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
    
    KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
    
    There is a potential use after free issue with the handling of
    MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or removable
    memory such as frame buffers then KVM might continue to write to that
    address even after it's removed via KVM_SET_USER_MEMORY_REGION.  KVM pins
    the page in memory so it's unlikely to cause an issue, but if the user
    space component re-purposes the memory previously used for the guest, then
    the guest will be able to corrupt that memory.
    
    Tested: Tested against kvmclock unit test
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/include/asm/kvm_host.h |    4 +-
 arch/x86/kvm/x86.c              |   47 ++++++++++++++++----------------------
 2 files changed, 22 insertions(+), 29 deletions(-)

commit 0bcac31b57c381001feb69fd6ec8069e61e03432
Author: Andy Honig <ahonig@google.com>
Date:   Mon Mar 11 09:34:52 2013 -0700

    Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
    
    KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
    
    If the guest sets the GPA of the time_page so that the request to update the
    time straddles a page then KVM will write onto an incorrect page.  The
    write is done byusing kmap atomic to get a pointer to the page for the time
    structure and then performing a memcpy to that page starting at an offset
    that the guest controls.  Well behaved guests always provide a 32-byte aligned
    address, however a malicious guest could use this to corrupt host kernel
    memory.
    
    Tested: Tested against kvmclock unit test.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/kvm/x86.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 695c59887e4ec10b0b695ab4f645d1226c433be0
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:49:16 2013 -0800

    Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
    
    KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
    
    If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
    that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
    that request.  ioapic_read_indirect contains an
    ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
    non-debug builds.  In recent kernels this allows a guest to cause a kernel
    oops by reading invalid memory.  In older kernels (pre-3.3) this allows a
    guest to read from large ranges of host memory.
    
    Tested: tested against apic unit tests.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 virt/kvm/ioapic.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
Merge: aec3cd4 c522e3a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 19:38:25 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
Merge: c57d855 405acc3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 19:38:11 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 19:56:04 2013 -0400

    include linux/compiler.h

 include/linux/zlib.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:42:20 2013 -0400

    fix missing sock_release()

 net/irda/af_irda.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit dd65c05cd24faf8946d4941434a553ee285c35a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:36:17 2013 -0400

    fix mpt fusion infoleak

 drivers/message/fusion/mptbase.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:33:45 2013 -0400

    Fix size_overflow false positive reported by slashbeast

 include/linux/zlib.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:35:36 2013 -0400

    fix up failed merge

 arch/arm/mm/fault.c |    9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:34:36 2013 -0400

    update documentation on consequences of building without gcc plugin support

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:18:13 2013 -0400

    fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums

 init/main.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f00195c633f91cfbd8c1f530d2c371b713026e20
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 22:27:33 2013 -0400

    Fix compile error reported by KDE on the forums

 kernel/user_namespace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
Merge: 0949569 c57d855
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 22:20:46 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/mm/fault.c
        arch/x86/mm/fault.c
        fs/exec.c

commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 21:22:03 2013 -0400

    Update to pax-linux-3.8.2-test9.patch:
     arm changes from spender
      - removed userland access to the vectors page
      - removed obsolete sigreturn trampoline handling
      - added emulation for __kuser_get_tls
      - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
    - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
    - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
    - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
    - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
    - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
      and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.

 arch/arm/kernel/process.c                     |    5 +-
 arch/arm/kernel/signal.c                      |   24 +-
 arch/arm/kernel/traps.c                       |    7 -
 arch/arm/mm/alignment.c                       |    8 +
 arch/arm/mm/fault.c                           |   23 +-
 arch/arm/mm/mmu.c                             |    2 +-
 arch/x86/include/asm/bitops.h                 |    2 +-
 arch/x86/include/asm/desc.h                   |    2 +-
 arch/x86/include/asm/div64.h                  |    2 +-
 arch/x86/include/asm/io.h                     |    8 +-
 arch/x86/include/asm/paravirt.h               |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c |   16 +-
 arch/x86/kernel/setup_percpu.c                |    2 +-
 arch/x86/mm/fault.c                           |    4 +-
 arch/x86/mm/numa.c                            |    2 +-
 arch/x86/mm/physaddr.c                        |    4 +-
 drivers/ata/libahci.c                         |    2 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c    |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c       |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c        |    2 +-
 drivers/lguest/page_tables.c                  |    2 +-
 drivers/net/wireless/at76c50x-usb.c           |    2 +-
 drivers/oprofile/oprofile_files.c             |    2 +-
 drivers/power/power_supply_core.c             |    1 +
 drivers/usb/core/message.c                    |    2 +-
 fs/befs/endian.h                              |    4 +-
 fs/binfmt_elf.c                               |    5 +-
 fs/exec.c                                     |    4 +-
 fs/qnx6/qnx6.h                                |    4 +-
 fs/sysv/sysv.h                                |    2 +-
 fs/ubifs/io.c                                 |    2 +-
 fs/ufs/swab.h                                 |    4 +-
 include/linux/compat.h                        |    4 +-
 include/linux/completion.h                    |    6 +-
 include/linux/cpumask.h                       |   12 +-
 include/linux/ctype.h                         |    2 +-
 include/linux/err.h                           |    4 +-
 include/linux/math64.h                        |    6 +-
 include/linux/sched.h                         |    2 +-
 include/linux/unaligned/access_ok.h           |   12 +-
 include/linux/usb.h                           |    2 +-
 include/uapi/linux/byteorder/little_endian.h  |    4 +-
 include/uapi/linux/swab.h                     |    6 +-
 kernel/sched/core.c                           |    6 +-
 kernel/signal.c                               |    3 +
 kernel/time.c                                 |    2 +-
 kernel/timer.c                                |    2 +-
 lib/div64.c                                   |    4 +-
 mm/page-writeback.c                           |    2 +-
 net/socket.c                                  |    2 +
 scripts/package/builddeb                      |    1 +
 tools/gcc/size_overflow_hash.data             | 8869 +++++++++++++++----------
 tools/gcc/size_overflow_plugin.c              | 1072 ++--
 53 files changed, 6227 insertions(+), 3951 deletions(-)

commit 09495691bb31f11ec14d9127429f9a0f3f716f22
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:51:50 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit deb85b00d0f9f886e264e116313f298401ec5c59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:03:33 2013 -0400

    Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
    with a subject applied to it with RES_CPU.  Otherwise, the limit will only
    begin to be applied at fork time.
    
    Thanks to Bjornar Ness for the report.

 grsecurity/gracl.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 2126421f123513f604ceef2b23ba9ed516de7e58
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:07:43 2013 -0400

    Move inode auditing prior to our refcnt dropping

 fs/namei.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:00:30 2013 -0400

    Drop reference on completed path walked in RCU mode or when violating
    the chroot fchdir check inside a chroot -- possible culprit for a reported
    vfsmount_lock hang during unmount

 fs/namei.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 16:43:45 2013 -0400

    add user_arg_ptr back to exec.c

 fs/exec.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 11:22:36 2013 -0400

    Don't globally include compat.h -- with the new X32 support it
    changes some definitions involving ELF binaries resulting in invalid
    coredumps, as reported by KDE on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
    Thanks to the PaX Team for debugging

 fs/exec.c                  |    3 +++
 grsecurity/grsec_exec.c    |   13 +++++++++++++
 include/linux/grsecurity.h |   15 ---------------
 3 files changed, 16 insertions(+), 15 deletions(-)

commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:59:26 2013 -0400

    Add peer information to /proc/net/unix from Kenan Kalajdzic:
    http://marc.info/?l=linux-netdev&m=126745636809191&w=2
    
    We use a "P" prefix to the inode number instead of "peer=".  This
    additional information can be used, for instance, to find what processes
    are connected to MySQL's unix domain socket.

 net/unix/af_unix.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 1cd623d11a462d151ea8a5cace4521e1724911a3
Author: Oliver Neukum <oneukum@suse.de>
Date:   Tue Mar 12 14:52:42 2013 +0100

    Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
    
    USB: cdc-wdm: fix buffer overflow
    
    The buffer for responses must not overflow.
    If this would happen, set a flag, drop the data and return
    an error after user space has read all remaining data.
    
    Signed-off-by: Oliver Neukum <oliver@neukum.org>
    CC: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/usb/class/cdc-wdm.c |   23 ++++++++++++++++++++---
 1 files changed, 20 insertions(+), 3 deletions(-)

commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
Merge: 9cdf9bc db4cb92
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:23:14 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/keys/compat.c

commit db4cb924546e3fec3a59f78d056f48176eaf7100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:22:24 2013 -0400

    Update to pax-linux-3.8.2-test8.patch

 arch/arm/include/asm/cache.h                |    2 ++
 arch/arm/mach-omap2/gpmc.c                  |   22 ++++++++++++----------
 arch/arm/mach-omap2/omap_device.c           |    4 ++--
 arch/arm/mach-omap2/omap_device.h           |    4 ++--
 arch/arm/plat-orion/include/plat/addr-map.h |    2 +-
 5 files changed, 19 insertions(+), 15 deletions(-)

commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
Merge: 3c865f9 1a45c31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:20:54 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/arm/include/asm/delay.h
        arch/arm/include/asm/pgtable.h
        arch/arm/lib/delay.c
        security/keys/compat.c

commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Tue Mar 12 02:59:49 2013 +0000

    Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
    
    vfs: fix pipe counter breakage
    
    If you open a pipe for neither read nor write, the pipe code will not
    add any usage counters to the pipe, causing the 'struct pipe_inode_info"
    to be potentially released early.
    
    That doesn't normally matter, since you cannot actually use the pipe,
    but the pipe release code - particularly fasync handling - still expects
    the actual pipe infrastructure to all be there.  And rather than adding
    NULL pointer checks, let's just disallow this case, the same way we
    already do for the named pipe ("fifo") case.
    
    This is ancient going back to pre-2.4 days, and until trinity, nobody
    naver noticed.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/pipe.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date:   Mon Feb 25 10:20:36 2013 -0500

    Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
    
    Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
    
    Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
    compat_process_vm_rw() shows that the compatibility code requires an
    explicit "access_ok()" check before calling
    compat_rw_copy_check_uvector(). The same difference seems to appear when
    we compare fs/read_write.c:do_readv_writev() to
    fs/compat.c:compat_do_readv_writev().
    
    This subtle difference between the compat and non-compat requirements
    should probably be debated, as it seems to be error-prone. In fact,
    there are two others sites that use this function in the Linux kernel,
    and they both seem to get it wrong:
    
    Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
    also ends up calling compat_rw_copy_check_uvector() through
    aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
    be missing. Same situation for
    security/keys/compat.c:compat_keyctl_instantiate_key_iov().
    
    I propose that we add the access_ok() check directly into
    compat_rw_copy_check_uvector(), so callers don't have to worry about it,
    and it therefore makes the compat call code similar to its non-compat
    counterpart. Place the access_ok() check in the same location where
    copy_from_user() can trigger a -EFAULT error in the non-compat code, so
    the ABI behaviors are alike on both compat and non-compat.
    
    While we are here, fix compat_do_readv_writev() so it checks for
    compat_rw_copy_check_uvector() negative return values.
    
    And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
    handling.
    
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        security/keys/compat.c

 fs/compat.c            |   15 +++++++--------
 mm/process_vm_access.c |    8 --------
 security/keys/compat.c |    3 ++-
 3 files changed, 9 insertions(+), 17 deletions(-)

commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 11 18:38:38 2013 -0400

    Fix leak of signal handler addresses across execve, found by Emese Revfy

 kernel/signal.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 79b130c4b11c7940daf2b33d653a17666331c634
Merge: 6480ce9 3c865f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 20:04:03 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 20:03:12 2013 -0400

    Update to pax-linux-3.8.2-test7.patch:
    - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
    - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)

 fs/binfmt_elf.c                   |    3 ++-
 fs/exec.c                         |    3 +++
 include/linux/mm_types.h          |    2 +-
 init/main.c                       |    4 ++--
 mm/mmap.c                         |    2 +-
 mm/page_alloc.c                   |    4 ++--
 tools/gcc/latent_entropy_plugin.c |   11 +++++++----
 7 files changed, 18 insertions(+), 11 deletions(-)

commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
Merge: 4a5305e 25b3569
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 10:41:16 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 25b356980568bed9958315bb5a551fdc610055ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 10:40:48 2013 -0400

    Update to pax-linux-3.8.2-test6.patch:
    - fixed a KERNEXEC false positive on arm reported by Gu1
    - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
    - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
    - added fix from spender for some namespace breakage reported by zakalwe
    - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot

 Documentation/kernel-parameters.txt |    5 +++++
 arch/arm/kernel/patch.c             |    2 ++
 arch/x86/kernel/sys_i386_32.c       |    5 +++--
 drivers/acpi/blacklist.c            |    2 +-
 drivers/video/aty/mach64_cursor.c   |    1 +
 init/main.c                         |    4 ----
 mm/page_alloc.c                     |   27 +++++++++++++++++++++++++++
 net/ipv4/ip_fragment.c              |    2 +-
 security/Kconfig                    |    5 +++++
 tools/gcc/latent_entropy_plugin.c   |    7 +++++--
 10 files changed, 50 insertions(+), 10 deletions(-)

commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 11:19:06 2013 -0500

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
            Stephen Hemminger <stephen@networkplumber.org>
    Subject: [PATCH 1/3] bridge: fix mdb info leaks
    Date: Sat,  9 Mar 2013 16:52:19 +0100
    
    The bridging code discloses heap and stack bytes via the RTM_GETMDB
    netlink interface and via the notify messages send to group RTNLGRP_MDB
    afer a successful add/del.
    
    Fix both cases by initializing all unset members/padding bytes with
    memset(0).
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
    Date: Sat,  9 Mar 2013 16:52:20 +0100
    
    Initialize the mac address buffer with 0 as the driver specific function
    will probably not fill the whole buffer. In fact, all in-kernel drivers
    fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
    bytes. Therefore we currently leak 26 bytes of stack memory to userland
    via the netlink interface.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
    Date: Sat,  9 Mar 2013 16:52:21 +0100
    
    The dcb netlink interface leaks stack memory in various places:
    * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
      copied completely,
    * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
      so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
      for ieee_pfc structs, etc.,
    * the same is true for CEE -- no in-kernel driver fills the whole
      struct,
    
    Prevent all of the above stack info leaks by properly initializing the
    buffers/structures involved.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/bridge/br_mdb.c  |    4 ++++
 net/core/rtnetlink.c |    1 +
 net/dcb/dcbnl.c      |    8 ++++++++
 3 files changed, 13 insertions(+), 0 deletions(-)

commit 601dd446f896e3a362f706943df18a68d50420a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 09:35:25 2013 -0500

    add open/close wrappers in __patch_text() as reported by Gu1 on IRC

 arch/arm/kernel/patch.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ae39966fd85a493e9079b357e3faa62245a41222
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Fri Mar 8 12:43:27 2013 -0800

    Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
    
    ipc: don't allocate a copy larger than max
    
    When MSG_COPY is set, a duplicate message must be allocated for the copy
    before locking the queue.  However, the copy could not be larger than was
    sent which is limited to msg_ctlmax.
    
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msg.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 61240e99650ea3e540a03a3e994349c5086f166b
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Fri Mar 8 12:43:26 2013 -0800

    Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
    
    ipc: fix potential oops when src msg > 4k w/ MSG_COPY
    
    If the src msg is > 4k, then dest->next points to the
    next allocated segment; resetting it just prior to dereferencing
    is bad.
    
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msgutil.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 51727f602a267f34fb2e0dc9557f1714028d51a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 22:14:06 2013 -0500

    add missing 'else' in recent constify fixups

 net/ipv4/ip_fragment.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
Merge: 1580bb3 47c3f47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:18:37 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:17:22 2013 -0500

    Update to pax-linux-3.8.2-test5.patch:
    - fixed some fallout after the last round of constification changes, reported by several people

 arch/arm/common/gic.c                   |    4 ++--
 arch/arm/include/asm/hardware/gic.h     |    3 ++-
 arch/x86/include/asm/nmi.h              |    2 +-
 arch/x86/kernel/nmi.c                   |    2 +-
 arch/x86/pci/irq.c                      |    2 +-
 drivers/base/power/domain.c             |    4 ++--
 drivers/cpufreq/cpufreq_governor.c      |    4 ++--
 drivers/mfd/twl4030-irq.c               |    1 +
 drivers/video/vesafb.c                  |    7 +++++--
 include/linux/irq.h                     |    1 +
 include/linux/pm_domain.h               |    2 +-
 kernel/sched/core.c                     |    4 ++++
 lib/Kconfig.debug                       |    4 ++--
 net/core/sysctl_net_core.c              |    2 +-
 net/decnet/af_decnet.c                  |    1 +
 net/ipv4/devinet.c                      |    2 +-
 net/ipv4/ip_fragment.c                  |    2 +-
 net/ipv4/route.c                        |    2 +-
 net/ipv4/sysctl_net_ipv4.c              |    2 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c |    2 +-
 net/ipv6/reassembly.c                   |    2 +-
 scripts/sortextable.h                   |    6 +++---
 22 files changed, 36 insertions(+), 25 deletions(-)

commit 1580bb38b4db0bf2a46316599815e8b234edad81
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 22:02:59 2013 -0500

    add an additional open/close wrapper

 kernel/sched/core.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 21622672d28d58e0d93a805cd1f9650a894a752a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 21:58:24 2013 -0500

    fix oops at shutdown with new constify code

 kernel/sched/core.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 21:18:44 2013 -0500

    Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
    it currently conflicts with some lock debugging options, so made as an
    option to allow for debugging when necessary

 Makefile          |    2 --
 lib/Kconfig.debug |    6 +++---
 security/Kconfig  |   18 ++++++++++++++++++
 3 files changed, 21 insertions(+), 5 deletions(-)

commit 0885b00b8373a1597b69c38032a0c9eee279303b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:55:19 2013 -0500

    disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify

 lib/Kconfig.debug |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c8a2617165e7127a54f293cbf57d22d50dd83abd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:30:41 2013 -0500

    Fix error:
    drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
    with cast and proper kernexec accessors

 drivers/video/vesafb.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:20:28 2013 -0500

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:12:17 2013 -0500

    fix compilation error -- no reason for task_pid_nr to not take a const task ptr

 include/linux/sched.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
Author: Kees Cook <keescook@chromium.org>
Date:   Mon Feb 25 21:32:25 2013 +0000

    Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
    
    proc connector: reject unprivileged listener bumps
    
    While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
    for an unprivileged user to turn off notifications for all listeners by
    sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
    required for a multicast bind.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Evgeniy Polyakov <zbr@ioremap.net>
    Cc: Matt Helsley <matthltc@us.ibm.com>
    Cc: stable@vger.kernel.org
    Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
    Acked-by: Matt Helsley <matthltc@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/connector/cn_proc.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit ac6014ded57101e3e608941555ff507e20c1ece3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Feb 26 19:15:02 2013 +0000

    Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
    
    irda: small read beyond end of array in debug code
    
    charset comes from skb->data.  It's a number in the 0-255 range.
    If we have debugging turned on then this could cause a read beyond
    the end of the array.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/iriap.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Wed Feb 27 10:57:31 2013 +0000

    Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
    
    net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
    
    Building sctp may fail with:
    
    In function ‘copy_from_user’,
        inlined from ‘sctp_getsockopt_assoc_stats’ at
        net/sctp/socket.c:5656:20:
    arch/x86/include/asm/uaccess_32.h:211:26: error: call to
        ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
        buffer size is not provably correct
    
    if built with W=1 due to a missing parameter size validation
    before the call to copy_from_user.
    
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Fri Mar 1 05:02:02 2013 +0000

    Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
    
    l2tp: Restore socket refcount when sendmsg succeeds
    
    The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
    reference counter after successful transmissions. Any successful
    sendmsg() call from userspace will then increase the reference counter
    forever, thus preventing the kernel's session and tunnel data from
    being freed later on.
    
    The problem only happens when writing directly on L2TP sockets.
    PPP sockets attached to L2TP are unaffected as the PPP subsystem
    uses pppol2tp_xmit() which symmetrically increase/decrease reference
    counters.
    
    This patch adds the missing call to sock_put() before returning from
    pppol2tp_sendmsg().
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:18:11 2013 +0000

    Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
    
    rds: limit the size allocated by rds_message_alloc()
    
    Dave Jones reported the following bug:
    
    "When fed mangled socket data, rds will trust what userspace gives it,
    and tries to allocate enormous amounts of memory larger than what
    kmalloc can satisfy."
    
    WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
    Hardware name: GA-MA78GM-S2H
    Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
    Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
    Call Trace:
     [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
     [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
     [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
     [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
     [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
     [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
     [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
     [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
     [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
     [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
     [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
     [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
     [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
     [<ffffffff81567f30>] sys_sendto+0x130/0x180
     [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
     [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
     [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
     [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
     [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
     [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
    ---[ end trace eed6ae990d018c8b ]---
    
    Reported-by: Dave Jones <davej@redhat.com>
    Cc: Dave Jones <davej@redhat.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/message.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:28:27 2013 +0000

    Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
    
    sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
    
    Don't definite its own MAX_KMALLOC_SIZE, use the one
    defined in mm.
    
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Cc: Sridhar Samudrala <sri@us.ibm.com>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/ssnmap.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit 4295a024e812f903fc580c81de5e81cc149503fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:57:49 2013 -0500

    Upstream commit: https://lkml.org/lkml/2013/3/6/535

 security/keys/process_keys.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 33edd486a9899a145a15586d7134636b0300aaee
Merge: 4eeeaf3 a2a2094
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:53:00 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/include/asm/domain.h

commit a2a20947f5e1332e474160a39af520738b3c8c19
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:51:04 2013 -0500

    Update to pax-linux-3.8.2-test4.patch:
     fixed arm compilation problems reported by Michael Tremer
    - the constify plugin got smarter that enabled, with some additional patching,
      the elimination of about half the static function pointers on amd64/allmod
      (up from about 18%), depending on the kernel config it can be even more (70%)

 Documentation/dontdiff                        |    2 +
 arch/arm/include/asm/domain.h                 |    1 +
 arch/x86/include/asm/i8259.h                  |    2 +-
 arch/x86/include/asm/nmi.h                    |    4 +-
 arch/x86/kernel/acpi/boot.c                   |    4 +-
 arch/x86/kernel/apic/apic_noop.c              |    2 +-
 arch/x86/kernel/apic/es7000_32.c              |    2 +-
 arch/x86/kernel/apic/io_apic.c                |   10 +-
 arch/x86/kernel/cpu/mcheck/mce.c              |    2 +-
 arch/x86/kernel/cpu/perf_event.c              |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h |    2 +-
 arch/x86/kernel/i8259.c                       |    6 +-
 arch/x86/kernel/io_delay.c                    |    2 +-
 arch/x86/kernel/nmi.c                         |    6 +-
 arch/x86/kernel/nmi_selftest.c                |    4 +-
 arch/x86/kernel/pci-swiotlb.c                 |    2 +-
 arch/x86/oprofile/nmi_int.c                   |    8 +-
 arch/x86/oprofile/op_model_amd.c              |    8 +-
 arch/x86/oprofile/op_model_ppro.c             |    7 +-
 arch/x86/oprofile/op_x86_model.h              |    2 +-
 arch/x86/pci/irq.c                            |    6 +-
 drivers/acpi/apei/apei-internal.h             |    2 +-
 drivers/acpi/bgrt.c                           |    6 +-
 drivers/acpi/blacklist.c                      |    2 +-
 drivers/acpi/processor_idle.c                 |    2 +-
 drivers/acpi/sysfs.c                          |    4 +-
 drivers/base/bus.c                            |    4 +-
 drivers/base/node.c                           |    2 +-
 drivers/base/syscore.c                        |    4 +-
 drivers/block/drbd/drbd_receiver.c            |    4 +-
 drivers/char/random.c                         |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                |   20 ++-
 drivers/cpufreq/cpufreq.c                     |    7 +-
 drivers/cpufreq/cpufreq_governor.c            |    4 +-
 drivers/cpufreq/cpufreq_governor.h            |    2 +-
 drivers/cpufreq/p4-clockmod.c                 |   12 +-
 drivers/cpufreq/speedstep-centrino.c          |    7 +-
 drivers/cpuidle/cpuidle.c                     |    2 +-
 drivers/cpuidle/governor.c                    |    4 +-
 drivers/cpuidle/sysfs.c                       |    2 +-
 drivers/devfreq/devfreq.c                     |    4 +-
 drivers/edac/edac_mc_sysfs.c                  |    2 +-
 drivers/edac/edac_pci_sysfs.c                 |    2 +-
 drivers/firewire/core-device.c                |    2 +-
 drivers/firmware/dmi-id.c                     |    2 +-
 drivers/firmware/efivars.c                    |    2 +-
 drivers/firmware/google/memconsole.c          |    4 +-
 drivers/gpio/gpio-ich.c                       |    2 +-
 drivers/gpu/drm/drm_drv.c                     |    2 +-
 drivers/gpu/drm/drm_ioc32.c                   |    9 +-
 drivers/gpu/drm/i915/i915_ioc32.c             |   11 +-
 drivers/gpu/drm/i915/intel_display.c          |   26 ++-
 drivers/gpu/drm/mga/mga_ioc32.c               |   11 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c       |    2 +-
 drivers/gpu/drm/r128/r128_ioc32.c             |   11 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c         |   11 +-
 drivers/gpu/drm/radeon/radeon_ttm.c           |   33 ++--
 drivers/gpu/drm/udl/udl_fb.c                  |    1 -
 drivers/hwmon/acpi_power_meter.c              |    4 +-
 drivers/hwmon/applesmc.c                      |    2 +-
 drivers/hwmon/asus_atk0110.c                  |   10 +-
 drivers/hwmon/ibmaem.c                        |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c              |    2 +-
 drivers/iio/industrialio-core.c               |    2 +-
 drivers/input/mouse/psmouse.h                 |    2 +-
 drivers/iommu/iommu.c                         |    2 +-
 drivers/leds/leds-clevo-mail.c                |    2 +-
 drivers/leds/leds-ss4200.c                    |    2 +-
 drivers/media/v4l2-core/v4l2-ioctl.c          |    5 +-
 drivers/mfd/twl4030-irq.c                     |    8 +-
 drivers/mfd/twl6030-irq.c                     |   10 +-
 drivers/misc/c2port/core.c                    |    4 +-
 drivers/mtd/sm_ftl.c                          |    2 +-
 drivers/net/bonding/bond_main.c               |    2 +-
 drivers/net/macvlan.c                         |   16 +-
 drivers/net/vxlan.c                           |    2 +-
 drivers/pci/hotplug/acpiphp_ibm.c             |    4 +-
 drivers/pci/hotplug/pci_hotplug_core.c        |    6 +-
 drivers/pci/hotplug/pciehp_core.c             |    2 +-
 drivers/pci/pci-sysfs.c                       |    6 +-
 drivers/pci/pci.h                             |    2 +-
 drivers/platform/x86/msi-laptop.c             |   14 +-
 drivers/platform/x86/sony-laptop.c            |    2 +-
 drivers/power/power_supply.h                  |    4 +-
 drivers/power/power_supply_core.c             |    6 +-
 drivers/power/power_supply_sysfs.c            |    6 +-
 drivers/rtc/rtc-cmos.c                        |    4 +-
 drivers/rtc/rtc-ds1307.c                      |    2 +-
 drivers/rtc/rtc-m48t59.c                      |    4 +-
 drivers/scsi/bfa/bfa.h                        |    2 +-
 drivers/staging/iio/iio_hwmon.c               |    2 +-
 drivers/usb/storage/usb.h                     |    2 +-
 drivers/video/aty/atyfb_base.c                |    8 +-
 drivers/video/aty/mach64_cursor.c             |    4 +-
 drivers/video/backlight/kb3886_bl.c           |    2 +-
 drivers/video/fb_defio.c                      |    6 +-
 drivers/video/mb862xx/mb862xxfb_accel.c       |   16 +-
 drivers/video/nvidia/nvidia.c                 |   27 ++-
 drivers/video/s1d13xxxfb.c                    |    6 +-
 drivers/video/smscufx.c                       |    4 +-
 drivers/video/udlfb.c                         |    4 +-
 drivers/video/uvesafb.c                       |   14 +-
 fs/exec.c                                     |    6 +-
 fs/ext4/super.c                               |    2 +-
 fs/jfs/super.c                                |    4 +-
 fs/nfs/callback_xdr.c                         |    2 +-
 fs/nfsd/nfs4proc.c                            |    2 +-
 fs/nfsd/nfs4xdr.c                             |    6 +-
 fs/nls/nls_base.c                             |   18 +-
 fs/nls/nls_euc-jp.c                           |    6 +-
 fs/nls/nls_koi8-ru.c                          |    6 +-
 fs/proc/proc_sysctl.c                         |   18 +-
 include/drm/drmP.h                            |   12 +-
 include/keys/asymmetric-subtype.h             |    2 +-
 include/linux/atmdev.h                        |    2 +-
 include/linux/binfmts.h                       |    2 +-
 include/linux/configfs.h                      |    2 +-
 include/linux/cpufreq.h                       |    3 +-
 include/linux/cpuidle.h                       |    5 +-
 include/linux/devfreq.h                       |    2 +-
 include/linux/device.h                        |    7 +-
 include/linux/extcon.h                        |    2 +-
 include/linux/fb.h                            |    2 +-
 include/linux/fscache.h                       |    2 +-
 include/linux/genl_magic_func.h               |    2 +-
 include/linux/hwmon-sysfs.h                   |    5 +-
 include/linux/iommu.h                         |    2 +-
 include/linux/irq.h                           |    2 +-
 include/linux/key-type.h                      |    2 +-
 include/linux/kobject.h                       |    1 +
 include/linux/kobject_ns.h                    |    2 +-
 include/linux/list.h                          |   14 +-
 include/linux/mod_devicetable.h               |    2 +-
 include/linux/module.h                        |    5 +-
 include/linux/net.h                           |    2 +-
 include/linux/netfilter.h                     |    2 +-
 include/linux/nls.h                           |    2 +-
 include/linux/pci_hotplug.h                   |    3 +-
 include/linux/platform_data/usb-exynos.h      |    2 +-
 include/linux/pnp.h                           |    2 +-
 include/linux/ppp-comp.h                      |    2 +-
 include/linux/rculist.h                       |   16 ++
 include/linux/sched.h                         |    2 +-
 include/linux/sock_diag.h                     |    2 +-
 include/linux/sunrpc/clnt.h                   |    2 +-
 include/linux/sunrpc/svc.h                    |    2 +-
 include/linux/sunrpc/svcauth.h                |    2 +-
 include/linux/swiotlb.h                       |    3 +-
 include/linux/syscore_ops.h                   |    2 +-
 include/linux/sysctl.h                        |    6 +-
 include/linux/sysfs.h                         |   10 +-
 include/linux/sysrq.h                         |    1 +
 include/linux/xattr.h                         |    2 +-
 include/net/9p/transport.h                    |    2 +-
 include/net/bluetooth/l2cap.h                 |    2 +-
 include/net/genetlink.h                       |    2 +-
 include/net/ip.h                              |    2 +-
 include/net/ip_vs.h                           |    4 +-
 include/net/llc_c_ac.h                        |    2 +-
 include/net/llc_c_ev.h                        |    4 +-
 include/net/llc_c_st.h                        |    2 +-
 include/net/llc_s_ac.h                        |    2 +-
 include/net/llc_s_st.h                        |    2 +-
 include/net/mac80211.h                        |    2 +-
 include/net/net_namespace.h                   |    2 +-
 include/net/netns/conntrack.h                 |    6 +-
 include/net/rtnetlink.h                       |    2 +-
 include/net/sctp/sm.h                         |    4 +-
 include/net/sctp/structs.h                    |    2 +-
 include/net/xfrm.h                            |    4 +-
 ipc/ipc_sysctl.c                              |   10 +-
 ipc/mq_sysctl.c                               |    2 +-
 kernel/kmod.c                                 |    2 +-
 kernel/ksysfs.c                               |    2 +-
 kernel/module.c                               |    4 +-
 kernel/pid_namespace.c                        |    2 +-
 kernel/rcutree_plugin.h                       |    2 +-
 kernel/sched/core.c                           |   39 ++--
 kernel/smpboot.c                              |    4 +-
 kernel/softirq.c                              |    2 +-
 kernel/sysctl.c                               |    2 +-
 kernel/utsname_sysctl.c                       |    2 +-
 kernel/watchdog.c                             |    2 +-
 lib/Kconfig.debug                             |    2 +-
 lib/kobject.c                                 |    4 +-
 lib/list_debug.c                              |   57 ++++-
 lib/swiotlb.c                                 |    2 +-
 mm/hugetlb.c                                  |   16 +-
 mm/memory-failure.c                           |    2 +-
 mm/slab_common.c                              |    2 +-
 net/9p/mod.c                                  |    4 +-
 net/ax25/sysctl_net_ax25.c                    |    2 +-
 net/core/neighbour.c                          |    2 +-
 net/core/net-sysfs.c                          |    2 +-
 net/core/net_namespace.c                      |    8 +-
 net/core/rtnetlink.c                          |   11 +-
 net/core/sock_diag.c                          |    9 +-
 net/core/sysctl_net_core.c                    |   15 +-
 net/ipv4/af_inet.c                            |    8 +-
 net/ipv4/devinet.c                            |   12 +-
 net/ipv4/inet_connection_sock.c               |    2 +-
 net/ipv4/ip_fragment.c                        |    9 +-
 net/ipv4/ip_gre.c                             |    6 +-
 net/ipv4/ip_vti.c                             |    4 +-
 net/ipv4/ipip.c                               |    4 +-
 net/ipv4/route.c                              |   14 +-
 net/ipv4/sysctl_net_ipv4.c                    |   43 ++--
 net/ipv6/addrconf.c                           |    4 +-
 net/ipv6/icmp.c                               |    2 +-
 net/ipv6/ip6_gre.c                            |    6 +-
 net/ipv6/ip6_tunnel.c                         |    4 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c       |   12 +-
 net/ipv6/reassembly.c                         |   11 +-
 net/ipv6/route.c                              |    2 +-
 net/ipv6/sit.c                                |    4 +-
 net/ipv6/sysctl_net_ipv6.c                    |    2 +-
 net/netfilter/ipset/ip_set_core.c             |    2 +-
 net/netfilter/ipvs/ip_vs_ctl.c                |    4 +-
 net/netfilter/ipvs/ip_vs_lblc.c               |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c              |    2 +-
 net/netfilter/nf_conntrack_acct.c             |    2 +-
 net/netfilter/nf_conntrack_ecache.c           |    2 +-
 net/netfilter/nf_conntrack_helper.c           |    2 +-
 net/netfilter/nf_conntrack_proto.c            |    2 +-
 net/netfilter/nf_conntrack_standalone.c       |    2 +-
 net/netfilter/nf_conntrack_timestamp.c        |    2 +-
 net/netfilter/nf_log.c                        |   10 +-
 net/netfilter/nf_sockopt.c                    |    4 +-
 net/netlink/genetlink.c                       |   16 +-
 net/phonet/sysctl.c                           |    2 +-
 net/rds/rds.h                                 |    2 +-
 net/sctp/ipv6.c                               |    6 +-
 net/sctp/protocol.c                           |   10 +-
 net/sctp/sm_sideeffect.c                      |    2 +-
 net/sctp/sysctl.c                             |    4 +-
 net/sunrpc/clnt.c                             |    4 +-
 net/sunrpc/svc.c                              |    4 +-
 net/unix/sysctl_net_unix.c                    |    2 +-
 net/xfrm/xfrm_policy.c                        |   11 +-
 net/xfrm/xfrm_state.c                         |   29 ++-
 net/xfrm/xfrm_sysctl.c                        |    2 +-
 security/apparmor/lsm.c                       |    2 +-
 security/keys/key.c                           |   18 +-
 security/yama/yama_lsm.c                      |   22 +-
 tools/gcc/Makefile                            |    4 +-
 tools/gcc/constify_plugin.c                   |  299 +++++++++++++++++++------
 tools/gcc/size_overflow_plugin.c              |    7 +-
 248 files changed, 994 insertions(+), 668 deletions(-)

commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:58:21 2013 -0500

    Make slab_state __read_only, it's only written to during init

 mm/slab_common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:31:35 2013 -0500

    Make two new helper functions:
    gr_is_global_root() and gr_is_global_nonroot()

 grsecurity/gracl.c      |   10 +++++-----
 grsecurity/gracl_segv.c |    2 +-
 grsecurity/grsec_link.c |    4 ++--
 grsecurity/grsec_sig.c  |   10 +++++-----
 grsecurity/grsec_tpe.c  |    6 +++---
 include/linux/uidgid.h  |    2 ++
 6 files changed, 18 insertions(+), 16 deletions(-)

commit d45d88eddd4998b280b1e5b5384289ee11ca7088
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:14:41 2013 -0500

    convert remaining task->pid to task_pid_nr(task)

 grsecurity/gracl.c        |   22 +++++++++++-----------
 grsecurity/gracl_shm.c    |    2 +-
 grsecurity/grsec_chroot.c |    4 ++--
 grsecurity/grsec_sig.c    |    4 ++--
 4 files changed, 16 insertions(+), 16 deletions(-)

commit c877f2ece03ee2232dd281c1977ae59507297124
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 5 17:29:54 2013 -0500

    compat-log is only used anymore by vm86-on-64bit and allows unlimited
    spamming of the kernel log buffer (and since it includes the changable
    process name, can avoid syslog log deduplication)
    Turn it off by default

 fs/compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7c1964c4b7276889d7967bee70e46918cdca1b14
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 4 17:19:10 2013 -0500

    fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
    is enabled, introduced with recent userns support

 init/main.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 18:46:12 2013 -0500

    Prevent TOMOYO from auto-loading modules by unprivileged users
    (Only reachable if TOMOYO is actually used)

 security/tomoyo/mount.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 79e142f9455b398759ff9d93d4963a21b98dddda
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 18:28:45 2013 -0500

    For now, don't permit any special access to /proc in a user namespace
    Later we can go back and allow a userns-uid0 special access to a /proc
    with a non-global pid namespace

 fs/proc/base.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8b91fb393049ce5f3c0a86f62247409853fd9700
Merge: d931eb8 603ef05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:42:09 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:41:31 2013 -0500

    Fix compilation error on ARM reported by Michael Tremer

 arch/arm/mach-omap2/wd_timer.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b4c9ce81fdd7839a150c97873c710c479e788280
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:39:53 2013 -0500

    Fix compilation error on ARM reported by Michael Tremer

 arch/arm/kernel/armksyms.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d931eb81ab3da46896268fd61373a6aa7bbea930
Merge: bfa7f44 5948f93
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:34:36 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
Merge: ab30472 19b00d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:34:08 2013 -0500

    Merge branch 'linux-3.8.y' into pax-test

commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 15:12:12 2013 -0500

    Initial support for user namespaces, as we previously didn't allow
    the option to be enabled at all.
    
    RBAC will act on the global uids/gids only, so all uids/gids in user
    namespaces will be converted
    
    Because Eric Biederman is insulted that I didn't support his
    backdoor prior to it receiving proper review.  I still have the CAP_SYS_ADMIN
    check in for user namespaces, so this is generally irrelevant.

 fs/exec.c                   |    6 +-
 fs/proc/base.c              |    2 +-
 fs/proc/proc_net.c          |    4 +-
 grsecurity/gracl.c          |  128 +++++++++++++++++++++++++++++-------------
 grsecurity/gracl_cap.c      |    4 +-
 grsecurity/gracl_ip.c       |   16 +++---
 grsecurity/gracl_segv.c     |   12 +++-
 grsecurity/gracl_shm.c      |    4 +-
 grsecurity/grsec_disabled.c |   10 ++--
 grsecurity/grsec_fifo.c     |    6 +-
 grsecurity/grsec_init.c     |   24 ++++----
 grsecurity/grsec_log.c      |    3 -
 grsecurity/grsec_tpe.c      |    6 +-
 include/linux/grinternal.h  |   12 ++--
 include/linux/grsecurity.h  |   12 ++--
 include/linux/uidgid.h      |    3 +
 init/Kconfig                |    2 -
 ipc/shm.c                   |    2 +-
 kernel/cred.c               |    5 +-
 kernel/kallsyms.c           |    2 +-
 kernel/kmod.c               |    6 +-
 kernel/sys.c                |   12 ++--
 22 files changed, 166 insertions(+), 115 deletions(-)

commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Feb 27 08:36:04 2013 -0800

    Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
    
    mm: do not grow the stack vma just because of an overrun on preceding vma
    
    The stack vma is designed to grow automatically (marked with VM_GROWSUP
    or VM_GROWSDOWN depending on architecture) when an access is made beyond
    the existing boundary.  However, particularly if you have not limited
    your stack at all ("ulimit -s unlimited"), this can cause the stack to
    grow even if the access was really just one past *another* segment.
    
    And that's wrong, especially since we first grow the segment, but then
    immediately later enforce the stack guard page on the last page of the
    segment.  So _despite_ first growing the stack segment as a result of
    the access, the kernel will then make the access cause a SIGSEGV anyway!
    
    So do the same logic as the guard page check does, and consider an
    access to within one page of the next segment to be a bad access, rather
    than growing the stack to abut the next segment.
    
    Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c |   27 +++++++++++++++++++++++++++
 1 files changed, 27 insertions(+), 0 deletions(-)

commit 5596211af754867ca825f58e6e0300a8439950fe
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Wed Feb 27 12:46:40 2013 -0800

    Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
    
    x86: Make sure we can boot in the case the BDA contains pure garbage
    
    On non-BIOS platforms it is possible that the BIOS data area contains
    garbage instead of being zeroed or something equivalent (firmware
    people: we are talking of 1.5K here, so please do the sane thing.)
    
    We need on the order of 20-30K of low memory in order to boot, which
    may grow up to < 64K in the future.  We probably want to avoid the
    lowest of the low memory.  At the same time, it seems extremely
    unlikely that a legitimate EBDA would ever reach down to the 128K
    (which would require it to be over half a megabyte in size.)  Thus,
    pick 128K as the cutoff for "this is insane, ignore."  We may still
    end up reserving a bunch of extra memory on the low megabyte, but that
    is not really a major issue these days.  In the worst case we lose
    512K of RAM.
    
    This code really should be merged with trim_bios_range() in
    arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
    window.
    
    Reported-by: Darren Hart <dvhart@linux.intel.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: Matt Fleming <matt.fleming@intel.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org

 arch/x86/kernel/head.c |   53 ++++++++++++++++++++++++++++++-----------------
 1 files changed, 34 insertions(+), 19 deletions(-)

commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Feb 27 17:05:46 2013 -0800

    Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
    
    memstick: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to found this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Maxim Levitsky <maximlevitsky@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/memstick/host/r592.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Feb 27 17:05:21 2013 -0800

    Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
    
    sysctl: fix null checking in bin_dn_node_address()
    
    The null check of `strchr() + 1' is broken, which is always non-null,
    leading to OOB read.  Instead, check the result of strchr().
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sysctl_binary.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 7ca96db0817416fd40761e7437d1939fc0731380
Author: Tejun Heo <tj@kernel.org>
Date:   Wed Feb 27 17:03:34 2013 -0800

    Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
    
    idr: fix a subtle bug in idr_get_next()
    
    The iteration logic of idr_get_next() is borrowed mostly verbatim from
    idr_for_each().  It walks down the tree looking for the slot matching
    the current ID.  If the matching slot is not found, the ID is
    incremented by the distance of single slot at the given level and
    repeats.
    
    The implementation assumes that during the whole iteration id is aligned
    to the layer boundaries of the level closest to the leaf, which is true
    for all iterations starting from zero or an existing element and thus is
    fine for idr_for_each().
    
    However, idr_get_next() may be given any point and if the starting id
    hits in the middle of a non-existent layer, increment to the next layer
    will end up skipping the same offset into it.  For example, an IDR with
    IDs filled between [64, 127] would look like the following.
    
              [  0  64 ... ]
           /----/   |
           |        |
          NULL    [ 64 ... 127 ]
    
    If idr_get_next() is called with 63 as the starting point, it will try
    to follow down the pointer from 0.  As it is NULL, it will then try to
    proceed to the next slot in the same level by adding the slot distance
    at that level which is 64 - making the next try 127.  It goes around the
    loop and finds and returns 127 skipping [64, 126].
    
    Note that this bug also triggers in idr_for_each_entry() loop which
    deletes during iteration as deletions can make layers go away leaving
    the iteration with unaligned ID into missing layers.
    
    Fix it by ensuring proceeding to the next slot doesn't carry over the
    unaligned offset - ie.  use round_up(id + 1, slot_distance) instead of
    id += slot_distance.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: David Teigland <teigland@redhat.com>
    Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/idr.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 745362f28034f54242ba2e64eaa7374ab9869613
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 1 20:31:42 2013 -0500

    Fix dentry use-after-free after failed complete_walk() with RBAC enabled
    Many thanks to zakalwe from #grsecurity for the report and debugging help

 fs/namei.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit b53b3b14330920c6f7cfb74c8508a3026e1be620
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 18:29:26 2013 -0500

    Fix bad git merge

 fs/namespace.c |    8 --------
 1 files changed, 0 insertions(+), 8 deletions(-)

commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
Merge: 1cce1dd ab30472
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 17:45:14 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        net/core/sock_diag.c

commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
Merge: 4b61d21 4c91a0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 17:43:56 2013 -0500

    Merge branch 'linux-3.8.y' into pax-test

commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 22:20:22 2013 -0500

    add compiler.h to sysrq.h to fix compilation problem reported by micu on forums

 include/linux/sysrq.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 17:52:31 2013 -0500

    declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel

 kernel/printk.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 17:23:46 2013 -0500

    Fix upstream vulnerability from addition of a /dev/kmsg device
    while neglecting to add the same set of existing permission checks
    from do_syslog.  This bit both dmesg_restrict and GRKERNSEC_DMESG.
    A temporary workaround without this patch would be to
    chmod 0600 /dev/kmsg (and is likely a good idea anyway).
    
    Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
    Initially reported to Redhat bugzilla by Christian Kujau:
    https://bugzilla.redhat.com/show_bug.cgi?id=903192

 kernel/printk.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 66c04806f5660988c3cb4855e60de294e77e3d0e
Author: David Howells <dhowells@redhat.com>
Date:   Thu Feb 21 12:00:25 2013 +0000

    Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
    
    KEYS: Revert one application of "Fix unreachable code" patch
    
    A patch to fix some unreachable code in search_my_process_keyrings() got
    applied twice by two different routes upstream as commits e67eab39bee2
    and b010520ab3d2 (both "fix unreachable code").
    
    Unfortunately, the second application removed something it shouldn't
    have and this wasn't detected by GIT.  This is due to the patch not
    having sufficient lines of context to distinguish the two places of
    application.
    
    The effect of this is relatively minor: inside the kernel, the keyring
    search routines may search multiple keyrings and then prioritise the
    errors if no keys or negative keys are found in any of them.  With the
    extra deletion, the presence of a negative key in the thread keyring
    (causing ENOKEY) is incorrectly overridden by an error searching the
    process keyring.
    
    So revert the second application of the patch.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Cc: Jiri Kosina <jkosina@suse.cz>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 security/keys/process_keys.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Thu Feb 21 16:42:43 2013 -0800

    Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
    
    configfs: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to found this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/configfs/dir.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
Author: Nicolas Pitre <nicolas.pitre@linaro.org>
Date:   Sun Feb 24 20:06:09 2013 -0500

    Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
    
    tty vt: fix character insertion overflow
    
    Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
    command line edition") broke insert_char() in multiple ways.  Then
    commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
    partially fixed it.  However, the buffer being moved is still too large
    and overflowing beyond the end of the current line, corrupting existing
    characters on the next line.
    
    Example test case:
    
    echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
    
    Expected result:
    
    ab c
    de
    
    Current result:
    
    ab c
     e
    
    Needless to say that this is very annoying when inserting words in the
    middle of paragraphs with certain text editors.
    
    Signed-off-by: Nicolas Pitre <nico@linaro.org>
    Cc: Jean-François Moine <moinejf@free.fr>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/tty/vt/vt.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6cda35071669b4aabde081bd039e0ffea36f997a
Author: Robin Holt <holt@sgi.com>
Date:   Fri Feb 22 16:35:34 2013 -0800

    Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
    
    mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
    
    There is a race condition between mmu_notifier_unregister() and
    __mmu_notifier_release().
    
    Assume two tasks, one calling mmu_notifier_unregister() as a result of a
    filp_close() ->flush() callout (task A), and the other calling
    mmu_notifier_release() from an mmput() (task B).
    
                    A                               B
    t1                                              srcu_read_lock()
    t2              if (!hlist_unhashed())
    t3                                              srcu_read_unlock()
    t4              srcu_read_lock()
    t5                                              hlist_del_init_rcu()
    t6                                              synchronize_srcu()
    t7              srcu_read_unlock()
    t8              hlist_del_rcu()  <--- NULL pointer deref.
    
    Additionally, the list traversal in __mmu_notifier_release() is not
    protected by the by the mmu_notifier_mm->hlist_lock which can result in
    callouts to the ->release() notifier from both mmu_notifier_unregister()
    and __mmu_notifier_release().
    
    -stable suggestions:
    
    The stable trees prior to 3.7.y need commits 21a92735f660 and
    70400303ce0c cherry-picked in that order prior to cherry-picking this
    commit.  The 3.7.y tree already has those two commits.
    
    Signed-off-by: Robin Holt <holt@sgi.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
    Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
    Cc: Avi Kivity <avi@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Marcelo Tosatti <mtosatti@redhat.com>
    Cc: Sagi Grimberg <sagig@mellanox.co.il>
    Cc: Haggai Eran <haggaie@mellanox.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmu_notifier.c |   82 +++++++++++++++++++++++++++--------------------------
 1 files changed, 42 insertions(+), 40 deletions(-)

commit bf5167ed78ba6131c6874887f714bda50c2cab83
Author: Mike Galbraith <bitbucket@online.de>
Date:   Mon Jan 28 12:19:25 2013 +0100

    Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
    
    sched: Fix select_idle_sibling() bouncing cow syndrome
    
    If the previous CPU is cache affine and idle, select it.
    
    The current implementation simply traverses the sd_llc domain,
    taking the first idle CPU encountered, which walks buddy pairs
    hand in hand over the package, inflicting excruciating pain.
    
    1 tbench pair (worst case) in a 10 core + SMT package:
    
      pre   15.22 MB/sec 1 procs
      post 252.01 MB/sec 1 procs
    
    Signed-off-by: Mike Galbraith <bitbucket@online.de>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 kernel/sched/fair.c |   21 +++++++--------------
 1 files changed, 7 insertions(+), 14 deletions(-)

commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri Dec 28 18:58:39 2012 -0800

    Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
    
    userns: Avoid recursion in put_user_ns
    
    When freeing a deeply nested user namespace free_user_ns calls
    put_user_ns on it's parent which may in turn call free_user_ns again.
    When -fno-optimize-sibling-calls is passed to gcc one stack frame per
    user namespace is left on the stack, potentially overflowing the
    kernel stack.  CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
    so we can't count on gcc to optimize this code.
    
    Remove struct kref and use a plain atomic_t.  Making the code more
    flexible and easier to comprehend.  Make the loop in free_user_ns
    explict to guarantee that the stack does not overflow with
    CONFIG_FRAME_POINTER enabled.
    
    I have tested this fix with a simple program that uses unshare to
    create a deeply nested user namespace structure and then calls exit.
    With 1000 nesteuser namespaces before this change running my test
    program causes the kernel to die a horrible death.  With 10,000,000
    nested user namespaces after this change my test program runs to
    completion and causes no harm.
    
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 include/linux/user_namespace.h |   10 +++++-----
 kernel/user.c                  |    4 +---
 kernel/user_namespace.c        |   17 +++++++++--------
 3 files changed, 15 insertions(+), 16 deletions(-)

commit 81501c7106ccc186c94806f4db954626295b5ebe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 26 17:12:30 2013 -0500

    Pass the same flags to kern_path_create as the original function

 fs/namei.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a677c8eee35afe48868f92c7d6745bfe809cd481
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Feb 22 22:45:42 2013 -0500

    Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
    
    get rid of unprotected dereferencing of mnt->mnt_ns
    
    It's safe only under namespace_sem or vfsmount_lock; all places
    in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
    current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
    there).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namespace.c |   29 +++++++++++++++++------------
 1 files changed, 17 insertions(+), 12 deletions(-)

commit 89298124d0c96dc34a60377e7a1308f8f532ff75
Author: Greg Thelen <gthelen@google.com>
Date:   Fri Feb 22 16:36:01 2013 -0800

    Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
    
    tmpfs: fix use-after-free of mempolicy object
    
    The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
    option is not specified in the remount request.  A new policy can be
    specified if mpol=M is given.
    
    Before this patch remounting an mpol bound tmpfs without specifying
    mpol= mount option in the remount request would set the filesystem's
    mempolicy object to a freed mempolicy object.
    
    To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
        # mkdir /tmp/x
    
        # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
    
        # mount -o remount,size=200M nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
            # note ? garbage in mpol=... output above
    
        # dd if=/dev/zero of=/tmp/x/f count=1
            # panic here
    
    Panic:
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<          (null)>]           (null)
        [...]
        Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
        Call Trace:
          mpol_shared_policy_init+0xa5/0x160
          shmem_get_inode+0x209/0x270
          shmem_mknod+0x3e/0xf0
          shmem_create+0x18/0x20
          vfs_create+0xb5/0x130
          do_last+0x9a1/0xea0
          path_openat+0xb3/0x4d0
          do_filp_open+0x42/0xa0
          do_sys_open+0xfe/0x1e0
          compat_sys_open+0x1b/0x20
          cstar_dispatch+0x7/0x1f
    
    Non-debug kernels will not crash immediately because referencing the
    dangling mpol will not cause a fault.  Instead the filesystem will
    reference a freed mempolicy object, which will cause unpredictable
    behavior.
    
    The problem boils down to a dropped mpol reference below if
    shmem_parse_options() does not allocate a new mpol:
    
        config = *sbinfo
        shmem_parse_options(data, &config, true)
        mpol_put(sbinfo->mpol)
        sbinfo->mpol = config.mpol  /* BUG: saves unreferenced mpol */
    
    This patch avoids the crash by not releasing the mempolicy if
    shmem_parse_options() doesn't create a new mpol.
    
    How far back does this issue go? I see it in both 2.6.36 and 3.3.  I did
    not look back further.
    
    Signed-off-by: Greg Thelen <gthelen@google.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/shmem.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 23 11:08:05 2013 -0500

    Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
    with a family greater or equal then AF_MAX -- the array size of
    sock_diag_handlers[]. The current code does not test for this
    condition therefore is vulnerable to an out-of-bound access opening
    doors for a privilege escalation.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
    make the code less readable. Get rid of them and make the lock usage
    and access to sock_diag_handlers[] clear on the first sight.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/core/sock_diag.c |   27 ++++++++++-----------------
 1 files changed, 10 insertions(+), 17 deletions(-)

commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 23 10:58:52 2013 -0500

    Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined

 arch/arm/include/asm/domain.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7b729586eb81f344fdedf0942fab0acc738a6725
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 22 19:02:51 2013 -0500

    Add back capability check for user namespaces.  They have not seen enough proper review and needlessly exposes additional attack surface for all users.

 kernel/fork.c |   17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

commit fadc560d0c486af88da83177735f5515e88acdcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:06:48 2013 -0500

    put is_hugetlbfs_mnt inside ifdefs

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 8252176922d405484f986eb2cc350b7cd3ae586e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:02:07 2013 -0500

    remove unused label

 kernel/module.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit dad4a980f0b625059e215d13da728aa7fd02a374
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:00:52 2013 -0500

    compile fix

 fs/open.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:57:49 2013 -0500

    remove kmalloc_array_error for the same reasons as kcalloc_error

 include/linux/slab.h |    9 ---------
 1 files changed, 0 insertions(+), 9 deletions(-)

commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:49:35 2013 -0500

    Initial port of grsecurity for Linux 3.8

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |   10 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   14 +-
 arch/arm/include/asm/cache.h                       |    2 +
 arch/arm/include/asm/thread_info.h                 |    9 +-
 arch/arm/kernel/process.c                          |    4 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   27 +-
 arch/arm/mm/mmap.c                                 |    6 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    7 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    3 +-
 arch/ia64/mm/hugetlbpage.c                         |    3 +-
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    3 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   19 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/include/asm/thread_info.h             |    8 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/powerpc/mm/slice.c                            |    8 +-
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    8 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    6 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/Kconfig.debug                             |    2 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |   14 +-
 arch/x86/kernel/sys_x86_64.c                       |    3 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |   16 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |    3 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  126 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 crypto/ablkcipher.c                                |   12 +-
 crypto/aead.c                                      |    9 +-
 crypto/ahash.c                                     |    2 +-
 crypto/blkcipher.c                                 |    6 +-
 crypto/crypto_user.c                               |   38 +-
 crypto/pcompress.c                                 |    3 +-
 crypto/rng.c                                       |    2 +-
 crypto/shash.c                                     |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    5 +
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++--------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    6 +
 fs/btrfs/inode.c                                   |   10 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   18 +
 fs/coredump.c                                      |   10 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  155 +-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    5 +
 fs/fs_struct.c                                     |   26 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  269 ++-
 fs/namespace.c                                     |   24 +
 fs/open.c                                          |   38 +
 fs/pipe.c                                          |    2 +-
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 +-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |   17 +
 fs/proc/internal.h                                 |    3 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 grsecurity/Kconfig                                 | 1021 +++++
 grsecurity/Makefile                                |   38 +
 grsecurity/gracl.c                                 | 4017 ++++++++++++++++++++
 grsecurity/gracl_alloc.c                           |  105 +
 grsecurity/gracl_cap.c                             |  110 +
 grsecurity/gracl_fs.c                              |  431 +++
 grsecurity/gracl_ip.c                              |  384 ++
 grsecurity/gracl_learn.c                           |  207 +
 grsecurity/gracl_res.c                             |   68 +
 grsecurity/gracl_segv.c                            |  299 ++
 grsecurity/gracl_shm.c                             |   40 +
 grsecurity/grsec_chdir.c                           |   19 +
 grsecurity/grsec_chroot.c                          |  357 ++
 grsecurity/grsec_disabled.c                        |  434 +++
 grsecurity/grsec_exec.c                            |  174 +
 grsecurity/grsec_fifo.c                            |   24 +
 grsecurity/grsec_fork.c                            |   23 +
 grsecurity/grsec_init.c                            |  283 ++
 grsecurity/grsec_link.c                            |   58 +
 grsecurity/grsec_log.c                             |  329 ++
 grsecurity/grsec_mem.c                             |   40 +
 grsecurity/grsec_mount.c                           |   62 +
 grsecurity/grsec_pax.c                             |   36 +
 grsecurity/grsec_ptrace.c                          |   30 +
 grsecurity/grsec_sig.c                             |  222 ++
 grsecurity/grsec_sock.c                            |  244 ++
 grsecurity/grsec_sysctl.c                          |  469 +++
 grsecurity/grsec_time.c                            |   16 +
 grsecurity/grsec_tpe.c                             |   73 +
 grsecurity/grsum.c                                 |   61 +
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/gracl.h                              |  319 ++
 include/linux/gralloc.h                            |    9 +
 include/linux/grdefs.h                             |  140 +
 include/linux/grinternal.h                         |  215 ++
 include/linux/grmsg.h                              |  111 +
 include/linux/grsecurity.h                         |  257 ++
 include/linux/grsock.h                             |   19 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/netfilter/xt_gradm.h                 |    9 +
 include/linux/printk.h                             |    3 +-
 include/linux/proc_fs.h                            |   12 +
 include/linux/sched.h                              |   66 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/vermagic.h                           |    9 +-
 include/trace/events/fs.h                          |   53 +
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    5 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  109 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   24 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   71 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   80 +-
 kernel/panic.c                                     |    4 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    8 +
 kernel/printk.c                                    |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   38 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    3 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 lib/vsprintf.c                                     |   35 +-
 localversion-grsec                                 |    1 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   62 +-
 mm/mprotect.c                                      |    8 +
 mm/page_alloc.c                                    |    6 +
 mm/process_vm_access.c                             |    6 +
 mm/shmem.c                                         |    2 +-
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev.c                                     |    9 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    7 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netfilter/xt_gradm.c                           |   51 +
 net/netrom/af_netrom.c                             |    2 +-
 net/phonet/af_phonet.c                             |    4 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   62 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   19 +
 security/Kconfig                                   |  320 ++-
 security/apparmor/lsm.c                            |    2 +-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/yama/Kconfig                              |    2 +-
 tools/gcc/Makefile                                 |    2 +-
 286 files changed, 15083 insertions(+), 2067 deletions(-)

commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 21:00:42 2013 -0500

    Initial import of pax-linux-3.8-test3.patch

 Documentation/dontdiff                           |   43 +-
 Documentation/kernel-parameters.txt              |    7 +
 Makefile                                         |   97 +-
 arch/alpha/include/asm/atomic.h                  |   10 +
 arch/alpha/include/asm/elf.h                     |    7 +
 arch/alpha/include/asm/pgalloc.h                 |    6 +
 arch/alpha/include/asm/pgtable.h                 |   11 +
 arch/alpha/kernel/module.c                       |    2 +-
 arch/alpha/kernel/osf_sys.c                      |   10 +-
 arch/alpha/mm/fault.c                            |  141 +-
 arch/arm/Kconfig                                 |    2 +-
 arch/arm/include/asm/atomic.h                    |  421 +++-
 arch/arm/include/asm/cache.h                     |    3 +-
 arch/arm/include/asm/cacheflush.h                |    2 +-
 arch/arm/include/asm/checksum.h                  |   14 +-
 arch/arm/include/asm/cmpxchg.h                   |    2 +
 arch/arm/include/asm/delay.h                     |    8 +-
 arch/arm/include/asm/domain.h                    |   32 +-
 arch/arm/include/asm/elf.h                       |   13 +-
 arch/arm/include/asm/fncpy.h                     |    2 +
 arch/arm/include/asm/futex.h                     |   10 +
 arch/arm/include/asm/kmap_types.h                |    2 +-
 arch/arm/include/asm/mach/dma.h                  |    2 +-
 arch/arm/include/asm/mach/map.h                  |    7 +-
 arch/arm/include/asm/outercache.h                |    2 +-
 arch/arm/include/asm/page.h                      |    2 +-
 arch/arm/include/asm/pgalloc.h                   |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h      |    5 +
 arch/arm/include/asm/pgtable-2level.h            |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h      |    4 +
 arch/arm/include/asm/pgtable-3level.h            |    2 +
 arch/arm/include/asm/pgtable.h                   |   56 +-
 arch/arm/include/asm/proc-fns.h                  |    2 +-
 arch/arm/include/asm/processor.h                 |    5 +-
 arch/arm/include/asm/smp.h                       |    2 +-
 arch/arm/include/asm/thread_info.h               |    6 +-
 arch/arm/include/asm/uaccess.h                   |   92 +-
 arch/arm/include/uapi/asm/ptrace.h               |    2 +-
 arch/arm/kernel/armksyms.c                       |    4 +-
 arch/arm/kernel/entry-armv.S                     |  107 +-
 arch/arm/kernel/entry-common.S                   |   41 +-
 arch/arm/kernel/entry-header.S                   |   60 +
 arch/arm/kernel/fiq.c                            |    2 +
 arch/arm/kernel/head.S                           |    6 +-
 arch/arm/kernel/hw_breakpoint.c                  |    2 +-
 arch/arm/kernel/module.c                         |   29 +-
 arch/arm/kernel/perf_event_cpu.c                 |    2 +-
 arch/arm/kernel/process.c                        |   10 +-
 arch/arm/kernel/setup.c                          |   22 +-
 arch/arm/kernel/smp.c                            |    2 +-
 arch/arm/kernel/traps.c                          |    8 +-
 arch/arm/kernel/vmlinux.lds.S                    |   20 +-
 arch/arm/lib/clear_user.S                        |    6 +-
 arch/arm/lib/copy_from_user.S                    |    6 +-
 arch/arm/lib/copy_page.S                         |    1 +
 arch/arm/lib/copy_to_user.S                      |    6 +-
 arch/arm/lib/csumpartialcopyuser.S               |    4 +-
 arch/arm/lib/delay.c                             |   14 +-
 arch/arm/lib/uaccess_with_memcpy.c               |    2 +-
 arch/arm/mach-kirkwood/common.c                  |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                 |    2 +-
 arch/arm/mach-omap2/omap-wakeupgen.c             |    2 +-
 arch/arm/mach-omap2/omap_hwmod.c                 |    4 +-
 arch/arm/mach-ux500/include/mach/setup.h         |    7 -
 arch/arm/mm/Kconfig                              |    3 +-
 arch/arm/mm/fault.c                              |   78 +
 arch/arm/mm/fault.h                              |   12 +
 arch/arm/mm/init.c                               |   41 +
 arch/arm/mm/ioremap.c                            |    4 +-
 arch/arm/mm/mmap.c                               |   36 +-
 arch/arm/mm/mmu.c                                |  186 +-
 arch/arm/mm/proc-v7-2level.S                     |    3 +
 arch/arm/plat-omap/sram.c                        |    2 +
 arch/arm/plat-orion/include/plat/addr-map.h      |    2 +-
 arch/arm/plat-samsung/include/plat/dma-ops.h     |    2 +-
 arch/arm64/kernel/debug-monitors.c               |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                |    2 +-
 arch/avr32/include/asm/elf.h                     |    8 +-
 arch/avr32/include/asm/kmap_types.h              |    4 +-
 arch/avr32/mm/fault.c                            |   27 +
 arch/frv/include/asm/atomic.h                    |   10 +
 arch/frv/include/asm/kmap_types.h                |    2 +-
 arch/frv/mm/elf-fdpic.c                          |    7 +-
 arch/ia64/include/asm/atomic.h                   |   10 +
 arch/ia64/include/asm/elf.h                      |    7 +
 arch/ia64/include/asm/pgalloc.h                  |   12 +
 arch/ia64/include/asm/pgtable.h                  |   13 +-
 arch/ia64/include/asm/spinlock.h                 |    2 +-
 arch/ia64/include/asm/uaccess.h                  |   28 +-
 arch/ia64/kernel/err_inject.c                    |    2 +-
 arch/ia64/kernel/mca.c                           |    2 +-
 arch/ia64/kernel/module.c                        |   48 +-
 arch/ia64/kernel/palinfo.c                       |    2 +-
 arch/ia64/kernel/salinfo.c                       |    2 +-
 arch/ia64/kernel/sys_ia64.c                      |   13 +-
 arch/ia64/kernel/topology.c                      |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                   |    2 +-
 arch/ia64/mm/fault.c                             |   32 +-
 arch/ia64/mm/hugetlbpage.c                       |    2 +-
 arch/ia64/mm/init.c                              |   13 +
 arch/m32r/lib/usercopy.c                         |    6 +
 arch/mips/include/asm/atomic.h                   |   14 +
 arch/mips/include/asm/elf.h                      |   11 +-
 arch/mips/include/asm/exec.h                     |    2 +-
 arch/mips/include/asm/page.h                     |    2 +-
 arch/mips/include/asm/pgalloc.h                  |    5 +
 arch/mips/kernel/binfmt_elfn32.c                 |    7 +
 arch/mips/kernel/binfmt_elfo32.c                 |    7 +
 arch/mips/kernel/process.c                       |   12 -
 arch/mips/mm/fault.c                             |   17 +
 arch/mips/mm/mmap.c                              |   51 +-
 arch/parisc/include/asm/atomic.h                 |   10 +
 arch/parisc/include/asm/elf.h                    |    7 +
 arch/parisc/include/asm/pgalloc.h                |    6 +
 arch/parisc/include/asm/pgtable.h                |   11 +
 arch/parisc/include/asm/uaccess.h                |    4 +-
 arch/parisc/kernel/module.c                      |   50 +-
 arch/parisc/kernel/sys_parisc.c                  |    6 +-
 arch/parisc/kernel/traps.c                       |    4 +-
 arch/parisc/mm/fault.c                           |  140 +-
 arch/powerpc/include/asm/atomic.h                |   10 +
 arch/powerpc/include/asm/elf.h                   |   19 +-
 arch/powerpc/include/asm/exec.h                  |    2 +-
 arch/powerpc/include/asm/kmap_types.h            |    2 +-
 arch/powerpc/include/asm/mman.h                  |    2 +-
 arch/powerpc/include/asm/page.h                  |    8 +-
 arch/powerpc/include/asm/page_64.h               |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h            |    7 +
 arch/powerpc/include/asm/pgtable.h               |    1 +
 arch/powerpc/include/asm/pte-hash32.h            |    1 +
 arch/powerpc/include/asm/reg.h                   |    1 +
 arch/powerpc/include/asm/uaccess.h               |  142 +-
 arch/powerpc/kernel/exceptions-64e.S             |    4 +-
 arch/powerpc/kernel/exceptions-64s.S             |    2 +-
 arch/powerpc/kernel/module_32.c                  |   13 +-
 arch/powerpc/kernel/process.c                    |   55 -
 arch/powerpc/kernel/signal_32.c                  |    2 +-
 arch/powerpc/kernel/signal_64.c                  |    2 +-
 arch/powerpc/kernel/sysfs.c                      |    2 +-
 arch/powerpc/kernel/vdso.c                       |    5 +-
 arch/powerpc/lib/usercopy_64.c                   |   18 -
 arch/powerpc/mm/fault.c                          |   54 +-
 arch/powerpc/mm/mmap_64.c                        |   16 +
 arch/powerpc/mm/mmu_context_nohash.c             |    2 +-
 arch/powerpc/mm/numa.c                           |    2 +-
 arch/powerpc/mm/slice.c                          |   23 +-
 arch/powerpc/platforms/powermac/smp.c            |    2 +-
 arch/s390/include/asm/atomic.h                   |   10 +
 arch/s390/include/asm/elf.h                      |   13 +-
 arch/s390/include/asm/exec.h                     |    2 +-
 arch/s390/include/asm/uaccess.h                  |   15 +-
 arch/s390/kernel/module.c                        |   22 +-
 arch/s390/kernel/process.c                       |   36 -
 arch/s390/mm/mmap.c                              |   24 +
 arch/score/include/asm/exec.h                    |    2 +-
 arch/score/kernel/process.c                      |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c               |    2 +-
 arch/sh/mm/mmap.c                                |   22 +-
 arch/sparc/include/asm/atomic_64.h               |  106 +-
 arch/sparc/include/asm/cache.h                   |    2 +-
 arch/sparc/include/asm/elf_32.h                  |    7 +
 arch/sparc/include/asm/elf_64.h                  |    7 +
 arch/sparc/include/asm/pgalloc_32.h              |    1 +
 arch/sparc/include/asm/pgalloc_64.h              |    1 +
 arch/sparc/include/asm/pgtable_32.h              |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                |    5 +
 arch/sparc/include/asm/spinlock_64.h             |   35 +-
 arch/sparc/include/asm/thread_info_32.h          |    2 +
 arch/sparc/include/asm/thread_info_64.h          |    2 +
 arch/sparc/include/asm/uaccess.h                 |    8 +
 arch/sparc/include/asm/uaccess_32.h              |   27 +-
 arch/sparc/include/asm/uaccess_64.h              |   19 +-
 arch/sparc/kernel/Makefile                       |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                 |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                 |   48 +-
 arch/sparc/kernel/sysfs.c                        |    2 +-
 arch/sparc/kernel/traps_64.c                     |   13 +-
 arch/sparc/lib/Makefile                          |    2 +-
 arch/sparc/lib/atomic_64.S                       |  136 +-
 arch/sparc/lib/ksyms.c                           |    6 +
 arch/sparc/mm/Makefile                           |    2 +-
 arch/sparc/mm/fault_32.c                         |  292 ++
 arch/sparc/mm/fault_64.c                         |  486 +++
 arch/sparc/mm/hugetlbpage.c                      |   21 +-
 arch/tile/include/asm/atomic_64.h                |   10 +
 arch/tile/include/asm/uaccess.h                  |    4 +-
 arch/um/Makefile                                 |    4 +
 arch/um/include/asm/kmap_types.h                 |    2 +-
 arch/um/include/asm/page.h                       |    3 +
 arch/um/include/asm/pgtable-3level.h             |    1 +
 arch/um/kernel/process.c                         |   16 -
 arch/x86/Kconfig                                 |   10 +-
 arch/x86/Kconfig.cpu                             |    6 +-
 arch/x86/Kconfig.debug                           |    6 +-
 arch/x86/Makefile                                |   10 +
 arch/x86/boot/Makefile                           |    3 +
 arch/x86/boot/bitops.h                           |    4 +-
 arch/x86/boot/boot.h                             |    4 +-
 arch/x86/boot/compressed/Makefile                |    3 +
 arch/x86/boot/compressed/eboot.c                 |    2 -
 arch/x86/boot/compressed/head_32.S               |    7 +-
 arch/x86/boot/compressed/head_64.S               |    4 +-
 arch/x86/boot/compressed/misc.c                  |    4 +-
 arch/x86/boot/cpucheck.c                         |   28 +-
 arch/x86/boot/header.S                           |    6 +-
 arch/x86/boot/memory.c                           |    2 +-
 arch/x86/boot/video-vesa.c                       |    1 +
 arch/x86/boot/video.c                            |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S              |    4 +
 arch/x86/crypto/aesni-intel_asm.S                |   31 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S         |    8 +
 arch/x86/crypto/camellia-x86_64-asm_64.S         |    8 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S        |    8 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S        |    8 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S          |    5 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S      |    8 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S     |    5 +
 arch/x86/crypto/sha1_ssse3_asm.S                 |    3 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S      |    8 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S     |    5 +
 arch/x86/crypto/twofish-x86_64-asm_64.S          |    3 +
 arch/x86/ia32/ia32_signal.c                      |   14 +-
 arch/x86/ia32/ia32entry.S                        |  141 +-
 arch/x86/ia32/sys_ia32.c                         |   12 +-
 arch/x86/include/asm/alternative-asm.h           |   39 +
 arch/x86/include/asm/alternative.h               |    4 +-
 arch/x86/include/asm/apic.h                      |    2 +-
 arch/x86/include/asm/apm.h                       |    4 +-
 arch/x86/include/asm/atomic.h                    |  307 ++-
 arch/x86/include/asm/atomic64_32.h               |  100 +
 arch/x86/include/asm/atomic64_64.h               |  202 ++-
 arch/x86/include/asm/bitops.h                    |    2 +-
 arch/x86/include/asm/boot.h                      |    7 +-
 arch/x86/include/asm/cache.h                     |    5 +-
 arch/x86/include/asm/cacheflush.h                |    2 +-
 arch/x86/include/asm/checksum_32.h               |   12 +-
 arch/x86/include/asm/cmpxchg.h                   |   35 +
 arch/x86/include/asm/cpufeature.h                |    4 +-
 arch/x86/include/asm/desc.h                      |   65 +-
 arch/x86/include/asm/desc_defs.h                 |    6 +
 arch/x86/include/asm/elf.h                       |   31 +-
 arch/x86/include/asm/emergency-restart.h         |    2 +-
 arch/x86/include/asm/fpu-internal.h              |    6 +-
 arch/x86/include/asm/futex.h                     |   16 +-
 arch/x86/include/asm/hw_irq.h                    |    4 +-
 arch/x86/include/asm/io.h                        |   13 +-
 arch/x86/include/asm/irqflags.h                  |    5 +
 arch/x86/include/asm/kprobes.h                   |    9 +-
 arch/x86/include/asm/local.h                     |  142 +-
 arch/x86/include/asm/mman.h                      |   15 +
 arch/x86/include/asm/mmu.h                       |   16 +-
 arch/x86/include/asm/mmu_context.h               |   76 +-
 arch/x86/include/asm/module.h                    |   17 +-
 arch/x86/include/asm/page_64_types.h             |    2 +-
 arch/x86/include/asm/paravirt.h                  |   44 +-
 arch/x86/include/asm/paravirt_types.h            |   17 +-
 arch/x86/include/asm/pgalloc.h                   |   23 +
 arch/x86/include/asm/pgtable-2level.h            |    2 +
 arch/x86/include/asm/pgtable-3level.h            |    4 +
 arch/x86/include/asm/pgtable.h                   |  110 +-
 arch/x86/include/asm/pgtable_32.h                |   14 +-
 arch/x86/include/asm/pgtable_32_types.h          |   15 +-
 arch/x86/include/asm/pgtable_64.h                |   19 +-
 arch/x86/include/asm/pgtable_64_types.h          |    5 +
 arch/x86/include/asm/pgtable_types.h             |   36 +-
 arch/x86/include/asm/processor.h                 |   39 +-
 arch/x86/include/asm/ptrace.h                    |   26 +-
 arch/x86/include/asm/realmode.h                  |    4 +-
 arch/x86/include/asm/reboot.h                    |   10 +-
 arch/x86/include/asm/rwsem.h                     |   60 +-
 arch/x86/include/asm/segment.h                   |   24 +-
 arch/x86/include/asm/smp.h                       |   14 +-
 arch/x86/include/asm/spinlock.h                  |   36 +-
 arch/x86/include/asm/stackprotector.h            |    4 +-
 arch/x86/include/asm/stacktrace.h                |   32 +-
 arch/x86/include/asm/switch_to.h                 |    4 +-
 arch/x86/include/asm/thread_info.h               |   83 +-
 arch/x86/include/asm/uaccess.h                   |   96 +-
 arch/x86/include/asm/uaccess_32.h                |  106 +-
 arch/x86/include/asm/uaccess_64.h                |  232 +-
 arch/x86/include/asm/word-at-a-time.h            |    2 +-
 arch/x86/include/asm/x86_init.h                  |   10 +-
 arch/x86/include/asm/xsave.h                     |   10 +-
 arch/x86/include/uapi/asm/e820.h                 |    2 +-
 arch/x86/kernel/Makefile                         |    2 +-
 arch/x86/kernel/acpi/sleep.c                     |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                 |    6 +-
 arch/x86/kernel/alternative.c                    |   65 +-
 arch/x86/kernel/apic/apic.c                      |    6 +-
 arch/x86/kernel/apic/apic_flat_64.c              |    4 +-
 arch/x86/kernel/apic/bigsmp_32.c                 |    2 +-
 arch/x86/kernel/apic/es7000_32.c                 |    5 +-
 arch/x86/kernel/apic/io_apic.c                   |    8 +-
 arch/x86/kernel/apic/numaq_32.c                  |    3 +-
 arch/x86/kernel/apic/probe_32.c                  |    2 +-
 arch/x86/kernel/apic/summit_32.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c            |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c               |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c               |    2 +-
 arch/x86/kernel/apm_32.c                         |   19 +-
 arch/x86/kernel/asm-offsets.c                    |   20 +
 arch/x86/kernel/asm-offsets_64.c                 |    1 +
 arch/x86/kernel/cpu/Makefile                     |    4 -
 arch/x86/kernel/cpu/amd.c                        |    2 +-
 arch/x86/kernel/cpu/common.c                     |   75 +-
 arch/x86/kernel/cpu/intel.c                      |    2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c            |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                 |   29 +-
 arch/x86/kernel/cpu/mcheck/p5.c                  |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c         |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c             |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                  |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                  |    2 +-
 arch/x86/kernel/cpu/perf_event.c                 |    4 +-
 arch/x86/kernel/cpu/perf_event_intel.c           |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c    |    2 +-
 arch/x86/kernel/cpuid.c                          |    2 +-
 arch/x86/kernel/crash.c                          |    4 +-
 arch/x86/kernel/doublefault_32.c                 |    8 +-
 arch/x86/kernel/dumpstack.c                      |   30 +-
 arch/x86/kernel/dumpstack_32.c                   |   34 +-
 arch/x86/kernel/dumpstack_64.c                   |   63 +-
 arch/x86/kernel/early_printk.c                   |    1 +
 arch/x86/kernel/entry_32.S                       |  354 ++-
 arch/x86/kernel/entry_64.S                       |  512 +++-
 arch/x86/kernel/ftrace.c                         |   14 +-
 arch/x86/kernel/head32.c                         |    4 +-
 arch/x86/kernel/head_32.S                        |  237 ++-
 arch/x86/kernel/head_64.S                        |  158 +-
 arch/x86/kernel/i386_ksyms_32.c                  |    8 +
 arch/x86/kernel/i387.c                           |    2 +-
 arch/x86/kernel/i8259.c                          |    2 +-
 arch/x86/kernel/ioport.c                         |    2 +-
 arch/x86/kernel/irq.c                            |   10 +-
 arch/x86/kernel/irq_32.c                         |   69 +-
 arch/x86/kernel/irq_64.c                         |    2 +-
 arch/x86/kernel/kdebugfs.c                       |    2 +-
 arch/x86/kernel/kgdb.c                           |   25 +-
 arch/x86/kernel/kprobes-opt.c                    |   12 +-
 arch/x86/kernel/kprobes.c                        |   30 +-
 arch/x86/kernel/kvm.c                            |    2 +-
 arch/x86/kernel/ldt.c                            |   31 +-
 arch/x86/kernel/machine_kexec_32.c               |    6 +-
 arch/x86/kernel/microcode_core.c                 |    2 +-
 arch/x86/kernel/microcode_intel.c                |    4 +-
 arch/x86/kernel/module.c                         |   76 +-
 arch/x86/kernel/msr.c                            |    2 +-
 arch/x86/kernel/nmi.c                            |   11 +
 arch/x86/kernel/paravirt-spinlocks.c             |    2 +-
 arch/x86/kernel/paravirt.c                       |   43 +-
 arch/x86/kernel/pci-iommu_table.c                |    2 +-
 arch/x86/kernel/process.c                        |   57 +-
 arch/x86/kernel/process_32.c                     |   29 +-
 arch/x86/kernel/process_64.c                     |   15 +-
 arch/x86/kernel/ptrace.c                         |   25 +-
 arch/x86/kernel/pvclock.c                        |    8 +-
 arch/x86/kernel/reboot.c                         |   44 +-
 arch/x86/kernel/relocate_kernel_64.S             |    4 +-
 arch/x86/kernel/setup.c                          |   14 +-
 arch/x86/kernel/setup_percpu.c                   |   27 +-
 arch/x86/kernel/signal.c                         |   15 +-
 arch/x86/kernel/smp.c                            |    2 +-
 arch/x86/kernel/smpboot.c                        |   15 +-
 arch/x86/kernel/step.c                           |   10 +-
 arch/x86/kernel/sys_i386_32.c                    |  247 ++
 arch/x86/kernel/sys_x86_64.c                     |   19 +-
 arch/x86/kernel/tboot.c                          |   14 +-
 arch/x86/kernel/time.c                           |   10 +-
 arch/x86/kernel/tls.c                            |    7 +-
 arch/x86/kernel/traps.c                          |   64 +-
 arch/x86/kernel/uprobes.c                        |    2 +-
 arch/x86/kernel/vm86_32.c                        |    6 +-
 arch/x86/kernel/vmlinux.lds.S                    |  148 +-
 arch/x86/kernel/vsyscall_64.c                    |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                 |    2 -
 arch/x86/kernel/x86_init.c                       |    8 +-
 arch/x86/kernel/xsave.c                          |    2 +
 arch/x86/kvm/cpuid.c                             |   21 +-
 arch/x86/kvm/emulate.c                           |    4 +-
 arch/x86/kvm/lapic.c                             |    2 +-
 arch/x86/kvm/paging_tmpl.h                       |    2 +-
 arch/x86/kvm/svm.c                               |    8 +
 arch/x86/kvm/vmx.c                               |   47 +-
 arch/x86/kvm/x86.c                               |   10 +-
 arch/x86/lguest/boot.c                           |    3 +-
 arch/x86/lib/atomic64_386_32.S                   |  164 +
 arch/x86/lib/atomic64_cx8_32.S                   |  103 +-
 arch/x86/lib/checksum_32.S                       |  100 +-
 arch/x86/lib/clear_page_64.S                     |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                    |    2 +
 arch/x86/lib/copy_page_64.S                      |   24 +-
 arch/x86/lib/copy_user_64.S                      |   47 +-
 arch/x86/lib/copy_user_nocache_64.S              |   20 +-
 arch/x86/lib/csum-copy_64.S                      |    2 +
 arch/x86/lib/csum-wrappers_64.c                  |    4 +-
 arch/x86/lib/getuser.S                           |   68 +-
 arch/x86/lib/insn.c                              |    6 +-
 arch/x86/lib/iomap_copy_64.S                     |    2 +
 arch/x86/lib/memcpy_64.S                         |   18 +-
 arch/x86/lib/memmove_64.S                        |   34 +-
 arch/x86/lib/memset_64.S                         |    7 +-
 arch/x86/lib/mmx_32.c                            |  243 +-
 arch/x86/lib/msr-reg.S                           |   18 +-
 arch/x86/lib/putuser.S                           |   90 +-
 arch/x86/lib/rwlock.S                            |   42 +
 arch/x86/lib/rwsem.S                             |    6 +-
 arch/x86/lib/thunk_64.S                          |    2 +
 arch/x86/lib/usercopy_32.c                       |  376 ++-
 arch/x86/lib/usercopy_64.c                       |   25 +-
 arch/x86/mm/extable.c                            |   25 +-
 arch/x86/mm/fault.c                              |  555 +++-
 arch/x86/mm/gup.c                                |    2 +-
 arch/x86/mm/highmem_32.c                         |    4 +
 arch/x86/mm/hugetlbpage.c                        |   30 +-
 arch/x86/mm/init.c                               |   92 +-
 arch/x86/mm/init_32.c                            |  122 +-
 arch/x86/mm/init_64.c                            |   48 +-
 arch/x86/mm/iomap_32.c                           |    4 +
 arch/x86/mm/ioremap.c                            |   12 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                |    4 +-
 arch/x86/mm/mmap.c                               |   41 +-
 arch/x86/mm/mmio-mod.c                           |   10 +-
 arch/x86/mm/pageattr-test.c                      |    2 +-
 arch/x86/mm/pageattr.c                           |   33 +-
 arch/x86/mm/pat.c                                |   12 +-
 arch/x86/mm/pf_in.c                              |   10 +-
 arch/x86/mm/pgtable.c                            |  137 +-
 arch/x86/mm/pgtable_32.c                         |    3 +
 arch/x86/mm/setup_nx.c                           |    7 +
 arch/x86/mm/tlb.c                                |    4 +
 arch/x86/net/bpf_jit.S                           |   14 +
 arch/x86/net/bpf_jit_comp.c                      |   37 +-
 arch/x86/oprofile/backtrace.c                    |    8 +-
 arch/x86/pci/amd_bus.c                           |    2 +-
 arch/x86/pci/mrst.c                              |    4 +-
 arch/x86/pci/pcbios.c                            |  144 +-
 arch/x86/platform/efi/efi_32.c                   |   19 +
 arch/x86/platform/efi/efi_stub_32.S              |   64 +-
 arch/x86/platform/efi/efi_stub_64.S              |    8 +
 arch/x86/platform/mrst/mrst.c                    |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                 |    2 +-
 arch/x86/power/cpu.c                             |    4 +-
 arch/x86/realmode/init.c                         |    8 +-
 arch/x86/realmode/rm/Makefile                    |    3 +
 arch/x86/realmode/rm/header.S                    |    4 +-
 arch/x86/realmode/rm/trampoline_32.S             |   12 +-
 arch/x86/realmode/rm/trampoline_64.S             |    2 +-
 arch/x86/tools/relocs.c                          |   95 +-
 arch/x86/vdso/Makefile                           |    2 +-
 arch/x86/vdso/vdso32-setup.c                     |   23 +-
 arch/x86/vdso/vma.c                              |   29 +-
 arch/x86/xen/enlighten.c                         |   47 +-
 arch/x86/xen/mmu.c                               |    9 +
 arch/x86/xen/smp.c                               |   18 +-
 arch/x86/xen/xen-asm_32.S                        |   12 +-
 arch/x86/xen/xen-head.S                          |   11 +
 arch/x86/xen/xen-ops.h                           |    2 -
 block/blk-iopoll.c                               |    4 +-
 block/blk-map.c                                  |    2 +-
 block/blk-softirq.c                              |    4 +-
 block/bsg.c                                      |   12 +-
 block/compat_ioctl.c                             |    2 +-
 block/partitions/efi.c                           |    8 +-
 block/scsi_ioctl.c                               |   27 +-
 crypto/cryptd.c                                  |    4 +-
 drivers/acpi/apei/cper.c                         |    8 +-
 drivers/acpi/ec_sys.c                            |   12 +-
 drivers/acpi/processor_driver.c                  |    2 +-
 drivers/ata/libata-core.c                        |    8 +-
 drivers/ata/pata_arasan_cf.c                     |    4 +-
 drivers/atm/adummy.c                             |    2 +-
 drivers/atm/ambassador.c                         |    8 +-
 drivers/atm/atmtcp.c                             |   14 +-
 drivers/atm/eni.c                                |   10 +-
 drivers/atm/firestream.c                         |    8 +-
 drivers/atm/fore200e.c                           |   14 +-
 drivers/atm/he.c                                 |   18 +-
 drivers/atm/horizon.c                            |    4 +-
 drivers/atm/idt77252.c                           |   36 +-
 drivers/atm/iphase.c                             |   34 +-
 drivers/atm/lanai.c                              |   12 +-
 drivers/atm/nicstar.c                            |   46 +-
 drivers/atm/solos-pci.c                          |    4 +-
 drivers/atm/suni.c                               |    4 +-
 drivers/atm/uPD98402.c                           |   16 +-
 drivers/atm/zatm.c                               |    6 +-
 drivers/base/devtmpfs.c                          |    2 +-
 drivers/base/power/wakeup.c                      |    8 +-
 drivers/block/cciss.c                            |   28 +-
 drivers/block/cciss.h                            |    2 +-
 drivers/block/cpqarray.c                         |   28 +-
 drivers/block/cpqarray.h                         |    2 +-
 drivers/block/drbd/drbd_int.h                    |    6 +-
 drivers/block/drbd/drbd_main.c                   |    8 +-
 drivers/block/drbd/drbd_receiver.c               |   18 +-
 drivers/block/loop.c                             |    2 +-
 drivers/cdrom/cdrom.c                            |    9 +-
 drivers/cdrom/gdrom.c                            |    1 -
 drivers/char/agp/frontend.c                      |    2 +-
 drivers/char/hpet.c                              |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c              |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                 |    8 +-
 drivers/char/mem.c                               |   41 +-
 drivers/char/nvram.c                             |    2 +-
 drivers/char/pcmcia/synclink_cs.c                |   18 +-
 drivers/char/random.c                            |    8 +-
 drivers/char/sonypi.c                            |    9 +-
 drivers/char/tpm/tpm.c                           |    2 +-
 drivers/char/tpm/tpm_acpi.c                      |    3 +-
 drivers/char/tpm/tpm_eventlog.c                  |    7 +-
 drivers/char/virtio_console.c                    |    4 +-
 drivers/clocksource/arm_generic.c                |    2 +-
 drivers/cpufreq/cpufreq.c                        |    2 +-
 drivers/cpufreq/cpufreq_stats.c                  |    2 +-
 drivers/dma/sh/shdma.c                           |    2 +-
 drivers/edac/edac_pci_sysfs.c                    |   20 +-
 drivers/edac/mce_amd.h                           |    2 +-
 drivers/firewire/core-card.c                     |    2 +-
 drivers/firewire/core-cdev.c                     |    3 +-
 drivers/firewire/core-transaction.c              |    1 +
 drivers/firewire/core.h                          |    1 +
 drivers/firmware/dmi_scan.c                      |    7 +-
 drivers/firmware/efivars.c                       |    2 +-
 drivers/gpio/gpio-vr41xx.c                       |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                |    2 +-
 drivers/gpu/drm/drm_drv.c                        |    4 +-
 drivers/gpu/drm/drm_fops.c                       |   18 +-
 drivers/gpu/drm/drm_global.c                     |   14 +-
 drivers/gpu/drm/drm_info.c                       |   14 +-
 drivers/gpu/drm/drm_ioc32.c                      |    4 +-
 drivers/gpu/drm/drm_ioctl.c                      |    2 +-
 drivers/gpu/drm/drm_lock.c                       |    4 +-
 drivers/gpu/drm/drm_stub.c                       |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                  |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c              |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                  |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                  |    6 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c       |    6 +-
 drivers/gpu/drm/i915/i915_irq.c                  |   22 +-
 drivers/gpu/drm/i915/intel_display.c             |    9 +-
 drivers/gpu/drm/mga/mga_drv.h                    |    4 +-
 drivers/gpu/drm/mga/mga_irq.c                    |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c           |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_fence.h          |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c            |    2 +-
 drivers/gpu/drm/r128/r128_cce.c                  |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                  |    4 +-
 drivers/gpu/drm/r128/r128_irq.c                  |    4 +-
 drivers/gpu/drm/r128/r128_state.c                |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c           |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h              |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c            |    2 +-
 drivers/gpu/drm/radeon/radeon_irq.c              |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c            |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c              |    4 +-
 drivers/gpu/drm/radeon/rs690.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c             |    4 +-
 drivers/gpu/drm/via/via_drv.h                    |    4 +-
 drivers/gpu/drm/via/via_irq.c                    |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h              |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c             |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c           |    2 +-
 drivers/hid/hid-core.c                           |    4 +-
 drivers/hv/channel.c                             |    4 +-
 drivers/hv/hv.c                                  |    2 +-
 drivers/hv/hyperv_vmbus.h                        |    2 +-
 drivers/hv/vmbus_drv.c                           |    4 +-
 drivers/hwmon/coretemp.c                         |    2 +-
 drivers/hwmon/sht15.c                            |   12 +-
 drivers/hwmon/via-cputemp.c                      |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c            |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c           |    2 +-
 drivers/ide/ide-cd.c                             |    2 +-
 drivers/infiniband/core/cm.c                     |   32 +-
 drivers/infiniband/core/fmr_pool.c               |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c           |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c          |    6 +-
 drivers/infiniband/hw/nes/nes.c                  |    4 +-
 drivers/infiniband/hw/nes/nes.h                  |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c               |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c              |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c              |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c            |   10 +-
 drivers/infiniband/hw/qib/qib.h                  |    1 +
 drivers/input/gameport/gameport.c                |    4 +-
 drivers/input/input.c                            |    4 +-
 drivers/input/joystick/sidewinder.c              |    1 +
 drivers/input/joystick/xpad.c                    |    4 +-
 drivers/input/mousedev.c                         |    2 +-
 drivers/input/serio/serio.c                      |    4 +-
 drivers/isdn/capi/capi.c                         |   10 +-
 drivers/isdn/gigaset/interface.c                 |    8 +-
 drivers/isdn/hardware/avm/b1.c                   |    4 +-
 drivers/isdn/i4l/isdn_tty.c                      |   22 +-
 drivers/isdn/icn/icn.c                           |    2 +-
 drivers/lguest/core.c                            |   10 +-
 drivers/lguest/x86/core.c                        |   12 +-
 drivers/lguest/x86/switcher_32.S                 |   27 +-
 drivers/md/bitmap.c                              |    2 +-
 drivers/md/dm-ioctl.c                            |    2 +-
 drivers/md/dm-raid1.c                            |   16 +-
 drivers/md/dm-stripe.c                           |   10 +-
 drivers/md/dm-table.c                            |    2 +-
 drivers/md/dm-thin-metadata.c                    |    4 +-
 drivers/md/dm.c                                  |   16 +-
 drivers/md/md.c                                  |   26 +-
 drivers/md/md.h                                  |    6 +-
 drivers/md/persistent-data/dm-space-map.h        |    1 +
 drivers/md/raid1.c                               |    4 +-
 drivers/md/raid10.c                              |   16 +-
 drivers/md/raid5.c                               |   10 +-
 drivers/media/dvb-core/dvbdev.c                  |    2 +-
 drivers/media/dvb-frontends/dib3000.h            |    2 +-
 drivers/media/platform/omap/omap_vout.c          |   11 +-
 drivers/media/platform/s5p-tv/mixer.h            |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c  |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c        |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c      |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c   |    2 +-
 drivers/media/radio/radio-cadet.c                |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c               |    2 +-
 drivers/message/fusion/mptsas.c                  |   34 +-
 drivers/message/fusion/mptscsih.c                |   19 +-
 drivers/message/i2o/i2o_proc.c                   |   51 +-
 drivers/message/i2o/iop.c                        |    8 +-
 drivers/mfd/janz-cmodio.c                        |    1 +
 drivers/misc/kgdbts.c                            |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c               |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h               |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                 |    8 +-
 drivers/misc/sgi-gru/grutables.h                 |  154 +-
 drivers/misc/sgi-xp/xp.h                         |    2 +-
 drivers/misc/sgi-xp/xpc.h                        |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                   |    4 +-
 drivers/mmc/core/mmc_ops.c                       |    2 +-
 drivers/mmc/host/dw_mmc.h                        |    2 +-
 drivers/mmc/host/sdhci-s3c.c                     |    8 +-
 drivers/mtd/devices/doc2000.c                    |    2 +-
 drivers/mtd/nand/denali.c                        |    1 +
 drivers/mtd/nftlmount.c                          |    1 +
 drivers/net/ethernet/8390/ax88796.c              |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h  |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c   |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h   |    3 +-
 drivers/net/ethernet/broadcom/tg3.h              |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h         |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c           |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c      |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c         |    2 +
 drivers/net/ethernet/faraday/ftmac100.c          |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c     |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c |    7 +-
 drivers/net/ethernet/realtek/r8169.c             |    8 +-
 drivers/net/ethernet/sfc/ptp.c                   |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c   |    4 +-
 drivers/net/hyperv/hyperv_net.h                  |    2 +-
 drivers/net/hyperv/rndis_filter.c                |    4 +-
 drivers/net/ieee802154/fakehard.c                |    2 +-
 drivers/net/macvlan.c                            |    2 +-
 drivers/net/macvtap.c                            |    2 +-
 drivers/net/ppp/ppp_generic.c                    |    4 +-
 drivers/net/team/team.c                          |    2 +-
 drivers/net/tun.c                                |    5 +-
 drivers/net/usb/hso.c                            |   23 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c      |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c      |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h              |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c         |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c       |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c        |    4 +-
 drivers/net/wireless/mac80211_hwsim.c            |   32 +-
 drivers/net/wireless/rndis_wlan.c                |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h             |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c        |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c            |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c            |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c            |    6 +-
 drivers/oprofile/buffer_sync.c                   |    8 +-
 drivers/oprofile/event_buffer.c                  |    2 +-
 drivers/oprofile/oprof.c                         |    2 +-
 drivers/oprofile/oprofile_stats.c                |   10 +-
 drivers/oprofile/oprofile_stats.h                |   10 +-
 drivers/oprofile/oprofilefs.c                    |    2 +-
 drivers/oprofile/timer_int.c                     |    2 +-
 drivers/parport/procfs.c                         |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c             |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c              |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c               |    4 +
 drivers/pci/pcie/aspm.c                          |    6 +-
 drivers/pci/probe.c                              |    2 +-
 drivers/platform/x86/thinkpad_acpi.c             |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                  |   14 +-
 drivers/pnp/resource.c                           |    4 +-
 drivers/power/pda_power.c                        |    7 +-
 drivers/regulator/max8660.c                      |    6 +-
 drivers/regulator/max8973-regulator.c            |    8 +-
 drivers/regulator/mc13892-regulator.c            |    6 +-
 drivers/scsi/bfa/bfa.h                           |    2 +-
 drivers/scsi/bfa/bfa_fcpim.h                     |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                       |    4 +-
 drivers/scsi/hosts.c                             |    4 +-
 drivers/scsi/hpsa.c                              |   30 +-
 drivers/scsi/hpsa.h                              |    2 +-
 drivers/scsi/libfc/fc_exch.c                     |   50 +-
 drivers/scsi/libsas/sas_ata.c                    |    2 +-
 drivers/scsi/lpfc/lpfc.h                         |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                 |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                    |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                    |   16 +-
 drivers/scsi/pmcraid.c                           |   20 +-
 drivers/scsi/pmcraid.h                           |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                  |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                   |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                    |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                   |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                    |    6 +-
 drivers/scsi/scsi.c                              |    2 +-
 drivers/scsi/scsi_lib.c                          |    6 +-
 drivers/scsi/scsi_sysfs.c                        |    2 +-
 drivers/scsi/scsi_tgt_lib.c                      |    2 +-
 drivers/scsi/scsi_transport_fc.c                 |    8 +-
 drivers/scsi/scsi_transport_iscsi.c              |    6 +-
 drivers/scsi/scsi_transport_srp.c                |    6 +-
 drivers/scsi/sd.c                                |    2 +-
 drivers/scsi/sg.c                                |    2 +-
 drivers/spi/spi.c                                |    2 +-
 drivers/staging/octeon/ethernet-rx.c             |   12 +-
 drivers/staging/octeon/ethernet.c                |    8 +-
 drivers/staging/ramster/tmem.c                   |   54 +-
 drivers/staging/rtl8712/rtl871x_io.h             |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c               |    2 +-
 drivers/staging/usbip/vhci.h                     |    2 +-
 drivers/staging/usbip/vhci_hcd.c                 |    6 +-
 drivers/staging/usbip/vhci_rx.c                  |    2 +-
 drivers/staging/vt6655/hostap.c                  |    7 +-
 drivers/staging/vt6656/hostap.c                  |    7 +-
 drivers/staging/zcache/tmem.c                    |    4 +-
 drivers/staging/zcache/tmem.h                    |    2 +
 drivers/target/target_core_device.c              |    2 +-
 drivers/target/target_core_transport.c           |    2 +-
 drivers/tty/cyclades.c                           |    6 +-
 drivers/tty/hvc/hvc_console.c                    |   14 +-
 drivers/tty/hvc/hvcs.c                           |   21 +-
 drivers/tty/ipwireless/tty.c                     |   27 +-
 drivers/tty/moxa.c                               |    2 +-
 drivers/tty/n_gsm.c                              |    4 +-
 drivers/tty/n_tty.c                              |    3 +-
 drivers/tty/pty.c                                |    4 +-
 drivers/tty/rocket.c                             |    6 +-
 drivers/tty/serial/kgdboc.c                      |   32 +-
 drivers/tty/serial/samsung.c                     |    9 +-
 drivers/tty/serial/serial_core.c                 |    8 +-
 drivers/tty/synclink.c                           |   34 +-
 drivers/tty/synclink_gt.c                        |   28 +-
 drivers/tty/synclinkmp.c                         |   34 +-
 drivers/tty/tty_io.c                             |    2 +-
 drivers/tty/tty_ldisc.c                          |   10 +-
 drivers/tty/tty_port.c                           |   22 +-
 drivers/uio/uio.c                                |   21 +-
 drivers/usb/atm/cxacru.c                         |    2 +-
 drivers/usb/atm/usbatm.c                         |   24 +-
 drivers/usb/core/devices.c                       |    6 +-
 drivers/usb/core/hcd.c                           |    4 +-
 drivers/usb/core/sysfs.c                         |    2 +-
 drivers/usb/core/usb.c                           |    2 +-
 drivers/usb/early/ehci-dbgp.c                    |   16 +-
 drivers/usb/gadget/u_serial.c                    |   22 +-
 drivers/usb/serial/console.c                     |    6 +-
 drivers/usb/wusbcore/wa-hc.h                     |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                   |    2 +-
 drivers/video/aty/aty128fb.c                     |    2 +-
 drivers/video/fbcmap.c                           |    3 +-
 drivers/video/fbmem.c                            |    6 +-
 drivers/video/i810/i810_accel.c                  |    1 +
 drivers/video/udlfb.c                            |   32 +-
 drivers/video/uvesafb.c                          |   39 +-
 drivers/video/vesafb.c                           |   51 +-
 drivers/video/via/via_clock.h                    |    2 +-
 fs/9p/vfs_inode.c                                |    2 +-
 fs/Kconfig.binfmt                                |    2 +-
 fs/aio.c                                         |   11 +-
 fs/autofs4/waitq.c                               |    2 +-
 fs/befs/linuxvfs.c                               |    2 +-
 fs/binfmt_aout.c                                 |   23 +-
 fs/binfmt_elf.c                                  |  604 ++++-
 fs/binfmt_flat.c                                 |    6 +
 fs/bio.c                                         |    6 +-
 fs/block_dev.c                                   |    2 +-
 fs/btrfs/ctree.c                                 |    9 +-
 fs/btrfs/relocation.c                            |    2 +-
 fs/btrfs/super.c                                 |    2 +-
 fs/cachefiles/bind.c                             |    6 +-
 fs/cachefiles/daemon.c                           |    8 +-
 fs/cachefiles/internal.h                         |   12 +-
 fs/cachefiles/namei.c                            |    2 +-
 fs/cachefiles/proc.c                             |   12 +-
 fs/cachefiles/rdwr.c                             |    2 +-
 fs/ceph/dir.c                                    |    2 +-
 fs/cifs/cifs_debug.c                             |   12 +-
 fs/cifs/cifsfs.c                                 |    8 +-
 fs/cifs/cifsglob.h                               |   54 +-
 fs/cifs/link.c                                   |    2 +-
 fs/cifs/misc.c                                   |    4 +-
 fs/cifs/smb1ops.c                                |   80 +-
 fs/cifs/smb2ops.c                                |   84 +-
 fs/cifs/smb2pdu.c                                |    3 +-
 fs/coda/cache.c                                  |   10 +-
 fs/compat.c                                      |    6 +-
 fs/compat_binfmt_elf.c                           |    2 +
 fs/compat_ioctl.c                                |    8 +-
 fs/configfs/dir.c                                |   10 +-
 fs/coredump.c                                    |   24 +-
 fs/dcache.c                                      |    2 +-
 fs/ecryptfs/inode.c                              |    4 +-
 fs/ecryptfs/miscdev.c                            |    2 +-
 fs/ecryptfs/read_write.c                         |    4 +-
 fs/exec.c                                        |  356 ++-
 fs/ext4/ext4.h                                   |   20 +-
 fs/ext4/mballoc.c                                |   44 +-
 fs/fhandle.c                                     |    3 +-
 fs/fifo.c                                        |   22 +-
 fs/fs_struct.c                                   |    8 +-
 fs/fscache/cookie.c                              |   36 +-
 fs/fscache/internal.h                            |  196 +-
 fs/fscache/object.c                              |   28 +-
 fs/fscache/operation.c                           |   30 +-
 fs/fscache/page.c                                |  110 +-
 fs/fscache/stats.c                               |  344 +-
 fs/fuse/cuse.c                                   |   10 +-
 fs/fuse/dev.c                                    |    2 +-
 fs/fuse/dir.c                                    |    2 +-
 fs/gfs2/inode.c                                  |    2 +-
 fs/hugetlbfs/inode.c                             |   13 +-
 fs/inode.c                                       |    4 +-
 fs/jffs2/erase.c                                 |    3 +-
 fs/jffs2/wbuf.c                                  |    3 +-
 fs/jfs/super.c                                   |    2 +-
 fs/libfs.c                                       |   10 +-
 fs/lockd/clntproc.c                              |    4 +-
 fs/locks.c                                       |    8 +-
 fs/namei.c                                       |   15 +-
 fs/namespace.c                                   |    2 +-
 fs/nfs/inode.c                                   |    6 +-
 fs/nfsd/vfs.c                                    |    6 +-
 fs/notify/fanotify/fanotify_user.c               |    4 +-
 fs/notify/notification.c                         |    4 +-
 fs/ntfs/dir.c                                    |    2 +-
 fs/ntfs/file.c                                   |    4 +-
 fs/ocfs2/localalloc.c                            |    2 +-
 fs/ocfs2/ocfs2.h                                 |   10 +-
 fs/ocfs2/suballoc.c                              |   12 +-
 fs/ocfs2/super.c                                 |   20 +-
 fs/pipe.c                                        |   33 +-
 fs/proc/array.c                                  |   20 +
 fs/proc/kcore.c                                  |   32 +-
 fs/proc/meminfo.c                                |    2 +-
 fs/proc/nommu.c                                  |    2 +-
 fs/proc/self.c                                   |    2 +-
 fs/proc/task_mmu.c                               |   39 +-
 fs/proc/task_nommu.c                             |    4 +-
 fs/quota/netlink.c                               |    4 +-
 fs/readdir.c                                     |    2 +-
 fs/reiserfs/do_balan.c                           |    2 +-
 fs/reiserfs/procfs.c                             |    2 +-
 fs/reiserfs/reiserfs.h                           |    4 +-
 fs/seq_file.c                                    |    2 +-
 fs/splice.c                                      |   36 +-
 fs/sysfs/file.c                                  |   10 +-
 fs/sysfs/symlink.c                               |    2 +-
 fs/udf/misc.c                                    |    2 +-
 fs/xattr_acl.c                                   |    4 +-
 fs/xfs/xfs_bmap.c                                |    2 +-
 fs/xfs/xfs_dir2_sf.c                             |   10 +-
 fs/xfs/xfs_ioctl.c                               |    2 +-
 fs/xfs/xfs_iops.c                                |    2 +-
 include/asm-generic/4level-fixup.h               |    2 +
 include/asm-generic/atomic-long.h                |  210 ++
 include/asm-generic/atomic.h                     |    2 +-
 include/asm-generic/atomic64.h                   |   12 +
 include/asm-generic/cache.h                      |    4 +-
 include/asm-generic/emergency-restart.h          |    2 +-
 include/asm-generic/kmap_types.h                 |    4 +-
 include/asm-generic/local.h                      |   13 +
 include/asm-generic/pgtable-nopmd.h              |   18 +-
 include/asm-generic/pgtable-nopud.h              |   15 +-
 include/asm-generic/pgtable.h                    |    8 +
 include/asm-generic/vmlinux.lds.h                |   10 +-
 include/crypto/algapi.h                          |    2 +-
 include/drm/drmP.h                               |    5 +-
 include/drm/drm_crtc_helper.h                    |    2 +-
 include/drm/ttm/ttm_memory.h                     |    2 +-
 include/linux/atmdev.h                           |    2 +-
 include/linux/binfmts.h                          |    1 +
 include/linux/blkdev.h                           |    2 +-
 include/linux/blktrace_api.h                     |    2 +-
 include/linux/cache.h                            |    4 +
 include/linux/cdrom.h                            |    1 -
 include/linux/cleancache.h                       |    2 +-
 include/linux/compiler-gcc4.h                    |   20 +
 include/linux/compiler.h                         |   72 +-
 include/linux/cpu.h                              |    2 +-
 include/linux/crypto.h                           |    6 +-
 include/linux/decompress/mm.h                    |    2 +-
 include/linux/dma-mapping.h                      |    2 +-
 include/linux/dmaengine.h                        |    4 +-
 include/linux/efi.h                              |    1 +
 include/linux/elf.h                              |    2 +
 include/linux/filter.h                           |    4 +
 include/linux/frontswap.h                        |    2 +-
 include/linux/fs.h                               |    3 +-
 include/linux/fs_struct.h                        |    2 +-
 include/linux/fscache-cache.h                    |    4 +-
 include/linux/fsnotify.h                         |    2 +-
 include/linux/ftrace_event.h                     |    2 +-
 include/linux/genhd.h                            |    2 +-
 include/linux/gfp.h                              |   12 +-
 include/linux/highmem.h                          |   12 +
 include/linux/i2c.h                              |    1 +
 include/linux/i2o.h                              |    2 +-
 include/linux/if_pppox.h                         |    2 +-
 include/linux/init.h                             |   33 +-
 include/linux/init_task.h                        |    7 +
 include/linux/interrupt.h                        |    8 +-
 include/linux/kgdb.h                             |    6 +-
 include/linux/kobject.h                          |    2 +-
 include/linux/kref.h                             |    2 +-
 include/linux/kvm_host.h                         |    4 +-
 include/linux/libata.h                           |    2 +-
 include/linux/list.h                             |    3 +
 include/linux/mm.h                               |   91 +-
 include/linux/mm_types.h                         |   22 +-
 include/linux/mmiotrace.h                        |    4 +-
 include/linux/mmzone.h                           |    2 +-
 include/linux/mod_devicetable.h                  |    4 +-
 include/linux/module.h                           |   55 +-
 include/linux/moduleloader.h                     |   18 +-
 include/linux/moduleparam.h                      |    4 +-
 include/linux/namei.h                            |    6 +-
 include/linux/netdevice.h                        |    3 +-
 include/linux/netfilter/ipset/ip_set.h           |    2 +-
 include/linux/netfilter/nfnetlink.h              |    2 +-
 include/linux/notifier.h                         |    3 +-
 include/linux/oprofile.h                         |    4 +-
 include/linux/perf_event.h                       |   10 +-
 include/linux/pipe_fs_i.h                        |    6 +-
 include/linux/platform_data/usb-ehci-s5p.h       |    2 +-
 include/linux/pm_runtime.h                       |    2 +-
 include/linux/poison.h                           |    4 +-
 include/linux/power/smartreflex.h                |    2 +-
 include/linux/random.h                           |    5 +
 include/linux/reboot.h                           |   14 +-
 include/linux/regset.h                           |    3 +-
 include/linux/relay.h                            |    2 +-
 include/linux/rio.h                              |    2 +-
 include/linux/rmap.h                             |    4 +-
 include/linux/sched.h                            |   64 +-
 include/linux/seq_file.h                         |    1 +
 include/linux/skbuff.h                           |   12 +-
 include/linux/slab.h                             |   36 +-
 include/linux/slab_def.h                         |   33 +-
 include/linux/slob_def.h                         |    4 +-
 include/linux/slub_def.h                         |   10 +-
 include/linux/sonet.h                            |    2 +-
 include/linux/sunrpc/clnt.h                      |    8 +-
 include/linux/sunrpc/svc_rdma.h                  |   18 +-
 include/linux/sysrq.h                            |    2 +-
 include/linux/thread_info.h                      |    7 +
 include/linux/tty.h                              |    4 +-
 include/linux/tty_driver.h                       |    2 +-
 include/linux/tty_ldisc.h                        |    2 +-
 include/linux/types.h                            |   16 +
 include/linux/uaccess.h                          |    6 +-
 include/linux/unaligned/access_ok.h              |   12 +-
 include/linux/usb.h                              |    2 +-
 include/linux/usb/renesas_usbhs.h                |    2 +-
 include/linux/vermagic.h                         |   21 +-
 include/linux/vmalloc.h                          |   11 +-
 include/linux/vmstat.h                           |   20 +-
 include/media/v4l2-dev.h                         |    2 +-
 include/media/v4l2-ioctl.h                       |    1 -
 include/net/caif/cfctrl.h                        |    6 +-
 include/net/flow.h                               |    2 +-
 include/net/gro_cells.h                          |    6 +-
 include/net/inet_connection_sock.h               |    2 +-
 include/net/inetpeer.h                           |    8 +-
 include/net/ip_fib.h                             |    2 +-
 include/net/ip_vs.h                              |    4 +-
 include/net/irda/ircomm_tty.h                    |    1 +
 include/net/iucv/af_iucv.h                       |    2 +-
 include/net/neighbour.h                          |    2 +-
 include/net/net_namespace.h                      |    6 +-
 include/net/netdma.h                             |    2 +-
 include/net/netlink.h                            |    2 +-
 include/net/netns/ipv4.h                         |    2 +-
 include/net/protocol.h                           |    4 +-
 include/net/sctp/sctp.h                          |    6 +-
 include/net/sctp/structs.h                       |    4 +-
 include/net/sock.h                               |    6 +-
 include/net/tcp.h                                |    8 +-
 include/net/xfrm.h                               |    4 +-
 include/rdma/iw_cm.h                             |    2 +-
 include/scsi/libfc.h                             |    3 +-
 include/scsi/scsi_device.h                       |    6 +-
 include/scsi/scsi_transport_fc.h                 |    3 +-
 include/sound/soc.h                              |    4 +-
 include/target/target_core_base.h                |    2 +-
 include/trace/events/irq.h                       |    4 +-
 include/uapi/linux/a.out.h                       |    8 +
 include/uapi/linux/byteorder/little_endian.h     |   24 +-
 include/uapi/linux/elf.h                         |   28 +
 include/uapi/linux/screen_info.h                 |    3 +-
 include/uapi/linux/sysctl.h                      |    6 +-
 include/uapi/linux/xattr.h                       |    4 +
 include/video/udlfb.h                            |    8 +-
 include/video/uvesafb.h                          |    1 +
 init/Kconfig                                     |    2 +-
 init/Makefile                                    |    3 +
 init/do_mounts.c                                 |   14 +-
 init/do_mounts.h                                 |    8 +-
 init/do_mounts_initrd.c                          |   22 +-
 init/do_mounts_md.c                              |    6 +-
 init/init_task.c                                 |    4 +
 init/initramfs.c                                 |   40 +-
 init/main.c                                      |   78 +-
 ipc/msg.c                                        |   11 +-
 ipc/sem.c                                        |   11 +-
 ipc/shm.c                                        |   17 +-
 kernel/acct.c                                    |    2 +-
 kernel/audit.c                                   |    8 +-
 kernel/auditsc.c                                 |    4 +-
 kernel/capability.c                              |    3 +
 kernel/compat.c                                  |   40 +-
 kernel/debug/debug_core.c                        |   16 +-
 kernel/debug/kdb/kdb_main.c                      |    4 +-
 kernel/events/core.c                             |   28 +-
 kernel/exit.c                                    |    4 +-
 kernel/fork.c                                    |  167 +-
 kernel/futex.c                                   |    9 +
 kernel/gcov/base.c                               |    7 +-
 kernel/hrtimer.c                                 |    4 +-
 kernel/jump_label.c                              |    5 +
 kernel/kallsyms.c                                |   39 +-
 kernel/kexec.c                                   |    3 +-
 kernel/kmod.c                                    |    2 +-
 kernel/kprobes.c                                 |    8 +-
 kernel/lockdep.c                                 |    7 +-
 kernel/module.c                                  |  333 ++-
 kernel/mutex-debug.c                             |   12 +-
 kernel/mutex-debug.h                             |    4 +-
 kernel/mutex.c                                   |    7 +-
 kernel/notifier.c                                |   17 +-
 kernel/panic.c                                   |    3 +-
 kernel/pid.c                                     |    2 +-
 kernel/posix-cpu-timers.c                        |    4 +-
 kernel/posix-timers.c                            |   20 +-
 kernel/power/process.c                           |   12 +-
 kernel/profile.c                                 |   14 +-
 kernel/ptrace.c                                  |    6 +-
 kernel/rcutiny.c                                 |    4 +-
 kernel/rcutiny_plugin.h                          |    2 +-
 kernel/rcutorture.c                              |   56 +-
 kernel/rcutree.c                                 |   72 +-
 kernel/rcutree.h                                 |   24 +-
 kernel/rcutree_plugin.h                          |   18 +-
 kernel/rcutree_trace.c                           |   22 +-
 kernel/rtmutex-tester.c                          |   24 +-
 kernel/sched/auto_group.c                        |    4 +-
 kernel/sched/core.c                              |    2 +-
 kernel/sched/fair.c                              |    4 +-
 kernel/signal.c                                  |   12 +-
 kernel/smp.c                                     |    2 +-
 kernel/softirq.c                                 |   16 +-
 kernel/srcu.c                                    |    6 +-
 kernel/stop_machine.c                            |    2 +-
 kernel/sys.c                                     |   12 +-
 kernel/sysctl.c                                  |   37 +-
 kernel/sysctl_binary.c                           |   14 +-
 kernel/time/alarmtimer.c                         |    2 +-
 kernel/time/tick-broadcast.c                     |    2 +-
 kernel/time/timer_stats.c                        |   10 +-
 kernel/timer.c                                   |    4 +-
 kernel/trace/blktrace.c                          |    6 +-
 kernel/trace/ftrace.c                            |   20 +-
 kernel/trace/ring_buffer.c                       |   76 +-
 kernel/trace/trace.c                             |    6 +-
 kernel/trace/trace_events.c                      |   25 +-
 kernel/trace/trace_mmiotrace.c                   |    8 +-
 kernel/trace/trace_output.c                      |   12 +-
 kernel/trace/trace_stack.c                       |    2 +-
 lib/Makefile                                     |    2 +-
 lib/bitmap.c                                     |    8 +-
 lib/bug.c                                        |    2 +
 lib/debugobjects.c                               |    2 +-
 lib/devres.c                                     |    4 +-
 lib/dma-debug.c                                  |    4 +-
 lib/inflate.c                                    |    2 +-
 lib/ioremap.c                                    |    4 +-
 lib/list_debug.c                                 |   89 +-
 lib/radix-tree.c                                 |    2 +-
 lib/strncpy_from_user.c                          |    2 +-
 lib/strnlen_user.c                               |    2 +-
 lib/vsprintf.c                                   |   12 +-
 mm/Kconfig                                       |    6 +-
 mm/filemap.c                                     |    2 +-
 mm/fremap.c                                      |    5 +
 mm/highmem.c                                     |    7 +-
 mm/hugetlb.c                                     |   54 +
 mm/internal.h                                    |    1 +
 mm/maccess.c                                     |    4 +-
 mm/madvise.c                                     |   41 +
 mm/memory-failure.c                              |   18 +-
 mm/memory.c                                      |  404 ++-
 mm/mempolicy.c                                   |   26 +
 mm/mlock.c                                       |   16 +-
 mm/mmap.c                                        |  573 +++-
 mm/mprotect.c                                    |  138 +-
 mm/mremap.c                                      |   44 +-
 mm/nommu.c                                       |   11 +-
 mm/page-writeback.c                              |    2 +-
 mm/page_alloc.c                                  |   14 +-
 mm/percpu.c                                      |    2 +-
 mm/process_vm_access.c                           |   14 +-
 mm/rmap.c                                        |   38 +-
 mm/shmem.c                                       |   19 +-
 mm/slab.c                                        |  104 +-
 mm/slab.h                                        |    5 +-
 mm/slab_common.c                                 |    9 +-
 mm/slob.c                                        |  200 +-
 mm/slub.c                                        |   98 +-
 mm/sparse-vmemmap.c                              |    4 +-
 mm/sparse.c                                      |    2 +-
 mm/swap.c                                        |    3 +
 mm/swapfile.c                                    |   12 +-
 mm/util.c                                        |    6 +
 mm/vmalloc.c                                     |   82 +-
 mm/vmstat.c                                      |   12 +-
 net/8021q/vlan.c                                 |    5 +-
 net/9p/trans_fd.c                                |    2 +-
 net/atm/atm_misc.c                               |    8 +-
 net/atm/lec.h                                    |    2 +-
 net/atm/proc.c                                   |    6 +-
 net/atm/resources.c                              |    4 +-
 net/batman-adv/bat_iv_ogm.c                      |    8 +-
 net/batman-adv/hard-interface.c                  |    4 +-
 net/batman-adv/soft-interface.c                  |    4 +-
 net/batman-adv/types.h                           |    6 +-
 net/batman-adv/unicast.c                         |    2 +-
 net/bluetooth/hci_sock.c                         |    2 +-
 net/bluetooth/l2cap_core.c                       |    6 +-
 net/bluetooth/l2cap_sock.c                       |   12 +-
 net/bluetooth/rfcomm/sock.c                      |    4 +-
 net/bluetooth/rfcomm/tty.c                       |   10 +-
 net/bridge/netfilter/ebtables.c                  |    6 +-
 net/caif/cfctrl.c                                |   11 +-
 net/can/af_can.c                                 |    2 +-
 net/can/gw.c                                     |    6 +-
 net/compat.c                                     |   34 +-
 net/core/datagram.c                              |    2 +-
 net/core/dev.c                                   |   16 +-
 net/core/flow.c                                  |    8 +-
 net/core/iovec.c                                 |    4 +-
 net/core/rtnetlink.c                             |    2 +-
 net/core/scm.c                                   |    8 +-
 net/core/sock.c                                  |   24 +-
 net/decnet/sysctl_net_decnet.c                   |    4 +-
 net/ipv4/ah4.c                                   |    2 +-
 net/ipv4/esp4.c                                  |    2 +-
 net/ipv4/fib_frontend.c                          |    6 +-
 net/ipv4/fib_semantics.c                         |    2 +-
 net/ipv4/inetpeer.c                              |    4 +-
 net/ipv4/ip_fragment.c                           |    2 +-
 net/ipv4/ip_sockglue.c                           |    2 +-
 net/ipv4/ipcomp.c                                |    2 +-
 net/ipv4/ipconfig.c                              |    6 +-
 net/ipv4/netfilter/arp_tables.c                  |   12 +-
 net/ipv4/netfilter/ip_tables.c                   |   12 +-
 net/ipv4/ping.c                                  |    2 +-
 net/ipv4/raw.c                                   |   14 +-
 net/ipv4/route.c                                 |    2 +-
 net/ipv4/tcp_input.c                             |    2 +-
 net/ipv4/tcp_probe.c                             |    2 +-
 net/ipv4/udp.c                                   |   10 +-
 net/ipv6/addrconf.c                              |    2 +-
 net/ipv6/ip6_gre.c                               |    2 +-
 net/ipv6/ipv6_sockglue.c                         |    2 +-
 net/ipv6/netfilter/ip6_tables.c                  |   12 +-
 net/ipv6/raw.c                                   |   19 +-
 net/ipv6/udp.c                                   |    8 +-
 net/irda/ircomm/ircomm_tty.c                     |   18 +-
 net/iucv/af_iucv.c                               |    4 +-
 net/iucv/iucv.c                                  |    2 +-
 net/key/af_key.c                                 |    4 +-
 net/mac80211/cfg.c                               |    4 +-
 net/mac80211/ieee80211_i.h                       |    3 +-
 net/mac80211/iface.c                             |   14 +-
 net/mac80211/main.c                              |    2 +-
 net/mac80211/pm.c                                |    6 +-
 net/mac80211/rate.c                              |    2 +-
 net/mac80211/rc80211_pid_debugfs.c               |    2 +-
 net/mac80211/util.c                              |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                  |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                   |   10 +-
 net/netfilter/ipvs/ip_vs_sync.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                  |    4 +-
 net/netfilter/nfnetlink_log.c                    |    4 +-
 net/netfilter/xt_statistic.c                     |    8 +-
 net/netlink/af_netlink.c                         |    4 +-
 net/packet/af_packet.c                           |   12 +-
 net/phonet/pep.c                                 |    6 +-
 net/phonet/socket.c                              |    2 +-
 net/rds/cong.c                                   |    6 +-
 net/rds/ib.h                                     |    2 +-
 net/rds/ib_cm.c                                  |    2 +-
 net/rds/ib_recv.c                                |    4 +-
 net/rds/iw.h                                     |    2 +-
 net/rds/iw_cm.c                                  |    2 +-
 net/rds/iw_recv.c                                |    4 +-
 net/rds/tcp.c                                    |    2 +-
 net/rds/tcp_send.c                               |    2 +-
 net/rxrpc/af_rxrpc.c                             |    2 +-
 net/rxrpc/ar-ack.c                               |   14 +-
 net/rxrpc/ar-call.c                              |    2 +-
 net/rxrpc/ar-connection.c                        |    2 +-
 net/rxrpc/ar-connevent.c                         |    2 +-
 net/rxrpc/ar-input.c                             |    4 +-
 net/rxrpc/ar-internal.h                          |    8 +-
 net/rxrpc/ar-local.c                             |    2 +-
 net/rxrpc/ar-output.c                            |    4 +-
 net/rxrpc/ar-peer.c                              |    2 +-
 net/rxrpc/ar-proc.c                              |    4 +-
 net/rxrpc/ar-transport.c                         |    2 +-
 net/rxrpc/rxkad.c                                |    4 +-
 net/sctp/ipv6.c                                  |    2 +-
 net/sctp/protocol.c                              |    8 +-
 net/sctp/socket.c                                |    2 +
 net/socket.c                                     |   34 +-
 net/sunrpc/sched.c                               |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                   |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c          |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c            |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c         |   10 +-
 net/tipc/link.c                                  |    6 +-
 net/tipc/msg.c                                   |    2 +-
 net/tipc/subscr.c                                |    2 +-
 net/wireless/wext-core.c                         |   19 +-
 net/xfrm/xfrm_policy.c                           |   16 +-
 net/xfrm/xfrm_state.c                            |    4 +-
 scripts/Makefile.build                           |    2 +-
 scripts/Makefile.clean                           |    3 +-
 scripts/Makefile.host                            |   28 +-
 scripts/basic/fixdep.c                           |   12 +-
 scripts/gcc-plugin.sh                            |   17 +
 scripts/link-vmlinux.sh                          |    2 +-
 scripts/mod/file2alias.c                         |   14 +-
 scripts/mod/modpost.c                            |   25 +-
 scripts/mod/modpost.h                            |    6 +-
 scripts/mod/sumversion.c                         |    2 +-
 scripts/pnmtologo.c                              |    6 +-
 security/Kconfig                                 |  654 ++++-
 security/integrity/ima/ima.h                     |    4 +-
 security/integrity/ima/ima_api.c                 |    2 +-
 security/integrity/ima/ima_fs.c                  |    4 +-
 security/integrity/ima/ima_queue.c               |    2 +-
 security/keys/compat.c                           |    2 +-
 security/keys/keyctl.c                           |    8 +-
 security/keys/keyring.c                          |    6 +-
 security/security.c                              |    9 +-
 security/selinux/hooks.c                         |    2 +-
 security/selinux/include/xfrm.h                  |    2 +-
 security/smack/smack_lsm.c                       |    2 +-
 security/tomoyo/tomoyo.c                         |    2 +-
 sound/aoa/codecs/onyx.c                          |    7 +-
 sound/aoa/codecs/onyx.h                          |    1 +
 sound/core/oss/pcm_oss.c                         |   18 +-
 sound/core/pcm_compat.c                          |    2 +-
 sound/core/pcm_native.c                          |    4 +-
 sound/core/seq/seq_device.c                      |    8 +-
 sound/drivers/mts64.c                            |   14 +-
 sound/drivers/opl4/opl4_lib.c                    |    2 +-
 sound/drivers/portman2x4.c                       |    3 +-
 sound/firewire/amdtp.c                           |    4 +-
 sound/firewire/amdtp.h                           |    2 +-
 sound/firewire/isight.c                          |   10 +-
 sound/firewire/scs1x.c                           |    8 +-
 sound/oss/sb_audio.c                             |    2 +-
 sound/oss/swarm_cs4297a.c                        |    6 +-
 sound/pci/ymfpci/ymfpci.h                        |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                   |   12 +-
 tools/gcc/.gitignore                             |    1 +
 tools/gcc/Makefile                               |   43 +
 tools/gcc/checker_plugin.c                       |  171 +
 tools/gcc/colorize_plugin.c                      |  151 +
 tools/gcc/constify_plugin.c                      |  359 +++
 tools/gcc/generate_size_overflow_hash.sh         |   94 +
 tools/gcc/kallocstat_plugin.c                    |  170 +
 tools/gcc/kernexec_plugin.c                      |  465 +++
 tools/gcc/latent_entropy_plugin.c                |  321 ++
 tools/gcc/size_overflow_hash.data                | 3713 ++++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                 | 1941 +++++++++++
 tools/gcc/stackleak_plugin.c                     |  327 ++
 tools/perf/util/include/asm/alternative-asm.h    |    3 +
 virt/kvm/kvm_main.c                              |   32 +-
 1311 files changed, 26668 insertions(+), 6394 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
Merge: c3ccfb2 777e08c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:49:04 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:47:32 2013 -0400

    Update to pax-linux-3.10.11-test26.patch:
    - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
    - fixed an uninitialized read in splice, reported by hunger

 fs/splice.c                       |    1 +
 include/linux/syscalls.h          |   14 +-
 tools/gcc/size_overflow_hash.data |  426 +++++++++++++++++++++----------------
 3 files changed, 247 insertions(+), 194 deletions(-)

commit 5c3161364270c842d901789faac731f79a9f9cd6
Merge: cf9c476 85cdabb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:24:25 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit c3ccfb29794a03413095422100ce90d40ef7df0f
Author: Jakob Bornecrantz <jakob@vmware.com>
Date:   Thu Aug 29 02:32:53 2013 +0200

    Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
    
    drm/vmwgfx: Split GMR2_REMAP commands if they are to large
    
    This fixes the piglit test texturing/max-texture-size
    causing the VM to die due to a too large SVGA command.
    
    Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
    Reviewed-by: Biran Paul <brianp@vmware.com>
    Reviewed-by: Zack Rusin <zackr@vmware.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@gmail.com>

 drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c |   58 +++++++++++++++++++++++-----------
 1 files changed, 39 insertions(+), 19 deletions(-)

commit d260badf708d6aa16c44f56f54727532dcae826e
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Sep 3 19:29:12 2013 +0200

    Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
    
    net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    
    In tcp_v6_do_rcv() code, when processing pkt options, we soley work
    on our skb clone opt_skb that we've created earlier before entering
    tcp_rcv_established() on our way. However, only in condition ...
    
      if (np->rxopt.bits.rxtclass)
        np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
    
    ... we work on skb itself. As we extract every other information out
    of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
    already be released by tcp_rcv_established() earlier on. When we try
    to access it in ipv6_hdr(), we will dereference freed skb.
    
    [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
      IP_PKTOPTIONS") ]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/tcp_ipv6.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 29 11:47:00 2013 +0300

    Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
    
    mISDN: return -EINVAL on error in dsp_control_req()
    
    If skb->len is too short then we should return an error.  Otherwise we
    read beyond the end of skb->data for several bytes.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/mISDN/dsp_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:36:23 2013 -0400

    fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit da68dbcd96c617923a0aedb177d36b2701f9c858
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:17:02 2013 -0400

    Allow the deny_new_usb sysctl to be toggled off by a user with
    CAP_SYS_ADMIN.  This allows for more inventive uses of the feature
    that would be impossible otherwise (like toggling it while the screen is
    locked, etc)

 grsecurity/grsec_sysctl.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit ce0e893adc830ee110f97071cc17e661fb35ae3d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 18:41:49 2013 -0400

    Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
    GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
    users who know they want the functionality but don't want to bother
    with modifying init scripts
    
    Also eliminate reset_security_ops() as a ROP target when
    SECURITY_SELINUX_DISABLE is disabled as it's the only user

 grsecurity/Kconfig        |   17 ++++++++++++++++-
 grsecurity/grsec_init.c   |    3 +++
 grsecurity/grsec_sysctl.c |    2 +-
 security/security.c       |    4 ++++
 4 files changed, 24 insertions(+), 2 deletions(-)

commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
Merge: 7ee3899 cf9c476
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 1 13:56:57 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 1 13:56:16 2013 -0400

    Update to pax-linux-3.10.10-test25.patch:
    - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
    - got inet_getid and ipv6_select_ident rid of the cmpxchg loop

 block/blk-cgroup.c                |    4 ++--
 drivers/video/hyperv_fb.c         |    4 ++--
 fs/namespace.c                    |    4 ++--
 include/net/inetpeer.h            |   13 +++++--------
 kernel/trace/trace_clock.c        |    4 ++--
 net/ipv6/output_core.c            |   15 ++++++---------
 net/sunrpc/auth_gss/svcauth_gss.c |    4 ++--
 7 files changed, 21 insertions(+), 27 deletions(-)

commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
Merge: fd0338c 2bdeae7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 22:07:38 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 22:06:55 2013 -0400

    Update to pax-linux-3.10.10-test24.patch:
    - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
    - fixed a bunch more after a quick audit of atomic_inc_return users

 drivers/acpi/apei/ghes.c                      |    4 ++--
 drivers/ata/libata-core.c                     |    4 ++--
 drivers/ata/libata-scsi.c                     |    2 +-
 drivers/ata/libata.h                          |    2 +-
 drivers/block/drbd/drbd_nl.c                  |    4 ++--
 drivers/crypto/hifn_795x.c                    |    4 ++--
 drivers/edac/edac_device.c                    |    4 ++--
 drivers/edac/edac_pci.c                       |    4 ++--
 drivers/firewire/core-card.c                  |    4 ++--
 drivers/hv/hv_balloon.c                       |   18 +++++++++---------
 drivers/infiniband/hw/mlx4/mad.c              |    2 +-
 drivers/infiniband/hw/mlx4/mlx4_ib.h          |    2 +-
 drivers/input/misc/ims-pcu.c                  |    4 ++--
 drivers/input/serio/serio_raw.c               |    4 ++--
 drivers/media/pci/ivtv/ivtv-driver.c          |    2 +-
 drivers/media/radio/radio-maxiradio.c         |    2 +-
 drivers/media/radio/radio-shark.c             |    2 +-
 drivers/media/radio/radio-shark2.c            |    2 +-
 drivers/media/radio/radio-si476x.c            |    2 +-
 drivers/media/rc/rc-main.c                    |    4 ++--
 drivers/media/v4l2-core/v4l2-device.c         |    4 ++--
 drivers/net/usb/sierra_net.c                  |    4 ++--
 drivers/pci/hotplug/pciehp_hpc.c              |    4 +---
 drivers/regulator/core.c                      |    4 ++--
 drivers/scsi/fcoe/fcoe_sysfs.c                |   12 ++++++------
 drivers/staging/android/timed_output.c        |    6 +++---
 drivers/staging/media/solo6x10/solo6x10-p2m.c |    2 +-
 drivers/staging/media/solo6x10/solo6x10.h     |    2 +-
 drivers/target/sbp/sbp_target.c               |    4 ++--
 drivers/tty/hvc/hvsi.c                        |   12 ++++++------
 drivers/tty/hvc/hvsi_lib.c                    |    6 +++---
 drivers/tty/serial/ioc4_serial.c              |    6 +++---
 drivers/tty/serial/msm_serial.c               |    4 ++--
 drivers/usb/misc/appledisplay.c               |    4 ++--
 fs/afs/inode.c                                |    4 ++--
 fs/btrfs/delayed-inode.c                      |    6 +++---
 fs/btrfs/delayed-inode.h                      |    4 ++--
 fs/fscache/cookie.c                           |    4 ++--
 include/media/v4l2-device.h                   |    2 +-
 net/ceph/messenger.c                          |    4 ++--
 net/core/netpoll.c                            |    4 ++--
 net/xfrm/xfrm_state.c                         |    4 ++--
 security/selinux/avc.c                        |    6 +++---
 43 files changed, 93 insertions(+), 95 deletions(-)

commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
Merge: 1bdf7ec 85099d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 21:07:29 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 21:06:55 2013 -0400

    Update to pax-linux-3.10.10-test23.patch:
    - added the necessary atomic_unchecked_t conversion for mips
    - audited and fixed arm and sparc for proper atomic_unchecked_t usage

 arch/arm/kvm/arm.c            |    8 ++++----
 arch/arm/mm/context.c         |   10 +++++-----
 arch/mips/kernel/irq.c        |    6 +++---
 arch/mips/kernel/sync-r4k.c   |   24 ++++++++++++------------
 arch/mips/sgi-ip27/ip27-nmi.c |    6 +++---
 arch/sparc/kernel/smp_64.c    |   12 ++++++------
 arch/sparc/kernel/traps_64.c  |   14 +++++++-------
 arch/sparc/mm/init_64.c       |   10 +++++-----
 8 files changed, 45 insertions(+), 45 deletions(-)

commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
Merge: 995a168 38ee86c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 19:23:36 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 19:23:11 2013 -0400

    Update to pax-linux-3.10.10-test22.patch:
    - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
    - fixed a few more format strings

 arch/mips/include/asm/atomic.h          |   20 ++++++++++++++++----
 drivers/md/bcache/super.c               |    2 +-
 drivers/net/wireless/iwlwifi/dvm/main.c |    3 +--
 drivers/pci/hotplug/pciehp_hpc.c        |    2 +-
 drivers/platform/x86/wmi.c              |    2 +-
 drivers/scsi/sd.c                       |    2 +-
 drivers/vfio/vfio.c                     |    4 ++--
 fs/ntfs/super.c                         |    6 +++---
 include/linux/workqueue.h               |    6 +++---
 net/mac80211/main.c                     |    2 +-
 sound/pci/hda/hda_codec.c               |    8 ++------
 11 files changed, 32 insertions(+), 25 deletions(-)

commit 995a16841e2097c3a9dfc652e856469679c4a0ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 17:11:11 2013 -0400

    fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast

 grsecurity/grsec_sysctl.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
Merge: be2497c 1052971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 29 20:44:29 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        include/linux/sched.h

commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
Merge: e902dad 8bf3379
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 29 20:39:50 2013 -0400

    Update to pax-linux-3.10.10-test21.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/sys_x86_64.c
        arch/x86/mm/mmap.c
        include/linux/sched.h

commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
Merge: 081c22b e902dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:52:44 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:51:21 2013 -0400

    Update to pax-linux-3.10.9-test21.patch:
    - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
    - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
    - fixed a REFCOUNT false positive in UHID
    - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
      Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
      (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
      - icmpv6_filter: no memory corruption, probably just some logical error in the caller
      - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
      - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
      - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
      - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
      - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network

 arch/arm/mm/fault.c                        |    2 +-
 arch/mips/kernel/traps.c                   |    2 --
 drivers/hid/uhid.c                         |    6 +++---
 drivers/isdn/gigaset/usb-gigaset.c         |    2 +-
 drivers/isdn/i4l/isdn_common.c             |    2 ++
 drivers/net/wireless/hostap/hostap_ioctl.c |    4 ++--
 drivers/usb/dwc3/gadget.c                  |    2 --
 net/ieee802154/6lowpan.c                   |    2 +-
 net/ipv6/raw.c                             |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c    |    6 +++---
 10 files changed, 14 insertions(+), 16 deletions(-)

commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:42:39 2013 -0400

    add export of gr_handle_new_usb()

 grsecurity/grsec_usb.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 19:24:47 2013 -0400

    Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
    Kees' recent findings are motivation enough to publish it

 drivers/usb/core/hub.c     |    5 +++++
 grsecurity/Kconfig         |   20 ++++++++++++++++++++
 grsecurity/Makefile        |    3 ++-
 grsecurity/grsec_init.c    |    1 +
 grsecurity/grsec_sysctl.c  |   11 +++++++++++
 grsecurity/grsec_usb.c     |   13 +++++++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grsecurity.h |    2 ++
 8 files changed, 55 insertions(+), 1 deletions(-)

commit 8044382257ec75a03f3d784ce048ef14e94b90ca
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:35:07 2013 -0700

    HID: zeroplus: validate output report details
    
    The zeroplus HID driver was not checking the size of allocated values
    in fields it used. A HID device could send a malicious output report
    that would cause the driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
    ...
    [ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2889
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-zpff.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 14:36:15 2013 -0700

    HID: provide a helper for validating hid reports
    
    Many drivers need to validate the characteristics of their HID report
    during initialization to avoid misusing the reports. This adds a common
    helper to perform validation of the report, its field count, and the
    value count within the fields.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-core.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/hid.h    |    4 +++
 2 files changed, 54 insertions(+), 0 deletions(-)

commit 270ba9096ddecdc3cf6c4d76e6892184820116be
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:14:34 2013 -0700

    HID: steelseries: validate output report details
    
    A HID device could send a malicious output report that would cause the
    steelseries HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
    ...
    [  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2891
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-steelseries.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 08:49:21 2013 -0700

    HID: pantherlord: validate output report details
    
    A HID device could send a malicious output report that would cause the
    pantherlord HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
    ...
    [  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2892
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-pl.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 60115e8108e508060815bce5ef9504233c81898c
Author: Kees Cook <keescook@chromium.org>
Date:   Tue Aug 13 16:49:01 2013 -0700

    HID: LG: validate HID output report details
    
    A HID device could send a malicious output report that would cause the
    lg, lg3, and lg4 HID drivers to write beyond the output report allocation
    during an event, causing a heap overflow:
    
    [  325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
    ...
    [  414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
    
    Additionally, while lg2 did correctly validate the report details, it was
    cleaned up and shortened.
    
    CVE-2013-2893
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-lg2ff.c |   19 +++----------------
 drivers/hid/hid-lg3ff.c |   29 ++++++-----------------------
 drivers/hid/hid-lg4ff.c |   20 +-------------------
 drivers/hid/hid-lgff.c  |   17 ++---------------
 4 files changed, 12 insertions(+), 73 deletions(-)

commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:21:23 2013 -0700

    HID: lenovo-tpkbd: validate output report details
    
    A HID device could send a malicious output report that would cause the
    lenovo-tpkbd HID driver to write just beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
    ...
    [   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2894
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-lenovo-tpkbd.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 38627769bb2b9a550e251b2caf1babda7566fb4a
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:45:03 2013 -0700

    HID: logitech-dj: validate output report details
    
    A HID device could send a malicious output report that would cause the
    logitech-dj HID driver to leak kernel memory contents to the device, or
    trigger a NULL dereference during initialization:
    
    [  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
    ...
    [  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
    [  304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
    
    CVE-2013-2895
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-logitech-dj.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:18:15 2013 -0700

    HID: ntrig: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    ntrig HID driver to trigger a NULL dereference during initialization:
    
    [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
    ...
    [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
    [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
    
    CVE-2013-2896
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-ntrig.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:11:32 2013 -0700

    HID: multitouch: validate feature report details
    
    When working on report indexes, always validate that they are in bounds.
    Without this, a HID device could report a malicious feature report that
    could trick the driver into a heap overflow:
    
    [  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
    ...
    [  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2897
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-multitouch.c |   25 ++++++++++++++++++++-----
 1 files changed, 20 insertions(+), 5 deletions(-)

commit 813f51e0881e4ea6d221da828b1cced02ad9694d
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:12:45 2013 -0700

    HID: sensor-hub: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    sensor-hub HID driver to read past the end of heap allocation, leaking
    kernel memory contents to the caller.
    
    CVE-2013-2898
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-sensor-hub.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:05:10 2013 -0700

    HID: picolcd_core: validate output report details
    
    A HID device could send a malicious output report that would cause the
    picolcd HID driver to trigger a NULL dereference during attr file writing.
    
    CVE-2013-2899
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-picolcd_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:09:54 2013 -0700

    HID: check for NULL field when setting values
    
    Defensively check that the field to be worked on is not NULL.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-core.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 96a55ce1b2f3af376c400a02059174e79ce4399c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 18:09:18 2013 -0400

    http://marc.info/?l=linux-input&m=137772180514608&q=raw
    
    From: Kees Cook <keescook@chromium.org>
    
    The "Report ID" field of a HID report is used to build indexes of
    reports. The kernel's index of these is limited to 256 entries, so any
    malicious device that sets a Report ID greater than 255 will trigger
    memory corruption on the host:
    
    [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
    [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
    
    CVE-2013-2888
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    ---
     drivers/hid/hid-core.c |   10 +++++++---
     include/linux/hid.h    |    4 +++-
     2 files changed, 10 insertions(+), 4 deletions(-)

 drivers/hid/hid-core.c |   10 +++++++---
 include/linux/hid.h    |    4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)

commit eb1106eef5f17bfda833ca3cf89e315919173257
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Aug 9 12:52:31 2013 +0300

    Upstream commit: 909bd5926d474e275599094acad986af79671ac9
    
    Hostap: copying wrong data prism2_ioctl_giwaplist()
    
    We want the data stored in "addr" and "qual", but the extra ampersands
    mean we are copying stack data instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/hostap/hostap_ioctl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 17:01:21 2013 -0400

    fix typo in ipv6 backport

 net/ipv6/addrconf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Aug 22 11:39:15 2013 -0700

    Upstream commit: d661684cf6820331feae71146c35da83d794467e
    
    net: Check the correct namespace when spoofing pid over SCM_RIGHTS
    
    This is a security bug.
    
    The follow-up will fix nsproxy to discourage this type of issue from
    happening again.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/scm.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Aug 16 13:02:27 2013 +0200

    Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
    
    ipv6: remove max_addresses check from ipv6_create_tempaddr
    
    Because of the max_addresses check attackers were able to disable privacy
    extensions on an interface by creating enough autoconfigured addresses:
    
    <http://seclists.org/oss-sec/2012/q4/292>
    
    But the check is not actually needed: max_addresses protects the
    kernel to install too many ipv6 addresses on an interface and guards
    addrconf_prefix_rcv to install further addresses as soon as this limit
    is reached. We only generate temporary addresses in direct response of
    a new address showing up. As soon as we filled up the maximum number of
    addresses of an interface, we stop installing more addresses and thus
    also stop generating more temp addresses.
    
    Even if the attacker tries to generate a lot of temporary addresses
    by announcing a prefix and removing it again (lifetime == 0) we won't
    install more temp addresses, because the temporary addresses do count
    to the maximum number of addresses, thus we would stop installing new
    autoconfigured addresses when the limit is reached.
    
    This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
    possible).
    
    Thanks to Ding Tianhong to bring this topic up again.
    
    Cc: Ding Tianhong <dingtianhong@huawei.com>
    Cc: George Kargiotakis <kargig@void.gr>
    Cc: P J P <ppandit@redhat.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Ding Tianhong <dingtianhong@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/ipv6/addrconf.c

 net/ipv6/addrconf.c |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit 8333e0981469a226a47d0142ff31090a48db95a4
Author: David Vrabel <david.vrabel@citrix.com>
Date:   Thu Aug 15 13:21:06 2013 +0100

    Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
    
    xen/events: initialize local per-cpu mask for all possible events
    
    The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
    resulting in only the first 64 (or 32 in 32-bit guests) ports having
    their bindings being initialized to VCPU 0.
    
    In most cases this does not cause a problem as request_irq() will set
    the irq affinity which will set the correct local per-cpu mask.
    However, if the request_irq() is called on a VCPU other than 0, there
    is a window between the unmasking of the event and the affinity being
    set were an event may be lost because it is not locally unmasked on
    any VCPU. If request_irq() is called on VCPU 0 then local irqs are
    disabled during the window and the race does not occur.
    
    Fix this by initializing all NR_EVENT_CHANNEL bits in the local
    per-cpu masks.
    
    Signed-off-by: David Vrabel <david.vrabel@citrix.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    CC: stable@vger.kernel.org

 drivers/xen/events.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2a9a83768433937a2b7a97001ba1627156c0efed
Author: Roland Dreier <roland@purestorage.com>
Date:   Mon Aug 5 17:55:01 2013 -0700

    Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
    
    [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
    
    There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
    leads to one process writing data into the address space of some other
    random unrelated process if the ioctl is interrupted by a signal.
    What happens is the following:
    
     - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
       underlying SCSI command will transfer data from the SCSI device to
       the buffer provided in the ioctl)
    
     - Before the command finishes, a signal is sent to the process waiting
       in the ioctl.  This will end up waking up the sg_ioctl() code:
    
                result = wait_event_interruptible(sfp->read_wait,
                        (srp_done(sfp, srp) || sdp->detached));
    
       but neither srp_done() nor sdp->detached is true, so we end up just
       setting srp->orphan and returning to userspace:
    
                srp->orphan = 1;
                write_unlock_irq(&sfp->rq_list_lock);
                return result;  /* -ERESTARTSYS because signal hit process */
    
       At this point the original process is done with the ioctl and
       blithely goes ahead handling the signal, reissuing the ioctl, etc.
    
     - Eventually, the SCSI command issued by the first ioctl finishes and
       ends up in sg_rq_end_io().  At the end of that function, we run through:
    
        write_lock_irqsave(&sfp->rq_list_lock, iflags);
        if (unlikely(srp->orphan)) {
                if (sfp->keep_orphan)
                        srp->sg_io_owned = 0;
                else
                        done = 0;
        }
        srp->done = done;
        write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
    
        if (likely(done)) {
                /* Now wake up any sg_read() that is waiting for this
                 * packet.
                 */
                wake_up_interruptible(&sfp->read_wait);
                kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
                kref_put(&sfp->f_ref, sg_remove_sfp);
        } else {
                INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
                schedule_work(&srp->ew.work);
        }
    
       Since srp->orphan *is* set, we set done to 0 (assuming the
       userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
       ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
       to run in a workqueue.
    
     - In workqueue context we go through sg_rq_end_io_usercontext() ->
       sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
       bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
    
       The key point here is that we are doing copy_to_user() on a
       workqueue -- that is, we're on a kernel thread with current->mm
       equal to whatever random previous user process was scheduled before
       this kernel thread.  So we end up copying whatever data the SCSI
       command returned to the virtual address of the buffer passed into
       the original ioctl, but it's quite likely we do this copying into a
       different address space!
    
    As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
    add a check for current->mm (which is NULL if we're on a kernel thread
    without a real userspace address space) in bio_uncopy_user(), and skip
    the copy if we're on a kernel thread.
    
    There's no reason that I can think of for any caller of bio_uncopy_user()
    to want to do copying on a kernel thread with a random active userspace
    address space.
    
    Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
    original pointer to this bug in the sg code.
    
    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Tested-by: David Milburn <dmilburn@redhat.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>

 fs/bio.c |   20 +++++++++++++++-----
 1 files changed, 15 insertions(+), 5 deletions(-)

commit e6fe57dee152671afd618d6bc8cbf23155be6c34
Merge: cdc8f7d f2095a4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 18:13:35 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/mm/fault.c
        security/Kconfig

commit f2095a4787f7d332e5919f0bd00f8de6021ad612
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 18:08:23 2013 -0400

    Update to pax-linux-3.10.9-test20.patch:
    - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
    - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
    - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
    - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
    - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
    - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
    - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)

 arch/arm/mm/fault.c               |   11 +-
 arch/mips/include/asm/atomic.h    |  722 +++++++++++++++++++++++++++++++++++--
 arch/mips/kernel/traps.c          |   14 +-
 arch/x86/include/asm/tlbflush.h   |    4 +
 arch/x86/include/asm/uaccess_64.h |    2 +-
 fs/ntfs/file.c                    |    2 +-
 kernel/events/internal.h          |    4 +-
 kernel/events/uprobes.c           |    2 +-
 kernel/futex.c                    |    2 +-
 mm/filemap.c                      |    8 +-
 security/Kconfig                  |    2 +-
 tools/gcc/kernexec_plugin.c       |   18 +-
 tools/gcc/latent_entropy_plugin.c |   26 +-
 tools/gcc/size_overflow_plugin.c  |    3 +-
 14 files changed, 750 insertions(+), 70 deletions(-)

commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
Merge: 5a9ae57 745975e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 26 20:27:33 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 745975e3b3b74b64e00e85778f9a22714d1274f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 26 20:26:33 2013 -0400

    Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
    as reported by fabled on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=1&t=3720

 arch/arm/include/asm/pgtable.h |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
Merge: 486ec00 f68df21
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:15:20 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:14:50 2013 -0400

    Update to pax-linux-3.10.9-test18.patch:
    - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
    - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
    - forward port to 3.10.9

 arch/x86/kernel/entry_64.S       |   18 +++++++++---------
 arch/x86/kernel/i386_ksyms_32.c  |    4 ++++
 arch/x86/kernel/x8664_ksyms_64.c |    4 ++++
 3 files changed, 17 insertions(+), 9 deletions(-)

commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
Merge: f47a293 d8fed0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:12:47 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
Merge: f6ace8e 0a4b6d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:12:33 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit f47a293a1440da2a3e2c239d43d636e37ca74f10
Merge: f1e8ec7 f6ace8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:20:05 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/kernel/perf_event.c
        include/linux/sched.h

commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
Merge: b4fa847 6f54059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:18:02 2013 -0400

    Update to pax-linux-3.10.8-test18.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/sys_x86_64.c
        arch/x86/mm/mmap.c
        include/linux/sched.h

commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
Merge: 6f88011 b4fa847
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:05:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:04:14 2013 -0400

    Update to pax-linux-3.10.7-test18.patch:
    - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
    - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
    - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause

 arch/arm/kernel/process.c        |    2 +-
 arch/x86/include/asm/processor.h |   25 ++-----------------------
 arch/x86/kernel/cpu/common.c     |    4 ++++
 arch/x86/kernel/setup.c          |   36 ++++++++++++++++++++++++++++++++++++
 drivers/staging/zcache/tmem.c    |    4 ++--
 drivers/staging/zcache/tmem.h    |    6 ++----
 6 files changed, 47 insertions(+), 30 deletions(-)

commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 19 22:10:04 2013 -0400

    fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
    as reported by pipacs

 arch/x86/kernel/smpboot.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
Merge: 6eba999 5de93c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 22:03:19 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 22:02:47 2013 -0400

    Update to pax-linux-3.10.7-test15.patch:
    - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
    - fixed some new REFCOUNT false positives, caught by inspection

 arch/x86/kernel/cpu/common.c |    5 +++--
 arch/x86/kernel/entry_64.S   |   11 +++++++----
 fs/ceph/super.c              |    4 ++--
 mm/backing-dev.c             |    4 ++--
 4 files changed, 14 insertions(+), 10 deletions(-)

commit 94c119587c76723c1072237b98fff9886ccb7689
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 20:49:39 2013 -0400

    fix pipacs' DEMORGAN typo

 arch/x86/include/asm/tlbflush.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
Merge: df347f6 64a293e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 18:13:04 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 18:12:37 2013 -0400

    Update to pax-linux-3.10.7-test14.patch:
    - fixed compile error introduced by the previous PCID change
    - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)

 arch/x86/include/asm/tlbflush.h |    2 +-
 kernel/posix-timers.c           |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
Merge: d8efbc5 e11b314
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 08:15:00 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e11b314734c5b7317f5468be75305ad812e78c2b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 08:14:26 2013 -0400

    Update to pax-linux-3.10.7-test13.patch:
    - always enable the use of PCID and INVPCID when available in the CPU
      - kvm guest kernels can use these features even if the host kernel lacks UDEREF

 arch/x86/include/asm/tlbflush.h |   69 ++++++++++++++++++++++----------------
 arch/x86/kernel/cpu/common.c    |   48 +++++++++++++++++----------
 2 files changed, 70 insertions(+), 47 deletions(-)

commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 12:00:20 2013 -0400

    make kallsyms_lookup_size_offset available to approved source files

 include/linux/kallsyms.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6c8feffa95ce2db280160015027b52bb41a344c8
Merge: dbf6930 0bb1c2b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:57:50 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:56:43 2013 -0400

    Update to pax-linux-3.10.7-test12.patch:
    - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
    - fixed some arm compile problems

 arch/x86/include/asm/tlbflush.h      |    2 +-
 drivers/clocksource/bcm_kona_timer.c |    2 +-
 kernel/signal.c                      |    4 ++++
 3 files changed, 6 insertions(+), 2 deletions(-)

commit dbf69305ad4f8a037aae95af90f9201f556dcb48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:18:09 2013 -0400

    allow use of kallsyms_lookup_name to approved source files

 include/linux/kallsyms.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
Merge: 68bd16f f562e3e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 10:35:02 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f562e3ef7737ea8d80431a722479b36a12504ace
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 10:34:51 2013 -0400

    add uderef_64.c

 arch/x86/mm/uderef_64.c |   37 +++++++++++++++++++++++++++++++++++++
 1 files changed, 37 insertions(+), 0 deletions(-)

commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
Date:   Mon Aug 12 16:30:09 2013 +0000

    Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
    
    rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
    
    Fix the iproute2 command `bridge vlan show`, after switching from
    rtgenmsg to ifinfomsg.
    
    Let's start with a little history:
    
    Feb 20:   Vlad Yasevich got his VLAN-aware bridge patchset included in
              the 3.9 merge window.
              In the kernel commit 6cbdceeb, he added attribute support to
              bridge GETLINK requests sent with rtgenmsg.
    
    Mar 6th:  Vlad got this iproute2 reference implementation of the bridge
              vlan netlink interface accepted (iproute2 9eff0e5c)
    
    Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
              http://patchwork.ozlabs.org/patch/239602/
              http://marc.info/?t=136680900700007
    
    Apr 28th: Linus released 3.9
    
    Apr 30th: Stephen released iproute2 3.9.0
    
    The `bridge vlan show` command haven't been working since the switch to
    ifinfomsg, or in a released version of iproute2. Since the kernel side
    only supports rtgenmsg, which iproute2 switched away from just prior to
    the iproute2 3.9.0 release.
    
    I haven't been able to find any documentation, about neither rtgenmsg
    nor ifinfomsg, and in which situation to use which, but kernel commit
    88c5b5ce seams to suggest that ifinfomsg should be used.
    
    Fixing this in kernel will break compatibility, but I doubt that anybody
    have been using it due to this bug in the user space reference
    implementation, at least not without noticing this bug. That said the
    functionality is still fully functional in 3.9, when reversing iproute2
    commit 63338dca.
    
    This could also be fixed in iproute2, but thats an ugly patch that would
    reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
    like rtgenmsg usage is discouraged. I'm assuming that the only reason
    that Vlad implemented the kernel side to use rtgenmsg, was because
    iproute2 was using it at the time.
    
    Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
    Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/rtnetlink.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8c7bc5bafddddff55ed4687203a977e96f72540a
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Aug 13 09:04:05 2013 +0200

    Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
    
    genetlink: fix family dump race
    
    When dumping generic netlink families, only the first dump call
    is locked with genl_lock(), which protects the list of families,
    and thus subsequent calls can access the data without locking,
    racing against family addition/removal. This can cause a crash.
    Fix it - the locking needs to be conditional because the first
    time around it's already locked.
    
    A similar bug was reported to me on an old kernel (3.4.47) but
    the exact scenario that happened there is no longer possible,
    on those kernels the first round wasn't locked either. Looking
    at the current code I found the race described above, which had
    also existed on the old kernel.
    
    Cc: stable@vger.kernel.org
    Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/netlink/genetlink.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Aug 9 16:25:21 2013 +0200

    Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
    
    net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
    
    Probably this one is quite unlikely to be triggered, but it's more safe
    to do the call_rcu() at the end after we have dropped the reference on
    the asoc and freed sctp packet chunks. The reason why is because in
    sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
    we're unlucky enough we could run into corrupted pointers. Probably
    that's more of theoretical nature, but it's safer to have this simple fix.
    
    Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
    for deferred call_rcu's"). I also did the 8c98653f regression test and
    it's fine that way.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/transport.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 3925eab5483946fd746575a46f97bee9d566bb77
Author: Stephane Grosjean <s.grosjean@peak-system.com>
Date:   Fri Aug 9 11:44:06 2013 +0200

    Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
    
    can: pcan_usb: fix wrong memcpy() bytes length
    
    Fix possibly wrong memcpy() bytes length since some CAN records received from
    PCAN-USB could define a DLC field in range [9..15].
    In that case, the real DLC value MUST be used to move forward the record pointer
    but, only 8 bytes max. MUST be copied into the data field of the struct
    can_frame object of the skb given to the network core.
    
    Cc: linux-stable <stable@vger.kernel.org>
    Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/can/usb/peak_usb/pcan_usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c1ac6642baae4a400d1f87115024d1bb1ef53598
Author: Linus Lüssing <linus.luessing@web.de>
Date:   Tue Aug 6 20:21:15 2013 +0200

    Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
    
    batman-adv: fix potential kernel paging errors for unicast transmissions
    
    There are several functions which might reallocate skb data. Currently
    some places keep reusing their old ethhdr pointer regardless of whether
    they became invalid after such a reallocation or not. This potentially
    leads to kernel paging errors.
    
    This patch fixes these by refetching the ethdr pointer after the
    potential reallocations.
    
    Signed-off-by: Linus Lüssing <linus.luessing@web.de>
    Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
    Signed-off-by: Antonio Quartulli <ordex@autistici.org>

 net/batman-adv/bridge_loop_avoidance.c |    2 ++
 net/batman-adv/gateway_client.c        |   13 ++++++++++++-
 net/batman-adv/gateway_client.h        |    3 +--
 net/batman-adv/soft-interface.c        |    9 ++++++++-
 net/batman-adv/unicast.c               |   13 ++++++++++---
 5 files changed, 33 insertions(+), 7 deletions(-)

commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
Author: Yuchung Cheng <ycheng@google.com>
Date:   Fri Aug 9 17:21:27 2013 -0700

    Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
    
    netfilter: nf_conntrack: fix tcp_in_window for Fast Open
    
    Currently the conntrack checks if the ending sequence of a packet
    falls within the observed receive window. However it does so even
    if it has not observe any packet from the remote yet and uses an
    uninitialized receive window (td_maxwin).
    
    If a connection uses Fast Open to send a SYN-data packet which is
    dropped afterward in the network. The subsequent SYNs retransmits
    will all fail this check and be discarded, leading to a connection
    timeout. This is because the SYN retransmit does not contain data
    payload so
    
    end == initial sequence number (isn) + 1
    sender->td_end == isn + syn_data_len
    receiver->td_maxwin == 0
    
    The fix is to only apply this check after td_maxwin is initialized.
    
    Reported-by: Michael Chan <mcfchan@stanford.edu>
    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_conntrack_proto_tcp.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 1 12:36:57 2013 +0300

    Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
    
    netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
    
    These structs have a "_pad" member.  Also the "phw" structs have an 8
    byte "hw_addr[]" array but sometimes only the first 6 bytes are
    initialized.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_log.c        |    6 +++++-
 net/netfilter/nfnetlink_queue_core.c |    5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jul 25 10:46:46 2013 +0200

    Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
    
    netfilter: xt_TCPOPTSTRIP: fix possible off by one access
    
    Fix a possible off by one access since optlen()
    touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
    
    This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
    that stores the TCP header length, to save some cycles.
    
    Reported-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/xt_TCPOPTSTRIP.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jul 25 10:37:49 2013 +0200

    Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
    
    netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
    
    Make sure the packet has enough room for the TCP header and
    that it is not malformed.
    
    While at it, store tcph->doff*4 in a variable, as it is used
    several times.
    
    This patch also fixes a possible off by one in case of malformed
    TCP options.
    
    Reported-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/xt_TCPMSS.c |   28 ++++++++++++++++------------
 1 files changed, 16 insertions(+), 12 deletions(-)

commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
Author: Dave Jones <davej@redhat.com>
Date:   Fri Aug 9 11:16:34 2013 -0700

    Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
    
    8139cp: Fix skb leak in rx_status_loop failure path.
    
    Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
    ("8139cp: Add dma_mapping_error checking")
    
    Signed-off-by: Dave Jones <davej@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/realtek/8139cp.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 227b279491a0bbcc70ca3654f34903282c378600
Author: Timo Teräs <timo.teras@iki.fi>
Date:   Tue Aug 6 13:45:43 2013 +0300

    Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
    
    ip_gre: fix ipgre_header to return correct offset
    
    Fix ipgre_header() (header_ops->create) to return the correct
    amount of bytes pushed. Most callers of dev_hard_header() seem
    to care only if it was success, but af_packet.c uses it as
    offset to the skb to copy from userspace only once. In practice
    this fixes packet socket sendto()/sendmsg() to gre tunnels.
    
    Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
    ("GRE: Refactor GRE tunneling code.")
    
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: Timo Teräs <timo.teras@iki.fi>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_gre.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Aug 5 11:18:49 2013 -0700

    Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
    
    fib_trie: remove potential out of bound access
    
    AddressSanitizer [1] dynamic checker pointed a potential
    out of bound access in leaf_walk_rcu()
    
    We could allocate one more slot in tnode_new() to leave the prefetch()
    in-place but it looks not worth the pain.
    
    Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
    
    [1] :
    https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
    
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/fib_trie.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Aug 5 12:49:35 2013 +0200

    Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
    
    net: esp{4,6}: fix potential MTU calculation overflows
    
    Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
    size calculation") introduced a possible interger overflow in
    esp{4,6}_get_mtu() handlers in case of x->props.mode equals
    XFRM_MODE_TUNNEL. Thus, the following expression will overflow
    
      unsigned int net_adj;
      ...
      <case ipv{4,6} XFRM_MODE_TUNNEL>
             net_adj = 0;
      ...
      return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
               net_adj) & ~(align - 1)) + (net_adj - 2);
    
    where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
    context. Fix it by simply removing brackets as those operations here
    do not need to have special precedence.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Benjamin Poirier <bpoirier@suse.de>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Acked-by: Benjamin Poirier <bpoirier@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c |    2 +-
 net/ipv6/esp6.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit f02bce292d1c2fe610be509c96593e70b3de387b
Author: Julia Lawall <Julia.Lawall@lip6.fr>
Date:   Mon Aug 5 16:47:38 2013 +0200

    Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
    
    net/vmw_vsock/af_vsock.c: drop unneeded semicolon
    
    Drop the semicolon at the end of the list_for_each_entry loop header.
    
    Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/vmw_vsock/af_vsock.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
Author: Tiger Yang <tiger.yang@oracle.com>
Date:   Tue Aug 13 16:00:58 2013 -0700

    Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
    
    ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
    
    Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
    the struct file pointer, it finally result in a null pointer dereference
    in ocfs2_duplicate_clusters_by_page.
    
    This patch replace file pointer with inode pointer in
    cow_duplicate_clusters to fix this issue.
    
    [jeff.liu@oracle.com: rebased patch against linux-next tree]
    Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
    Signed-off-by: Jie Liu <jeff.liu@oracle.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Mark Fasheh <mfasheh@suse.com>
    Acked-by: Tao Ma <tm@tao.ma>
    Tested-by: David Weber <wb@munzinger.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/ocfs2/aops.c         |    2 +-
 fs/ocfs2/file.c         |    6 ++--
 fs/ocfs2/move_extents.c |    2 +-
 fs/ocfs2/refcounttree.c |   53 +++++++---------------------------------------
 fs/ocfs2/refcounttree.h |    6 ++--
 5 files changed, 16 insertions(+), 53 deletions(-)

commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 15 15:52:57 2013 +0300

    Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
    
    tun: signedness bug in tun_get_user()
    
    The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
    not totally correct.  Because "len" and "sizeof()" are size_t type, that
    means they are never less than zero.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 26ad267ddda451919357965a0cf271ca24d1bcf2
Author: Weiping Pan <wpan@redhat.com>
Date:   Tue Aug 13 21:46:56 2013 +0800

    Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
    
    tun: compare with 0 instead of total_len
    
    Since we set "len = total_len" in the beginning of tun_get_user(),
    so we should compare the new len with 0, instead of total_len,
    or the if statement always returns false.
    
    Signed-off-by: Weiping Pan <wpan@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Fri Aug 16 20:50:55 2013 -0700

    Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
    
    s390: Fix broken build
    
    Fix this build error:
    
      In file included from fs/exec.c:61:0:
      arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
      arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
      arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
      arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
    
    Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
    invalidation corner cases").
    
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    [ Oh well. We had build testing for ppc amd um, but no s390  - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/s390/include/asm/tlb.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4e57312c2de2a25ddb181d129dafbc0251062c33
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Aug 15 11:42:25 2013 -0700

    Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
    
    Fix TLB gather virtual address range invalidation corner cases
    
    Ben Tebulin reported:
    
     "Since v3.7.2 on two independent machines a very specific Git
      repository fails in 9/10 cases on git-fsck due to an SHA1/memory
      failures.  This only occurs on a very specific repository and can be
      reproduced stably on two independent laptops.  Git mailing list ran
      out of ideas and for me this looks like some very exotic kernel issue"
    
    and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
    limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
    
    That commit itself is not actually buggy, but what it does is to make it
    much more likely to hit the partial TLB invalidation case, since it
    introduces a new case in tlb_next_batch() that previously only ever
    happened when running out of memory.
    
    The real bug is that the TLB gather virtual memory range setup is subtly
    buggered.  It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
    enable tlb flush range in generic mmu_gather"), and the range handling
    was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
    range flushed when __tlb_remove_page() runs out of slots"), but that fix
    was not complete.
    
    The problem with the TLB gather virtual address range is that it isn't
    set up by the initial tlb_gather_mmu() initialization (which didn't get
    the TLB range information), but it is set up ad-hoc later by the
    functions that actually flush the TLB.  And so any such case that forgot
    to update the TLB range entries would potentially miss TLB invalidates.
    
    Rather than try to figure out exactly which particular ad-hoc range
    setup was missing (I personally suspect it's the hugetlb case in
    zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
    did), this patch just gets rid of the problem at the source: make the
    TLB range information available to tlb_gather_mmu(), and initialize it
    when initializing all the other tlb gather fields.
    
    This makes the patch larger, but conceptually much simpler.  And the end
    result is much more understandable; even if you want to play games with
    partial ranges when invalidating the TLB contents in chunks, now the
    range information is always there, and anybody who doesn't want to
    bother with it won't introduce subtle bugs.
    
    Ben verified that this fixes his problem.
    
    Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
    Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
    Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
    Reviewed-by: Michal Hocko <mhocko@suse.cz>
    Acked-by: Peter Zijlstra <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/arm/include/asm/tlb.h   |    7 +++++--
 arch/arm64/include/asm/tlb.h |    7 +++++--
 arch/ia64/include/asm/tlb.h  |    9 ++++++---
 arch/s390/include/asm/tlb.h  |    8 ++++++--
 arch/sh/include/asm/tlb.h    |    6 ++++--
 arch/um/include/asm/tlb.h    |    6 ++++--
 fs/exec.c                    |    4 ++--
 include/asm-generic/tlb.h    |    2 +-
 mm/hugetlb.c                 |    2 +-
 mm/memory.c                  |   36 +++++++++++++++++++++---------------
 mm/mmap.c                    |    4 ++--
 11 files changed, 57 insertions(+), 34 deletions(-)

commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
Merge: 5568c80 ffceabf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:11:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit ffceabfcc65c60109ba5fca694d78d4dc7047809
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:10:44 2013 -0400

    Update to pax-linux-3.10.7-test11.patch:
    - simplified some arm code
    - disabled preemption when calling show_regs, reported by Corey Minyard
    - added PCID based support for UDEREF on amd64 (blog will have more details)
      - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
      - nopcid turns it off
      - by default a strong form of UDEREF is used under PCID
      - pax_weakuderef switches to the older, less secure UDEREF
      - fixed several bugs that would also have manifested under SMAP
      - INVPCID is used when available (Haswell)
    - added a few more return insn instrumentation in new amd64 crypto code

 Documentation/kernel-parameters.txt          |    7 +
 arch/arm/include/asm/uaccess.h               |    3 +
 arch/x86/crypto/blowfish-avx2-asm_64.S       |    6 +
 arch/x86/crypto/camellia-aesni-avx-asm_64.S  |   10 ++
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S |   10 ++
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S    |    2 +
 arch/x86/crypto/ghash-clmulni-intel_asm.S    |    5 +
 arch/x86/crypto/serpent-avx2-asm_64.S        |    9 ++
 arch/x86/crypto/sha256-avx-asm.S             |    2 +
 arch/x86/crypto/sha256-avx2-asm.S            |    2 +
 arch/x86/crypto/sha256-ssse3-asm.S           |    2 +
 arch/x86/crypto/sha512-avx-asm.S             |    2 +
 arch/x86/crypto/sha512-avx2-asm.S            |    2 +
 arch/x86/crypto/sha512-ssse3-asm.S           |    2 +
 arch/x86/crypto/twofish-avx2-asm_64.S        |    8 ++
 arch/x86/ia32/ia32_signal.c                  |    2 +-
 arch/x86/ia32/ia32entry.S                    |   24 ++++-
 arch/x86/include/asm/cpufeature.h            |    3 +-
 arch/x86/include/asm/fpu-internal.h          |    2 +
 arch/x86/include/asm/futex.h                 |    4 +
 arch/x86/include/asm/mmu_context.h           |   80 +++++++++++---
 arch/x86/include/asm/pgtable.h               |   10 +-
 arch/x86/include/asm/processor.h             |   15 +++-
 arch/x86/include/asm/segment.h               |    5 +-
 arch/x86/include/asm/smap.h                  |   64 +++++++++++-
 arch/x86/include/asm/tlbflush.h              |   63 +++++++++--
 arch/x86/include/asm/uaccess.h               |   18 +++-
 arch/x86/include/asm/xsave.h                 |    4 +
 arch/x86/kernel/cpu/common.c                 |   38 +++++++
 arch/x86/kernel/entry_32.S                   |    2 +-
 arch/x86/kernel/entry_64.S                   |  152 +++++++++++++++++++++++---
 arch/x86/kernel/head_32.S                    |    2 +-
 arch/x86/kernel/head_64.S                    |    8 +-
 arch/x86/kernel/process_64.c                 |    5 +
 arch/x86/kernel/setup.c                      |    8 +-
 arch/x86/kernel/signal.c                     |    4 +-
 arch/x86/kernel/smpboot.c                    |   15 ++-
 arch/x86/lib/copy_user_64.S                  |   50 +--------
 arch/x86/lib/copy_user_nocache_64.S          |    2 +
 arch/x86/lib/csum-wrappers_64.c              |   11 ++-
 arch/x86/lib/memcpy_64.S                     |    4 +-
 arch/x86/lib/memmove_64.S                    |    2 +-
 arch/x86/lib/memset_64.S                     |    4 +-
 arch/x86/lib/usercopy_64.c                   |    5 +-
 arch/x86/mm/Makefile                         |    4 +
 arch/x86/mm/fault.c                          |   29 ++++--
 arch/x86/mm/init.c                           |    7 +-
 arch/x86/mm/init_64.c                        |    9 ++-
 arch/x86/mm/pageattr.c                       |    2 +-
 arch/x86/mm/pgtable.c                        |    3 +
 arch/x86/platform/efi/efi_32.c               |    2 +-
 arch/x86/platform/efi/efi_64.c               |    2 +-
 arch/x86/realmode/rm/trampoline_64.S         |    1 +
 fs/exec.c                                    |    2 +
 include/asm-generic/uaccess.h                |    8 ++
 include/linux/compat.h                       |    1 +
 include/linux/preempt.h                      |   19 +++
 include/linux/signal.h                       |    1 +
 include/linux/smp.h                          |    2 +
 init/main.c                                  |   14 ++-
 kernel/signal.c                              |   16 +++
 security/Kconfig                             |    5 +
 tools/lib/lk/Makefile                        |    2 +-
 tools/perf/Makefile                          |    2 +-
 64 files changed, 673 insertions(+), 136 deletions(-)

commit 5568c8059e78d6d002815409df4e90c83b3b08a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 08:58:34 2013 -0400

    Fix two harmless compiler warnings

 arch/arm/kernel/process.c |    4 ++--
 fs/exec.c                 |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:55:24 2013 -0400

    Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b

 arch/arm/kernel/perf_event.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 3637bc893b57a227b01852fe34685ab237285b10
Author: Stephen Boyd <sboyd@codeaurora.org>
Date:   Wed Aug 7 16:18:08 2013 -0700

    Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
    
    perf/arm: Fix armpmu_map_hw_event()
    
    Fix constraint check in armpmu_map_hw_event().
    
    Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/arm/kernel/perf_event.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 11802e1f961a088c39af58d1c1b14d861eedfb35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:53:30 2013 -0400

    More ARM backports

 arch/arm/kernel/entry-armv.S |    3 ++-
 arch/arm/kernel/fiq.c        |    8 ++------
 2 files changed, 4 insertions(+), 7 deletions(-)

commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:46:01 2013 -0400

    Fix HIDESYM compatibility with kprobes, as reported by feandil at:
    http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376

 include/linux/kallsyms.h |    2 +-
 kernel/kprobes.c         |    3 +++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
Author: yonghua zheng <younghua.zheng@gmail.com>
Date:   Tue Aug 13 16:01:03 2013 -0700

    fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
    
    Recently we met quite a lot of random kernel panic issues after enabling
    CONFIG_PROC_PAGE_MONITOR.  After debuggind we found this has something
    to do with following bug in pagemap:
    
    In struct pagemapread:
    
      struct pagemapread {
          int pos, len;
          pagemap_entry_t *buffer;
          bool v2;
      };
    
    pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
    buffer, it is a mistake to compare pos and len in add_page_map() for
    checking buffer is full or not, and this can lead to buffer overflow and
    random kernel panic issue.
    
    Correct len to be total number of PM_ENTRY_BYTES in buffer.
    
    [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
    Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/task_mmu.c

 fs/proc/task_mmu.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 0a3dac834746de241c10d4978bf61b4f146ba89d
Merge: dc19474 e12de30
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 17:39:01 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 17:34:47 2013 -0400

    Update to pax-linux-3.10.7-test9.patch:
    - Emese fixed a size overflow false positive reported by Sven Vermeulen
    - fixed some arm compile problems reported by spender
    - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
      eventually we'll have full REFCOUNT support on mips

 arch/arm/kernel/process.c     |    5 ++-
 arch/arm/mm/Kconfig           |    2 +-
 arch/arm/mm/fault.c           |    3 ++
 arch/mips/include/asm/local.h |   57 +++++++++++++++++++++++++++++++++++++++++
 mm/internal.h                 |    2 +-
 5 files changed, 65 insertions(+), 4 deletions(-)

commit dc19474d0ea6ea3c939544ae5f906067b1784a10
Merge: 51b78c0 82266f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 21:47:37 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 82266f90a3f87ab5017329fb539aebf94c42253a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 21:14:47 2013 -0400

    Update to pax-linux-3.10.7-test9.patch

 arch/arm/kernel/process.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)

commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
Merge: e32d904 cb77ead
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 20:53:45 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
Merge: 13675b8 519be45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 20:50:47 2013 -0400

    Update to pax-linux-3.10.7-test8.patch
    
    Merge branch 'linux-3.10.y' into pax-test

commit e32d904b87292288e74e2637b900fd1115687b8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 10 09:41:40 2013 -0400

    propagate the threadstack offset through to the topdown/bottomup allocators
    on sparc64 hugepages

 arch/sparc/mm/hugetlbpage.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Thu Aug 8 18:55:32 2013 +0200

    Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
    
    another local DoS found in reaction to the one I reported,
    we don't allow unpriv user ns use so this doesn't matter much to us
    
    userns: limit the maximum depth of user_namespace->parent chain
    
    Ensure that user_namespace->parent chain can't grow too much.
    Currently we use the hardroded 32 as limit.
    
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/user_namespace.h |    1 +
 kernel/user_namespace.c        |    4 ++++
 2 files changed, 5 insertions(+), 0 deletions(-)

commit 223ac007ef18bf3a5095ba0a56675c1f16200149
Merge: 1c92de4 13675b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 8 20:45:24 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 13675b848cf02bffd26924b2b84d927095bc253d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 8 20:43:52 2013 -0400

    Update to pax-linux-3.10.5-test8.patch:
    - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
    - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
    - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>

 arch/arm/include/asm/pgtable-2level.h |    4 +++-
 arch/arm/mm/proc-v7-2level.S          |    3 ---
 arch/mips/mm/fault.c                  |    8 ++++++++
 arch/x86/include/asm/processor.h      |    3 ++-
 include/linux/math64.h                |    2 +-
 security/Kconfig                      |    2 --
 6 files changed, 14 insertions(+), 8 deletions(-)

commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
Merge: e65aa3d 1660f49
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 18:50:45 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 1660f496848b8400d263f7920989dae15e72185a
Merge: 7f91ba1 dc51cd2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 18:50:12 2013 -0400

    Update to pax-linux-3.10.5-test7.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/head_64.S
        mm/mempolicy.c

commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:58:42 2013 -0400

    Disable RANDKSTACK for a VirtualBox host as mentioned on the
    gentoo-hardened bugzilla:
    https://bugs.gentoo.org/show_bug.cgi?id=382793

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jul 30 13:23:39 2013 +0300

    Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
    
    net_sched: info leak in atm_tc_dump_class()
    
    The "pvc" struct has a hole after pvc.sap_family which is not cleared.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/sch_atm.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Aug 2 11:32:43 2013 +0200

    Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
    
    net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
    
    Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
    resource that was allocated via inet_alloc_ifa() unfreed when returning
    the function with -EINVAL. Thus, free it first via inet_free_ifa().
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Reviewed-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/devinet.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
Date:   Fri Aug 2 23:15:56 2013 -0400

    Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
    
    qlcnic: Free up memory in error path.
    
    Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
    Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
Date:   Fri Aug 2 23:15:54 2013 -0400

    Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
    
    qlcnic: Fix MAC address filter issue on 82xx adapter
    
    Driver was passing the address of a pointer instead of
    the pointer itself.
    
    Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:26:40 2013 -0400

    Move user namespace capability check to shared create_user_ns code so we
    cover unshare() as well.
    
    Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
    user namespaces!

 kernel/fork.c           |   17 -----------------
 kernel/user_namespace.c |   24 ++++++++++++++++++++++--
 2 files changed, 22 insertions(+), 19 deletions(-)

commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 16:05:41 2013 -0400

    silence a warning on older gcc

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b8966a5d577e9220fbc63306eee978f819f24e2e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 3 08:31:08 2013 -0400

    we only care about mmaps of the beginning of an ELF, filter out
    all others as suggested by pipacs

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:54:51 2013 -0400

    add include

 grsecurity/grsec_log.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:49:13 2013 -0400

    fix compilation

 include/linux/grinternal.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1704c23fdc55b68f512dc9927940e72237f3f43e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:34:35 2013 -0400

    Improve PaX reporting (tells when anon mapping is stack or heap)
    Remove textrel logging option, combine into rwx logging option
    Enhance RWX logging option to display when PT_GNU_STACK-enabled library
    is loaded under an MPROTECTed binary
    Enhance RWX mprotect logging to display stack/heap instead of just
    anon mapping

 fs/binfmt_elf.c            |   37 +++++++++++++++++++++++++++++++++++++
 fs/exec.c                  |    4 ++++
 grsecurity/Kconfig         |   21 +++++----------------
 grsecurity/grsec_init.c    |    4 ----
 grsecurity/grsec_log.c     |   14 ++++++++++++++
 grsecurity/grsec_pax.c     |   19 ++++++++++++++-----
 grsecurity/grsec_sysctl.c  |    9 ---------
 include/linux/binfmts.h    |    1 +
 include/linux/grinternal.h |    2 +-
 include/linux/grmsg.h      |    3 ++-
 include/linux/grsecurity.h |    3 ++-
 mm/mmap.c                  |    7 +++++++
 mm/mprotect.c              |    2 +-
 13 files changed, 88 insertions(+), 38 deletions(-)

commit faf81c100c8565524e21c9af780a0ad2ce3fd925
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:52:02 2013 -0400

    add missing #define

 grsecurity/gracl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:43:53 2013 -0400

    fix compilation for !COMPAT as reported on the forums

 grsecurity/gracl.c |  195 ++++++++++++++++++++++++++--------------------------
 1 files changed, 97 insertions(+), 98 deletions(-)

commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
Merge: 65019c9 7f91ba1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:31 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 65019c9bd05f860437071cbf00e2027fd2d68615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:20 2013 -0400

    Revert "revert recent PaX change that causes boot failures with 32bit userland"
    
    This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:46:00 2013 -0400

    Update to pax-linux-3.10.4-test7.patch:
    - added a few more missing format strings
    - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
    - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
    - fixed a UDEREF/i386 regression, __get_user_8 would always fail

 arch/x86/include/asm/processor.h           |    4 +-
 arch/x86/kernel/cpu/common.c               |    2 +-
 arch/x86/kernel/dumpstack.c                |    2 +-
 arch/x86/kernel/process_64.c               |    2 +-
 arch/x86/kernel/reboot_fixups_32.c         |    2 +-
 arch/x86/kernel/smpboot.c                  |    2 +-
 arch/x86/lib/getuser.S                     |    4 +-
 arch/x86/xen/smp.c                         |    2 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c |    8 ++--
 drivers/video/backlight/backlight.c        |    2 +-
 drivers/video/backlight/lcd.c              |    2 +-
 fs/binfmt_elf.c                            |   51 +++++++++++++++++++++++++---
 fs/exec.c                                  |   50 +++++++++++++--------------
 include/linux/sched.h                      |    2 +
 14 files changed, 88 insertions(+), 47 deletions(-)

commit 043130da54cb7cc8dc44e0ce889d426e889a0532
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 16:26:58 2013 -0400

    compile fix for !COMPAT as mentioned on forums

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ed0a195abd4e41c2449a020a53a19c74dc866d78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:33:14 2013 -0400

    perform compat conversion of rlimit infinity

 grsecurity/gracl_compat.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:21:40 2013 -0400

    remove debugging

 grsecurity/gracl_compat.c |   44 +++++++++++---------------------------------
 1 files changed, 11 insertions(+), 33 deletions(-)

commit e75b3f504692b97960a7530ad0855d91441d79c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:20:32 2013 -0400

    eliminate compat_dev_t

 include/linux/gracl_compat.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e5abbaf95313066a724e1a843d4fc902a9a6450e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:13:22 2013 -0400

    fix compat rlimit size

 grsecurity/gracl_compat.c    |   68 +++++++++++++++++++++++++++++-------------
 include/linux/gracl_compat.h |    4 +-
 2 files changed, 49 insertions(+), 23 deletions(-)

commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:20:18 2013 -0400

    compile fix

 grsecurity/gracl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:14:29 2013 -0400

    copy correct pointer size in new compat code

 grsecurity/gracl.c        |    8 ++++----
 grsecurity/gracl_compat.c |    4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 23278a1ee1c7738dd1e7005241394d32b82196e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:48:58 2013 -0400

    revert recent PaX change that causes boot failures with 32bit userland

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit ec27f71a813656fea8ab37faecb2b485fe99d08e
Merge: 3a11bcf 05f0a61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:42:21 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:41:44 2013 -0400

    Update to pax-linux-3.10.4-test6.patch:
    - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender

 include/linux/syscalls.h |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:15:50 2013 -0400

    compile fix

 grsecurity/gracl_compat.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:12:46 2013 -0400

    remove BUILD_BUG_ONs

 grsecurity/gracl_compat.c |   20 --------------------
 1 files changed, 0 insertions(+), 20 deletions(-)

commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:18:36 2013 -0400

    compile fixes

 grsecurity/gracl_compat.c    |    8 ++++----
 include/linux/gracl_compat.h |    2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 8b744005f8bae565e24c1fd88af77e6e619b9434
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:16:42 2013 -0400

    compile fixes

 grsecurity/gracl.c        |    4 ++--
 grsecurity/gracl_compat.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:13:51 2013 -0400

    compile fixes

 grsecurity/gracl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit b93b829afcc98b6108b18d99ff63c53642d0b951
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:11:03 2013 -0400

    compile fixes

 grsecurity/gracl_compat.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:08:21 2013 -0400

    more compile fixes

 grsecurity/gracl.c |   28 ++++++++++++++--------------
 1 files changed, 14 insertions(+), 14 deletions(-)

commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:59:50 2013 -0400

    more compile fixes

 grsecurity/gracl.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:56:47 2013 -0400

    additional compile fixes

 grsecurity/gracl.c |   59 +++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 49 insertions(+), 10 deletions(-)

commit ac695a081d1124fb28bec46814535d34c5e40611
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:47:15 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:46:59 2013 -0400

    compile fixes

 grsecurity/gracl.c |   53 ++++++++++++++++++++++++++++++++++++++-------------
 1 files changed, 39 insertions(+), 14 deletions(-)

commit 82631f451cc7432b6c5578cf8d24155473feb25c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:22:44 2013 -0400

    Initial commit of compat RBAC loading
    Permits 32bit gradm to load policy for a 64bit kernel
    
    Also removed code duplication for copying strings into the kernel
    
    Work performed as part of sponsorship

 grsecurity/Makefile          |    4 +
 grsecurity/gracl.c           |  315 +++++++++++++++++++++++-------------------
 grsecurity/gracl_compat.c    |  270 ++++++++++++++++++++++++++++++++++++
 include/linux/gracl_compat.h |  156 +++++++++++++++++++++
 4 files changed, 603 insertions(+), 142 deletions(-)

commit 84c4a433dfb096e4a1162ee5e68025122c70b421
Merge: c9d3ed3 9fe5897
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 17:08:56 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 9fe58978938e357642885866ca48090a7753d403
Merge: 8f693ad 6f7bb6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 17:08:43 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
Merge: d5e5bfd 8f693ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:03:08 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 8f693ade9b3e448f92706d34148b00a087637f70
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:02:16 2013 -0400

    Update to pax-linux-3.10.3-test5.patch:
    - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
    - fixed handling of faulting userland accesses for UDEREF/arm, from spender
    - updated the size overflow hash table, from Emese

 arch/arm/kernel/entry-armv.S      |    3 +-
 arch/x86/include/asm/processor.h  |    4 +-
 arch/x86/kernel/cpu/common.c      |    2 +-
 arch/x86/kernel/process_64.c      |    2 +-
 arch/x86/kernel/smpboot.c         |    2 +-
 arch/x86/xen/smp.c                |    2 +-
 tools/gcc/size_overflow_hash.data |  553 +++++++++++++++++++++++++++++++++----
 7 files changed, 513 insertions(+), 55 deletions(-)

commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
Merge: 19e077b 8a8a0d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 21:05:18 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 21:04:09 2013 -0400

    Update to pax-linux-3.10.3-test4.patch:
    - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
      this is finer grained sanitization than the existing per-page based approach (which
      is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
      line option can be used to enable/disable it on boot (it's enabled by default when
      CONFIG_PAX_MEMORY_SANITIZE is enabled).

 Documentation/kernel-parameters.txt |    4 ++++
 fs/buffer.c                         |    2 +-
 fs/dcache.c                         |    3 ++-
 include/linux/slab.h                |    7 +++++++
 include/linux/slab_def.h            |    4 ++++
 kernel/fork.c                       |    2 +-
 mm/rmap.c                           |    6 ++++--
 mm/slab.c                           |   27 +++++++++++++++++++++++++++
 mm/slab.h                           |   12 +++++++++++-
 mm/slab_common.c                    |   14 ++++++++++++++
 mm/slob.c                           |    5 +++++
 mm/slub.c                           |   11 +++++++++++
 net/core/skbuff.c                   |    6 ++++--
 security/Kconfig                    |   23 +++++++++++++++++------
 14 files changed, 112 insertions(+), 14 deletions(-)

commit 19e077bfff54ca211d0142c07cb6dd88069a390c
Merge: 960ec51 c8f7f51
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:53:34 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c8f7f51591207b82530214300e86277028919286
Merge: d5142e3 81a4648
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:52:29 2013 -0400

    Update to pax-linux-3.10.3-test3.patch:
    - fixed some compile issues reported by Michael Tremer and spender
    - fixed an i386 regression with the lower address space gap on i386, reported by cnu
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        kernel/time/tick-broadcast.c

commit 960ec51ab2142544fbae563d4fd5744775408965
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Jul 20 03:13:55 2013 +0400

    Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
    
    livelock avoidance in sget()
    
    Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
    to fail.  The superblock is on ->fs_supers, ->s_umount is held exclusive,
    ->s_active is 1.  Along comes two more processes, trying to mount the same
    thing; sget() in each is picking that superblock, bumping ->s_count and
    trying to grab ->s_umount.  ->s_active is 3 now.  Original mount(2)
    finally gets to deactivate_locked_super() on failure; ->s_active is 2,
    superblock is still ->fs_supers because shutdown will *not* happen until
    ->s_active hits 0.  ->s_umount is dropped and now we have two processes
    chasing each other:
    s_active = 2, A acquired ->s_umount, B blocked
    A sees that the damn thing is stillborn, does deactivate_locked_super()
    s_active = 1, A drops ->s_umount, B gets it
    A restarts the search and finds the same superblock.  And bumps it ->s_active.
    s_active = 2, B holds ->s_umount, A blocked on trying to get it
    ... and we are in the earlier situation with A and B switched places.
    
    The root cause, of course, is that ->s_active should not grow until we'd
    got MS_BORN.  Then failing ->mount() will have deactivate_locked_super()
    shut the damn thing down.  Fortunately, it's easy to do - the key point
    is that grab_super() is called only for superblocks currently on ->fs_supers,
    so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
    bump ->s_active; we must never increment ->s_count for superblocks past
    ->kill_sb(), but grab_super() is never called for those.
    
    The bug is pretty old; we would've caught it by now, if not for accidental
    exclusion between sget() for block filesystems; the things like cgroup or
    e.g. mtd-based filesystems don't have anything of that sort, so they get
    bitten.  The right way to deal with that is obviously to fix sget()...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/super.c |   25 ++++++++++---------------
 1 files changed, 10 insertions(+), 15 deletions(-)

commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
Merge: ab95b58 d5142e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:47:46 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
Merge: f36ae8c 0f4a56e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:47:34 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit ab95b5842899d61ff5c30f4582e72029b3155be8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:28:40 2013 -0400

    compile fix with constification reported by Michael Tremer

 drivers/gpu/host1x/drm/dc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 817cd2d1e7a55720326599dd8f542578eef30927
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Jul 12 23:46:33 2013 +0200

    Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
    
    ipv6: only static routes qualify for equal cost multipathing
    
    Static routes in this case are non-expiring routes which did not get
    configured by autoconf or by icmpv6 redirects.
    
    To make sure we actually get an ecmp route while searching for the first
    one in this fib6_node's leafs, also make sure it matches the ecmp route
    assumptions.
    
    v2:
    a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
       already ensures that this route, even if added again without
       RTF_EXPIRES (in case of a RA announcement with infinite timeout),
       does not cause the rt6i_nsiblings logic to go wrong if a later RA
       updates the expiration time later.
    
    v3:
    a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
       because an pmtu event could update the RTF_EXPIRES flag and we would
       not count this route, if another route joins this set. We now filter
       only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
       don't get changed after rt6_info construction.
    
    Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_fib.c |   15 +++++++++++----
 1 files changed, 11 insertions(+), 4 deletions(-)

commit 77db8196d51b043e2e2d124094da101b0f01bccb
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Jul 12 09:39:03 2013 +0300

    Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
    
    svcrdma: underflow issue in decode_write_list()
    
    My static checker marks everything from ntohl() as untrusted and it
    complains we could have an underflow problem doing:
    
        return (u32 *)&ary->wc_array[nchunks];
    
    Also on 32 bit systems the upper bound check could overflow.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 net/sunrpc/xprtrdma/svc_rdma_marshal.c |   20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)

commit 926473317fd7953137ef97835edd36dabc584b01
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 17 21:29:02 2013 -0400

    add missing asm/pgtable.h include, reported by Michael Tremer

 drivers/clk/socfpga/clk.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c592ae0001b31932ef1491784dfa374058797c66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 16 20:40:24 2013 -0400

    allow viewing of ecryptfs version under SYSFS_RESTRICT

 fs/sysfs/dir.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
Merge: 9c96441 f36ae8c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:23:13 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f36ae8c741ae32b1caff10825be12c327792c925
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:22:15 2013 -0400

    Update to pax-linux-3.10-test2.patch:
    - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
    - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
    - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
    - spender fixed an madvise regression, reported by Peter Keel
    - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
    - fixed a headers_install regression, reported by Mathias Krause
    - fixed a SLOB compile regression, reported by Mathias Krause

 arch/arm/include/asm/uaccess.h |    4 ++--
 arch/arm/mm/mmu.c              |   15 +++++++++++++--
 drivers/clk/socfpga/clk.c      |    6 ++++--
 mm/madvise.c                   |    4 ++--
 mm/slab.c                      |    4 ++--
 mm/slob.c                      |    4 ++--
 scripts/headers_install.sh     |    2 +-
 7 files changed, 26 insertions(+), 13 deletions(-)

commit 9c9644156a49637050741d9165df79174e59b0ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:19:54 2013 -0400

    Fix sparc64 compilation, reported by Blake Self

 arch/sparc/kernel/sys_sparc_64.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:49:17 2013 -0400

    Update PaX fix, just return the error

 mm/madvise.c |   15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

commit a10e377d0eddd37e8a3665b135e546ab03d9d171
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:36:00 2013 -0400

    Fix madvise oops reported by Peter Keel

 mm/madvise.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 08c5adca34d408772255b313f90d82c250c1d967
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:26:34 2013 -0400

    don't make high vector mapping non-present on old ARM architectures, no
    point in emulating some vector entries when the processor doesn't even support XN

 arch/arm/mm/mmu.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 2b40781d4197a89a003616af584884e36361c5b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 09:51:58 2013 -0400

    Temporary compile fix for code incorrectly modifying const data
    Wrap a cast version of the code with open/close
    
    Thanks to Michael Tremer for the report

 drivers/clk/socfpga/clk.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit a8258c1b4098c396cd4ea719e20858182feac1c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 09:41:16 2013 -0400

    Fix missing right parens in pipacs' "improvement" of my ARM code ;)
    Thanks to Michael Tremer for reporting

 arch/arm/include/asm/uaccess.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
Merge: 86f446e 2577f8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 13 20:46:58 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        mm/memcontrol.c

commit 2577f8e4ec41efb347706a59c6838de20f0c90da
Merge: 75a36f0 cb5d8be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 13 20:43:42 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        crypto/algapi.c
        drivers/block/nbd.c

commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 12 23:02:11 2013 -0400

    we always want the vector page to be noaccess for userland
    therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
    which turns into supervisor rwx, userland rx, we instead omit that entirely,
    leaving it as supervisor rwx only
    
    Fixes booting on ARMv5 and earlier, which need to write directly
    to the high vector mapping via set_tls when context switching
    
    Thanks to Michael Tremer for the bugreport

 arch/arm/mm/mmu.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit 90cd0827eef656ec884f19c977873fefe2f2e47d
Author: Cong Wang <amwang@redhat.com>
Date:   Sat Jun 29 12:02:59 2013 +0800

    Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
    
    gre: fix a regression in ioctl
    
    When testing GRE tunnel, I got:
    
     # ip tunnel show
     get tunnel gre0 failed: Invalid argument
     get tunnel gre1 failed: Invalid argument
    
    This is a regression introduced by commit c54419321455631079c7d
    ("GRE: Refactor GRE tunneling code.") because previously we
    only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
    after that commit, the check is moved for all commands.
    
    So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
    
    After this patch I got:
    
     # ip tunnel show
     gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
     gre1: gre/ip  remote 192.168.122.101  local 192.168.122.45  ttl inherit
    
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_gre.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
Author: Cong Wang <amwang@redhat.com>
Date:   Sat Jun 29 13:00:57 2013 +0800

    Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
    
    vti: remove duplicated code to fix a memory leak
    
    vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
    and in vti_tunnel_init(), this lead to a memory leak of
    dev->tstats.
    
    Just remove the duplicated operations in vti_fb_tunnel_init().
    
    (candidate for -stable)
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_vti.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:05 2013 +0200

    Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
    
    bnx2x: remove zeroing of dump data buffer
    
    There is no need to initialize the dump data with zeros.
    data is allocated with vzalloc, so it's already zero-filled.
    
    More importantly, the memset is harmful, because dump->len (the length
    requested by userspace) can be bigger than the allocated buffer (whose
    size is determined by asking the driver's .get_dump_flag method).
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c    |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit c771072b72c261f9bddd6734dca6979c1b96e7df
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:06 2013 +0200

    Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
    
    bnx2x: fix dump flag handling
    
    bnx2x interprets the dump flag as an index of a register preset.
    It is important to validate the index to avoid out of bounds
    memory accesses.
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c    |    3 +++
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c   |    2 ++
 2 files changed, 5 insertions(+), 0 deletions(-)

commit aed315c8fad9b2044143b46b239574b1b72135ce
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:30 2013 +0200

    Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
    
    ethtool: make .get_dump_data() harder to misuse by drivers
    
    As the patch "bnx2x: remove zeroing of dump data buffer" showed,
    it is too easy implement .get_dump_data incorrectly in a driver.
    
    Let's make sure drivers cannot get confused by userspace requesting
    a too big dump.
    
    Also WARN if the driver sets dump->len to something weird and make
    sure the length reported to userspace is the actual length of data
    copied to userspace.
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/ethtool.c |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

commit 5c57991e66216e386dcc875d34c33f0edd038569
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Jul 2 09:02:07 2013 +0800

    Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
    
    l2tp: add missing .owner to struct pppox_proto
    
    Add missing .owner of struct pppox_proto. This prevents the
    module from being removed from underneath its users.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Date:   Sun Jun 30 14:37:11 2013 +1000

    Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
    
    cxgb3: Missing rtnl lock in error recovery
    
    When exercising error injection on IBM pseries machine, I hit the
    following warning:
    
    [  251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
    [  253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
    [  253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
    [  254.895437] RTNL: assertion failed at net/core/dev.c (2031)
    [  254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G        W    3.10.0-rc7-00157-gea461ab #19
    [  254.895474] Call Trace:
    [  254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
    [  254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
    [  254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
    [  254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
    [  254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
    [  254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
    [  254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
    [  254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
    [  254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
    [  254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
    [  254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
    
    It appears that t3_resume_ports() is called with the rtnl_lock held from
    the fatal error task but not from the PCI error callbacks. This fixes it.
    
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Jul 1 20:21:30 2013 +0200

    Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
    
    ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
    
    We accidentally call down to ip6_push_pending_frames when uncorking
    pending AF_INET data on a ipv6 socket. This results in the following
    splat (from Dave Jones):
    
    skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:126!
    invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
    +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
    CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
    task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
    RIP: 0010:[<ffffffff816e759c>]  [<ffffffff816e759c>] skb_panic+0x63/0x65
    RSP: 0018:ffff8801e6431de8  EFLAGS: 00010282
    RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
    RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
    RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
    R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
    FS:  00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
    Stack:
     ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
     ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
     ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
    Call Trace:
     [<ffffffff8159a9aa>] skb_push+0x3a/0x40
     [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
     [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
     [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
     [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
     [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
     [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
     [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
     [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
     [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
     [<ffffffff816f5d54>] tracesys+0xdd/0xe2
    Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
    RIP  [<ffffffff816e759c>] skb_panic+0x63/0x65
     RSP <ffff8801e6431de8>
    
    This patch adds a check if the pending data is of address family AF_INET
    and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
    if that is the case.
    
    This bug was found by Dave Jones with trinity.
    
    (Also move the initialization of fl6 below the AF_INET check, even if
    not strictly necessary.)
    
    Cc: Dave Jones <davej@redhat.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/udp.h |    1 +
 net/ipv4/udp.c    |    3 ++-
 net/ipv6/udp.c    |    7 ++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

commit cd83094a85d9bbd5a67332156407d53cf8835432
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Tue Jul 2 08:04:05 2013 +0200

    Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
    
    ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
    
    If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
    of this when appending the second frame on a corked socket. This results
    in the following splat:
    
    [37598.993962] ------------[ cut here ]------------
    [37598.994008] kernel BUG at net/core/skbuff.c:2064!
    [37598.994008] invalid opcode: 0000 [#1] SMP
    [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
    +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
    +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
    [37598.994008]  snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
    +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
    [37598.994008] CPU 0
    [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
    [37598.994008] RIP: 0010:[<ffffffff815443a5>]  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008] RSP: 0018:ffff88003670da18  EFLAGS: 00010202
    [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
    [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
    [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
    [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
    [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
    [37598.994008] FS:  00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
    [37598.994008] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
    [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
    [37598.994008] Stack:
    [37598.994008]  ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
    [37598.994008]  ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
    [37598.994008]  0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
    [37598.994008] Call Trace:
    [37598.994008]  [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
    [37598.994008]  [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
    [37598.994008]  [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
    [37598.994008]  [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
    [37598.994008]  [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
    [37598.994008]  [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
    [37598.994008]  [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
    [37598.994008]  [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
    [37598.994008]  [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
    [37598.994008]  [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
    [37598.994008]  [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
    [37598.994008]  [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
    [37598.994008]  [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
    [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
    [37598.994008] RIP  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008]  RSP <ffff88003670da18>
    [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
    
    While there, also check if path mtu discovery is activated for this
    socket. The logic was adapted from ip6_append_data when first writing
    on the corked socket.
    
    This bug was introduced with commit
    0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
    fragment").
    
    v2:
    a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
    b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
       feng, thanks!).
    c) Change mtu to unsigned int, else we get a warning about
       non-matching types because of the min()-macro type-check.
    
    Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |   16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jul 7 14:26:53 2013 +0300

    Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
    
    vhost-net: fix use-after-free in vhost_net_flush
    
    vhost_net_ubuf_put_and_wait has a confusing name:
    it will actually also free it's argument.
    Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
        "vhost-net: flush outstanding DMAs on memory change"
    vhost_net_flush tries to use the argument after passing it
    to vhost_net_ubuf_put_and_wait, this results
    in use after free.
    To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
    add an new API for callers that want to free ubufs.
    
    Acked-by: Asias He <asias@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/vhost/net.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 088806db74ac2f08c106202bc5498585a9ee529f
Author: Michal Hocko <mhocko@suse.cz>
Date:   Mon Jul 8 16:00:29 2013 -0700

    Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
    
    memcg, kmem: fix reference count handling on the error path
    
    mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
    This is not correct because only memcg_propagate_kmem takes an
    additional reference while mem_cgroup_sockets_init is allowed to fail as
    well (although no current implementation fails) but it doesn't take any
    reference.  This all suggests that it should be memcg_propagate_kmem
    that should clean up after itself so this patch moves mem_cgroup_put
    over there.
    
    Unfortunately this is not that easy (as pointed out by Li Zefan) because
    memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
    marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
    memcg_propagate_kmem fails so the additional reference is dropped in
    that case in kmem_cgroup_destroy which means that the reference would be
    dropped two times.
    
    The easiest way then would be to simply remove mem_cgrroup_put from
    mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
    thing.
    
    Signed-off-by: Michal Hocko <mhocko@suse.cz>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Glauber Costa <glommer@openvz.org>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: <stable@vger.kernel.org>        [3.8]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memcontrol.c |    8 --------
 1 files changed, 0 insertions(+), 8 deletions(-)

commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
Author: Michal Hocko <mhocko@suse.cz>
Date:   Mon Jul 8 16:00:27 2013 -0700

    Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
    
    Revert "memcg: avoid dangling reference count in creation failure"
    
    This reverts commit e4715f01be697a.
    
    mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
    an additional reference from all parents so the additional
    mem_cgrroup_put(parent) potentially causes use-after-free.
    
    Signed-off-by: Michal Hocko <mhocko@suse.cz>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Glauber Costa <glommer@openvz.org>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: <stable@vger.kernel.org>        [3.9+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memcontrol.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 3267ec559f48327a1836eccecd53215afc5810d0
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jun 20 13:13:59 2013 -0700

    Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
    
    libceph: Fix NULL pointer dereference in auth client code
    
    A malicious monitor can craft an auth reply message that could cause a
    NULL function pointer dereference in the client's kernel.
    
    To prevent this, the auth_none protocol handler needs an empty
    ceph_auth_client_ops->build_request() function.
    
    CVE-2013-1059
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Chanam Park <chanam.park@hkpco.kr>
    Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
    Reviewed-by: Sage Weil <sage@inktank.com>
    Cc: stable@vger.kernel.org

 net/ceph/auth_none.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit cdfeb4049e7cb38702215b2c356ce0407974ac79
Author: Eric Paris <eparis@redhat.com>
Date:   Wed Jul 3 15:08:29 2013 -0700

    Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
    
    fork: reorder permissions when violating number of processes limits
    
    When a task is attempting to violate the RLIMIT_NPROC limit we have a
    check to see if the task is sufficiently priviledged.  The check first
    looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
    
    A result is that tasks which are allowed by the uid=0 check are first
    checked against the security subsystem.  This results in the security
    subsystem auditting a denial for sys_admin and sys_resource and then the
    task passing the uid=0 check.
    
    This patch rearranges the code to first check uid=0, since if we pass that
    we shouldn't hit the security system at all.  We then check sys_resource,
    since it is the smallest capability which will solve the problem.  Lastly
    we check the fallback everything cap_sysadmin.  We don't want to give this
    capability many places since it is so powerful.
    
    This will eliminate many of the false positive/needless denial messages we
    get when a root task tries to violate the nproc limit.  (note that
    kthreads count against root, so on a sufficiently large machine we can
    actually get past the default limits before any userspace tasks are
    launched.)
    
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/fork.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 08c87e049c8a50707908785d950fd48c334f4c09
Author: Chen Gang <gang.chen@asianux.com>
Date:   Sat Jun 22 13:26:09 2013 +0800

    Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
    
    arch: sparc: kernel: check the memory length before use strcpy().
    
    For the related next strcpy(), the destination length is less than 512,
    but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
    more than 512.
    
    One work flow may:
      openprom_sunos_ioctl() ->  if (cmd == OPROMSETOPT)
        getstrings() ->  will alloc buffer with size 'OPROMMAXPARAM'.
        opromsetopt() ->  devide the buffer into 'var' and 'value'
          of_set_property() -> pass
            prom_setprop() -> pass
              ldom_set_var()
    
    And do not mind the additional 4 alignment buffer increasing, since
    'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/ds.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 12 20:38:45 2013 -0400

    Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
    
    Unlike slub, slab can initally create two of the kmalloc_caches
    which will be used later for generic kmallocs of their particular
    aligned size (since the later loop in the unified allocator code
    skips any already-existing kmalloc_caches)

 mm/slab.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 22:04:59 2013 -0400

    compile fixes

 fs/exec.c |    2 +-
 mm/mmap.c |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

commit e2d027c7e0f106be683c0c72482b8285daefcbe6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:58:40 2013 -0400

    commit successful merges

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    3 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   17 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    4 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/defconfig                                  |    1 -
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/signal.c                           |    9 +-
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |    9 +-
 arch/x86/kernel/sys_x86_64.c                       |    8 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |    1 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  129 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/block/cpqarray.c                           |    1 +
 drivers/cdrom/cdrom.c                              |    4 +-
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/mwave/tp3780i.c                       |    1 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++++------------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    8 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |    9 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  184 ++-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/resize.c                                   |   17 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  234 ++-
 fs/namespace.c                                     |   16 +
 fs/notify/fanotify/fanotify_user.c                 |    1 +
 fs/open.c                                          |   38 +
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 ++-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |    4 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/perf_event.h                         |   13 +-
 include/linux/printk.h                             |    3 +-
 include/linux/sched.h                              |   24 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 +-
 kernel/events/core.c                               |   14 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   64 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    2 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    7 +
 kernel/printk.c                                    |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   70 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    1 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   63 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev_ioctl.c                               |    4 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    4 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netrom/af_netrom.c                             |    1 -
 net/phonet/af_phonet.c                             |    2 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  343 +++-
 security/apparmor/Kconfig                          |    9 +
 security/apparmor/apparmorfs.c                     |  231 ++
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 242 files changed, 4385 insertions(+), 2042 deletions(-)

commit 043a378c0f72ed92cc30182c48abce39867ac93f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:57:40 2013 -0400

    Commit merge of new files and rejected patches

 arch/arm/include/asm/thread_info.h     |    6 +-
 arch/arm/kernel/process.c              |    4 +-
 arch/powerpc/include/asm/thread_info.h |    7 +-
 arch/powerpc/mm/slice.c                |    2 +-
 arch/sparc/kernel/process_64.c         |    4 +-
 arch/x86/kernel/vm86_32.c              |   15 +
 fs/coredump.c                          |    1 +
 fs/ext4/balloc.c                       |    4 +-
 fs/namei.c                             |    7 +
 fs/namespace.c                         |    8 +
 fs/pipe.c                              |    2 +-
 fs/proc/inode.c                        |   13 +
 fs/proc/internal.h                     |    3 +
 grsecurity/Kconfig                     | 1054 +++++++++
 grsecurity/Makefile                    |   38 +
 grsecurity/gracl.c                     | 4073 ++++++++++++++++++++++++++++++++
 grsecurity/gracl_alloc.c               |  105 +
 grsecurity/gracl_cap.c                 |  110 +
 grsecurity/gracl_fs.c                  |  431 ++++
 grsecurity/gracl_ip.c                  |  387 +++
 grsecurity/gracl_learn.c               |  207 ++
 grsecurity/gracl_res.c                 |   68 +
 grsecurity/gracl_segv.c                |  305 +++
 grsecurity/gracl_shm.c                 |   40 +
 grsecurity/grsec_chdir.c               |   19 +
 grsecurity/grsec_chroot.c              |  370 +++
 grsecurity/grsec_disabled.c            |  434 ++++
 grsecurity/grsec_exec.c                |  187 ++
 grsecurity/grsec_fifo.c                |   24 +
 grsecurity/grsec_fork.c                |   23 +
 grsecurity/grsec_init.c                |  283 +++
 grsecurity/grsec_link.c                |   58 +
 grsecurity/grsec_log.c                 |  326 +++
 grsecurity/grsec_mem.c                 |   40 +
 grsecurity/grsec_mount.c               |   62 +
 grsecurity/grsec_pax.c                 |   36 +
 grsecurity/grsec_ptrace.c              |   30 +
 grsecurity/grsec_sig.c                 |  246 ++
 grsecurity/grsec_sock.c                |  244 ++
 grsecurity/grsec_sysctl.c              |  469 ++++
 grsecurity/grsec_time.c                |   16 +
 grsecurity/grsec_tpe.c                 |   73 +
 grsecurity/grsum.c                     |   61 +
 include/linux/gracl.h                  |  319 +++
 include/linux/gralloc.h                |    9 +
 include/linux/grdefs.h                 |  140 ++
 include/linux/grinternal.h             |  227 ++
 include/linux/grmsg.h                  |  112 +
 include/linux/grsecurity.h             |  241 ++
 include/linux/grsock.h                 |   19 +
 include/linux/netfilter/xt_gradm.h     |    9 +
 include/linux/proc_fs.h                |   13 +
 include/linux/sched.h                  |   48 +-
 include/trace/events/fs.h              |   53 +
 kernel/kmod.c                          |    7 +-
 kernel/panic.c                         |    2 +-
 kernel/posix-timers.c                  |    1 +
 kernel/time/timekeeping.c              |    2 +
 lib/Kconfig.debug                      |    2 +-
 lib/vsprintf.c                         |   31 +
 localversion-grsec                     |    1 +
 mm/mmap.c                              |   13 +-
 mm/shmem.c                             |    2 +-
 net/core/net-procfs.c                  |    5 +
 net/ipv6/udp.c                         |    3 +
 net/netfilter/xt_gradm.c               |   51 +
 66 files changed, 11184 insertions(+), 21 deletions(-)

commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 17:35:47 2013 -0400

    Initial import of pax-linux-3.10-test1.patch

 Documentation/dontdiff                             |   46 +-
 Documentation/kernel-parameters.txt                |   12 +
 Makefile                                           |  100 +-
 arch/alpha/include/asm/atomic.h                    |   10 +
 arch/alpha/include/asm/elf.h                       |    7 +
 arch/alpha/include/asm/pgalloc.h                   |    6 +
 arch/alpha/include/asm/pgtable.h                   |   11 +
 arch/alpha/kernel/module.c                         |    2 +-
 arch/alpha/kernel/osf_sys.c                        |    8 +-
 arch/alpha/mm/fault.c                              |  141 +-
 arch/arm/Kconfig                                   |    2 +-
 arch/arm/include/asm/atomic.h                      |  444 ++-
 arch/arm/include/asm/cache.h                       |    5 +-
 arch/arm/include/asm/cacheflush.h                  |    2 +-
 arch/arm/include/asm/checksum.h                    |   14 +-
 arch/arm/include/asm/cmpxchg.h                     |    2 +
 arch/arm/include/asm/domain.h                      |   33 +-
 arch/arm/include/asm/elf.h                         |   13 +-
 arch/arm/include/asm/fncpy.h                       |    2 +
 arch/arm/include/asm/futex.h                       |   10 +
 arch/arm/include/asm/kmap_types.h                  |    2 +-
 arch/arm/include/asm/mach/dma.h                    |    2 +-
 arch/arm/include/asm/mach/map.h                    |    7 +-
 arch/arm/include/asm/outercache.h                  |    2 +-
 arch/arm/include/asm/page.h                        |    2 +-
 arch/arm/include/asm/pgalloc.h                     |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h        |    5 +
 arch/arm/include/asm/pgtable-2level.h              |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h        |    2 +
 arch/arm/include/asm/pgtable-3level.h              |    2 +
 arch/arm/include/asm/pgtable.h                     |   56 +-
 arch/arm/include/asm/proc-fns.h                    |    2 +-
 arch/arm/include/asm/processor.h                   |    5 +-
 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/include/asm/smp.h                         |    2 +-
 arch/arm/include/asm/thread_info.h                 |    6 +-
 arch/arm/include/asm/uaccess.h                     |   92 +-
 arch/arm/include/uapi/asm/ptrace.h                 |    2 +-
 arch/arm/kernel/armksyms.c                         |    8 +-
 arch/arm/kernel/entry-armv.S                       |  107 +-
 arch/arm/kernel/entry-common.S                     |   41 +-
 arch/arm/kernel/entry-header.S                     |   60 +
 arch/arm/kernel/fiq.c                              |    2 +
 arch/arm/kernel/head.S                             |    6 +-
 arch/arm/kernel/hw_breakpoint.c                    |    2 +-
 arch/arm/kernel/module.c                           |   29 +-
 arch/arm/kernel/patch.c                            |    2 +
 arch/arm/kernel/perf_event_cpu.c                   |    2 +-
 arch/arm/kernel/process.c                          |   14 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/arm/kernel/setup.c                            |   22 +-
 arch/arm/kernel/signal.c                           |   24 +-
 arch/arm/kernel/smp.c                              |    2 +-
 arch/arm/kernel/traps.c                            |   15 +-
 arch/arm/kernel/vmlinux.lds.S                      |   22 +-
 arch/arm/lib/clear_user.S                          |    6 +-
 arch/arm/lib/copy_from_user.S                      |    6 +-
 arch/arm/lib/copy_page.S                           |    1 +
 arch/arm/lib/copy_to_user.S                        |    6 +-
 arch/arm/lib/csumpartialcopyuser.S                 |    4 +-
 arch/arm/lib/delay.c                               |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c                 |    2 +-
 arch/arm/mach-kirkwood/common.c                    |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                   |    2 +-
 arch/arm/mach-omap2/gpmc.c                         |   22 +-
 arch/arm/mach-omap2/omap-wakeupgen.c               |    2 +-
 arch/arm/mach-omap2/omap_device.c                  |    4 +-
 arch/arm/mach-omap2/omap_device.h                  |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                   |    4 +-
 arch/arm/mach-omap2/wd_timer.c                     |    6 +-
 arch/arm/mach-tegra/cpuidle-tegra20.c              |    2 +-
 arch/arm/mach-ux500/setup.h                        |    7 -
 arch/arm/mm/Kconfig                                |    3 +-
 arch/arm/mm/alignment.c                            |    8 +
 arch/arm/mm/fault.c                                |   91 +
 arch/arm/mm/fault.h                                |   12 +
 arch/arm/mm/init.c                                 |   41 +
 arch/arm/mm/ioremap.c                              |    4 +-
 arch/arm/mm/mmap.c                                 |   30 +-
 arch/arm/mm/mmu.c                                  |  187 +-
 arch/arm/mm/proc-v7-2level.S                       |    3 +
 arch/arm/plat-omap/sram.c                          |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h       |    2 +-
 arch/arm64/kernel/debug-monitors.c                 |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                  |    2 +-
 arch/avr32/include/asm/elf.h                       |    8 +-
 arch/avr32/include/asm/kmap_types.h                |    4 +-
 arch/avr32/mm/fault.c                              |   27 +
 arch/frv/include/asm/atomic.h                      |   10 +
 arch/frv/include/asm/kmap_types.h                  |    2 +-
 arch/frv/mm/elf-fdpic.c                            |    3 +-
 arch/ia64/include/asm/atomic.h                     |   10 +
 arch/ia64/include/asm/elf.h                        |    7 +
 arch/ia64/include/asm/pgalloc.h                    |   12 +
 arch/ia64/include/asm/pgtable.h                    |   13 +-
 arch/ia64/include/asm/spinlock.h                   |    2 +-
 arch/ia64/include/asm/uaccess.h                    |   26 +-
 arch/ia64/kernel/err_inject.c                      |    2 +-
 arch/ia64/kernel/mca.c                             |    2 +-
 arch/ia64/kernel/module.c                          |   48 +-
 arch/ia64/kernel/palinfo.c                         |    2 +-
 arch/ia64/kernel/salinfo.c                         |    2 +-
 arch/ia64/kernel/sys_ia64.c                        |    7 +
 arch/ia64/kernel/topology.c                        |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                     |    2 +-
 arch/ia64/mm/fault.c                               |   32 +-
 arch/ia64/mm/init.c                                |   13 +
 arch/m32r/lib/usercopy.c                           |    6 +
 arch/mips/include/asm/atomic.h                     |   14 +
 arch/mips/include/asm/elf.h                        |   11 +-
 arch/mips/include/asm/exec.h                       |    2 +-
 arch/mips/include/asm/page.h                       |    2 +-
 arch/mips/include/asm/pgalloc.h                    |    5 +
 arch/mips/kernel/binfmt_elfn32.c                   |    7 +
 arch/mips/kernel/binfmt_elfo32.c                   |    7 +
 arch/mips/kernel/process.c                         |   12 -
 arch/mips/mm/fault.c                               |   17 +
 arch/mips/mm/mmap.c                                |   51 +-
 arch/parisc/include/asm/atomic.h                   |   10 +
 arch/parisc/include/asm/elf.h                      |    7 +
 arch/parisc/include/asm/pgalloc.h                  |    6 +
 arch/parisc/include/asm/pgtable.h                  |   11 +
 arch/parisc/include/asm/uaccess.h                  |    4 +-
 arch/parisc/kernel/module.c                        |   50 +-
 arch/parisc/kernel/sys_parisc.c                    |    9 +-
 arch/parisc/kernel/traps.c                         |    4 +-
 arch/parisc/mm/fault.c                             |  140 +-
 arch/powerpc/include/asm/atomic.h                  |   10 +
 arch/powerpc/include/asm/elf.h                     |   19 +-
 arch/powerpc/include/asm/exec.h                    |    2 +-
 arch/powerpc/include/asm/kmap_types.h              |    2 +-
 arch/powerpc/include/asm/mman.h                    |    2 +-
 arch/powerpc/include/asm/page.h                    |    8 +-
 arch/powerpc/include/asm/page_64.h                 |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h              |    7 +
 arch/powerpc/include/asm/pgtable.h                 |    1 +
 arch/powerpc/include/asm/pte-hash32.h              |    1 +
 arch/powerpc/include/asm/reg.h                     |    1 +
 arch/powerpc/include/asm/smp.h                     |    2 +-
 arch/powerpc/include/asm/uaccess.h                 |  140 +-
 arch/powerpc/kernel/exceptions-64e.S               |    4 +-
 arch/powerpc/kernel/exceptions-64s.S               |    2 +-
 arch/powerpc/kernel/module_32.c                    |   13 +-
 arch/powerpc/kernel/process.c                      |   55 -
 arch/powerpc/kernel/signal_32.c                    |    2 +-
 arch/powerpc/kernel/signal_64.c                    |    2 +-
 arch/powerpc/kernel/sysfs.c                        |    2 +-
 arch/powerpc/kernel/vdso.c                         |    5 +-
 arch/powerpc/lib/usercopy_64.c                     |   18 -
 arch/powerpc/mm/fault.c                            |   54 +-
 arch/powerpc/mm/mmap_64.c                          |   16 +
 arch/powerpc/mm/mmu_context_nohash.c               |    2 +-
 arch/powerpc/mm/numa.c                             |    2 +-
 arch/powerpc/mm/slice.c                            |   13 +-
 arch/powerpc/platforms/cell/spufs/file.c           |    4 +-
 arch/powerpc/platforms/powermac/smp.c              |    2 +-
 arch/s390/include/asm/atomic.h                     |   10 +
 arch/s390/include/asm/elf.h                        |   13 +-
 arch/s390/include/asm/exec.h                       |    2 +-
 arch/s390/include/asm/uaccess.h                    |   15 +-
 arch/s390/kernel/module.c                          |   22 +-
 arch/s390/kernel/process.c                         |   36 -
 arch/s390/mm/mmap.c                                |   24 +
 arch/score/include/asm/exec.h                      |    2 +-
 arch/score/kernel/process.c                        |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c                 |    2 +-
 arch/sh/mm/mmap.c                                  |   22 +-
 arch/sparc/include/asm/atomic_64.h                 |  106 +-
 arch/sparc/include/asm/cache.h                     |    2 +-
 arch/sparc/include/asm/elf_32.h                    |    7 +
 arch/sparc/include/asm/elf_64.h                    |    7 +
 arch/sparc/include/asm/pgalloc_32.h                |    1 +
 arch/sparc/include/asm/pgalloc_64.h                |    1 +
 arch/sparc/include/asm/pgtable_32.h                |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                  |    5 +
 arch/sparc/include/asm/spinlock_64.h               |   35 +-
 arch/sparc/include/asm/thread_info_32.h            |    2 +
 arch/sparc/include/asm/thread_info_64.h            |    2 +
 arch/sparc/include/asm/uaccess.h                   |    1 +
 arch/sparc/include/asm/uaccess_32.h                |   27 +-
 arch/sparc/include/asm/uaccess_64.h                |   19 +-
 arch/sparc/kernel/Makefile                         |    2 +-
 arch/sparc/kernel/prom_common.c                    |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                   |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                   |   48 +-
 arch/sparc/kernel/sysfs.c                          |    2 +-
 arch/sparc/kernel/traps_64.c                       |   13 +-
 arch/sparc/lib/Makefile                            |    2 +-
 arch/sparc/lib/atomic_64.S                         |  136 +-
 arch/sparc/lib/ksyms.c                             |    6 +
 arch/sparc/mm/Makefile                             |    2 +-
 arch/sparc/mm/fault_32.c                           |  292 +
 arch/sparc/mm/fault_64.c                           |  486 ++
 arch/sparc/mm/hugetlbpage.c                        |   21 +-
 arch/tile/include/asm/atomic_64.h                  |   10 +
 arch/tile/include/asm/uaccess.h                    |    4 +-
 arch/um/Makefile                                   |    4 +
 arch/um/include/asm/kmap_types.h                   |    2 +-
 arch/um/include/asm/page.h                         |    3 +
 arch/um/include/asm/pgtable-3level.h               |    1 +
 arch/um/kernel/process.c                           |   16 -
 arch/x86/Kconfig                                   |   10 +-
 arch/x86/Kconfig.cpu                               |    6 +-
 arch/x86/Kconfig.debug                             |    4 +-
 arch/x86/Makefile                                  |   10 +
 arch/x86/boot/Makefile                             |    3 +
 arch/x86/boot/bitops.h                             |    4 +-
 arch/x86/boot/boot.h                               |    4 +-
 arch/x86/boot/compressed/Makefile                  |    3 +
 arch/x86/boot/compressed/eboot.c                   |    2 -
 arch/x86/boot/compressed/efi_stub_32.S             |   16 +-
 arch/x86/boot/compressed/head_32.S                 |    7 +-
 arch/x86/boot/compressed/head_64.S                 |    8 +-
 arch/x86/boot/compressed/misc.c                    |    4 +-
 arch/x86/boot/cpucheck.c                           |   28 +-
 arch/x86/boot/header.S                             |    6 +-
 arch/x86/boot/memory.c                             |    2 +-
 arch/x86/boot/video-vesa.c                         |    1 +
 arch/x86/boot/video.c                              |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S                |    4 +
 arch/x86/crypto/aesni-intel_asm.S                  |   22 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/camellia-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S          |    7 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S          |    9 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S            |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S       |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                   |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S       |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S            |    3 +
 arch/x86/ia32/ia32_signal.c                        |   14 +-
 arch/x86/ia32/ia32entry.S                          |  141 +-
 arch/x86/ia32/sys_ia32.c                           |    4 +-
 arch/x86/include/asm/alternative-asm.h             |   39 +
 arch/x86/include/asm/alternative.h                 |    4 +-
 arch/x86/include/asm/apic.h                        |    2 +-
 arch/x86/include/asm/apm.h                         |    4 +-
 arch/x86/include/asm/atomic.h                      |  307 +-
 arch/x86/include/asm/atomic64_32.h                 |  100 +
 arch/x86/include/asm/atomic64_64.h                 |  202 +-
 arch/x86/include/asm/bitops.h                      |    4 +-
 arch/x86/include/asm/boot.h                        |    7 +-
 arch/x86/include/asm/cache.h                       |    5 +-
 arch/x86/include/asm/cacheflush.h                  |    2 +-
 arch/x86/include/asm/checksum_32.h                 |   12 +-
 arch/x86/include/asm/cmpxchg.h                     |   35 +
 arch/x86/include/asm/compat.h                      |    2 +-
 arch/x86/include/asm/cpufeature.h                  |    4 +-
 arch/x86/include/asm/desc.h                        |   67 +-
 arch/x86/include/asm/desc_defs.h                   |    6 +
 arch/x86/include/asm/div64.h                       |    2 +-
 arch/x86/include/asm/elf.h                         |   31 +-
 arch/x86/include/asm/emergency-restart.h           |    2 +-
 arch/x86/include/asm/fpu-internal.h                |    6 +-
 arch/x86/include/asm/futex.h                       |   16 +-
 arch/x86/include/asm/hw_irq.h                      |    4 +-
 arch/x86/include/asm/i8259.h                       |    2 +-
 arch/x86/include/asm/io.h                          |   21 +-
 arch/x86/include/asm/irqflags.h                    |    5 +
 arch/x86/include/asm/kprobes.h                     |    9 +-
 arch/x86/include/asm/local.h                       |  142 +-
 arch/x86/include/asm/mman.h                        |   15 +
 arch/x86/include/asm/mmu.h                         |   16 +-
 arch/x86/include/asm/mmu_context.h                 |   76 +-
 arch/x86/include/asm/module.h                      |   17 +-
 arch/x86/include/asm/nmi.h                         |    6 +-
 arch/x86/include/asm/page.h                        |    1 +
 arch/x86/include/asm/page_64.h                     |    4 +-
 arch/x86/include/asm/paravirt.h                    |   46 +-
 arch/x86/include/asm/paravirt_types.h              |   17 +-
 arch/x86/include/asm/pgalloc.h                     |   23 +
 arch/x86/include/asm/pgtable-2level.h              |    2 +
 arch/x86/include/asm/pgtable-3level.h              |    4 +
 arch/x86/include/asm/pgtable.h                     |  122 +-
 arch/x86/include/asm/pgtable_32.h                  |   14 +-
 arch/x86/include/asm/pgtable_32_types.h            |   15 +-
 arch/x86/include/asm/pgtable_64.h                  |   19 +-
 arch/x86/include/asm/pgtable_64_types.h            |    5 +
 arch/x86/include/asm/pgtable_types.h               |   36 +-
 arch/x86/include/asm/processor.h                   |   39 +-
 arch/x86/include/asm/ptrace.h                      |   26 +-
 arch/x86/include/asm/realmode.h                    |    4 +-
 arch/x86/include/asm/reboot.h                      |   10 +-
 arch/x86/include/asm/rwsem.h                       |   60 +-
 arch/x86/include/asm/segment.h                     |   24 +-
 arch/x86/include/asm/smp.h                         |   14 +-
 arch/x86/include/asm/spinlock.h                    |   36 +-
 arch/x86/include/asm/stackprotector.h              |    4 +-
 arch/x86/include/asm/stacktrace.h                  |   32 +-
 arch/x86/include/asm/switch_to.h                   |    4 +-
 arch/x86/include/asm/thread_info.h                 |   83 +-
 arch/x86/include/asm/uaccess.h                     |   96 +-
 arch/x86/include/asm/uaccess_32.h                  |  106 +-
 arch/x86/include/asm/uaccess_64.h                  |  232 +-
 arch/x86/include/asm/word-at-a-time.h              |    2 +-
 arch/x86/include/asm/x86_init.h                    |   10 +-
 arch/x86/include/asm/xsave.h                       |   10 +-
 arch/x86/include/uapi/asm/e820.h                   |    2 +-
 arch/x86/kernel/Makefile                           |    2 +-
 arch/x86/kernel/acpi/boot.c                        |    4 +-
 arch/x86/kernel/acpi/sleep.c                       |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                   |    6 +-
 arch/x86/kernel/alternative.c                      |   65 +-
 arch/x86/kernel/apic/apic.c                        |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c                |    4 +-
 arch/x86/kernel/apic/apic_noop.c                   |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                   |    2 +-
 arch/x86/kernel/apic/es7000_32.c                   |    5 +-
 arch/x86/kernel/apic/io_apic.c                     |    8 +-
 arch/x86/kernel/apic/numaq_32.c                    |    3 +-
 arch/x86/kernel/apic/probe_32.c                    |    2 +-
 arch/x86/kernel/apic/summit_32.c                   |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c              |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c                 |    2 +-
 arch/x86/kernel/apm_32.c                           |   19 +-
 arch/x86/kernel/asm-offsets.c                      |   20 +
 arch/x86/kernel/asm-offsets_64.c                   |    1 +
 arch/x86/kernel/cpu/Makefile                       |    4 -
 arch/x86/kernel/cpu/amd.c                          |    2 +-
 arch/x86/kernel/cpu/common.c                       |   75 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c              |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |   33 +-
 arch/x86/kernel/cpu/mcheck/p5.c                    |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c           |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c               |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                    |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                    |    2 +-
 arch/x86/kernel/cpu/perf_event.c                   |    8 +-
 arch/x86/kernel/cpu/perf_event_intel.c             |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c      |    4 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h      |    2 +-
 arch/x86/kernel/cpuid.c                            |    2 +-
 arch/x86/kernel/crash.c                            |    4 +-
 arch/x86/kernel/crash_dump_64.c                    |    2 +-
 arch/x86/kernel/doublefault_32.c                   |    8 +-
 arch/x86/kernel/dumpstack.c                        |   28 +-
 arch/x86/kernel/dumpstack_32.c                     |   34 +-
 arch/x86/kernel/dumpstack_64.c                     |   61 +-
 arch/x86/kernel/e820.c                             |    4 +-
 arch/x86/kernel/early_printk.c                     |    1 +
 arch/x86/kernel/entry_32.S                         |  354 +-
 arch/x86/kernel/entry_64.S                         |  548 ++-
 arch/x86/kernel/ftrace.c                           |   14 +-
 arch/x86/kernel/head64.c                           |   13 +-
 arch/x86/kernel/head_32.S                          |  237 +-
 arch/x86/kernel/head_64.S                          |  143 +-
 arch/x86/kernel/i386_ksyms_32.c                    |    8 +
 arch/x86/kernel/i387.c                             |    2 +-
 arch/x86/kernel/i8259.c                            |   10 +-
 arch/x86/kernel/io_delay.c                         |    2 +-
 arch/x86/kernel/ioport.c                           |    2 +-
 arch/x86/kernel/irq.c                              |    8 +-
 arch/x86/kernel/irq_32.c                           |   69 +-
 arch/x86/kernel/irq_64.c                           |    2 +-
 arch/x86/kernel/kdebugfs.c                         |    2 +-
 arch/x86/kernel/kgdb.c                             |   25 +-
 arch/x86/kernel/kprobes/core.c                     |   30 +-
 arch/x86/kernel/kprobes/opt.c                      |   16 +-
 arch/x86/kernel/kvm.c                              |    2 +-
 arch/x86/kernel/ldt.c                              |   31 +-
 arch/x86/kernel/machine_kexec_32.c                 |    6 +-
 arch/x86/kernel/microcode_core.c                   |    2 +-
 arch/x86/kernel/microcode_intel.c                  |    4 +-
 arch/x86/kernel/module.c                           |   76 +-
 arch/x86/kernel/msr.c                              |    2 +-
 arch/x86/kernel/nmi.c                              |   19 +-
 arch/x86/kernel/nmi_selftest.c                     |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c               |    2 +-
 arch/x86/kernel/paravirt.c                         |   43 +-
 arch/x86/kernel/pci-calgary_64.c                   |    2 +-
 arch/x86/kernel/pci-iommu_table.c                  |    2 +-
 arch/x86/kernel/pci-swiotlb.c                      |    2 +-
 arch/x86/kernel/process.c                          |   55 +-
 arch/x86/kernel/process_32.c                       |   29 +-
 arch/x86/kernel/process_64.c                       |   15 +-
 arch/x86/kernel/ptrace.c                           |   25 +-
 arch/x86/kernel/pvclock.c                          |    8 +-
 arch/x86/kernel/reboot.c                           |   44 +-
 arch/x86/kernel/relocate_kernel_64.S               |    2 +
 arch/x86/kernel/setup.c                            |   21 +-
 arch/x86/kernel/setup_percpu.c                     |   29 +-
 arch/x86/kernel/signal.c                           |   15 +-
 arch/x86/kernel/smp.c                              |    2 +-
 arch/x86/kernel/smpboot.c                          |   15 +-
 arch/x86/kernel/step.c                             |   10 +-
 arch/x86/kernel/sys_i386_32.c                      |  184 +
 arch/x86/kernel/sys_x86_64.c                       |   22 +-
 arch/x86/kernel/tboot.c                            |   14 +-
 arch/x86/kernel/time.c                             |   10 +-
 arch/x86/kernel/tls.c                              |    7 +-
 arch/x86/kernel/traps.c                            |   64 +-
 arch/x86/kernel/uprobes.c                          |    4 +-
 arch/x86/kernel/vm86_32.c                          |    6 +-
 arch/x86/kernel/vmlinux.lds.S                      |  148 +-
 arch/x86/kernel/vsyscall_64.c                      |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                   |    2 -
 arch/x86/kernel/x86_init.c                         |    8 +-
 arch/x86/kernel/xsave.c                            |    2 +
 arch/x86/kvm/cpuid.c                               |   21 +-
 arch/x86/kvm/emulate.c                             |    4 +-
 arch/x86/kvm/lapic.c                               |    2 +-
 arch/x86/kvm/paging_tmpl.h                         |    2 +-
 arch/x86/kvm/svm.c                                 |    8 +
 arch/x86/kvm/vmx.c                                 |   61 +-
 arch/x86/kvm/x86.c                                 |    8 +-
 arch/x86/lguest/boot.c                             |    3 +-
 arch/x86/lib/atomic64_386_32.S                     |  164 +
 arch/x86/lib/atomic64_cx8_32.S                     |  103 +-
 arch/x86/lib/checksum_32.S                         |  100 +-
 arch/x86/lib/clear_page_64.S                       |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                      |    2 +
 arch/x86/lib/copy_page_64.S                        |   24 +-
 arch/x86/lib/copy_user_64.S                        |   47 +-
 arch/x86/lib/copy_user_nocache_64.S                |   20 +-
 arch/x86/lib/csum-copy_64.S                        |    2 +
 arch/x86/lib/csum-wrappers_64.c                    |    4 +-
 arch/x86/lib/getuser.S                             |   70 +-
 arch/x86/lib/insn.c                                |    6 +-
 arch/x86/lib/iomap_copy_64.S                       |    2 +
 arch/x86/lib/memcpy_64.S                           |   18 +-
 arch/x86/lib/memmove_64.S                          |   34 +-
 arch/x86/lib/memset_64.S                           |    7 +-
 arch/x86/lib/mmx_32.c                              |  243 +-
 arch/x86/lib/msr-reg.S                             |   18 +-
 arch/x86/lib/putuser.S                             |   90 +-
 arch/x86/lib/rwlock.S                              |   42 +
 arch/x86/lib/rwsem.S                               |    6 +-
 arch/x86/lib/thunk_64.S                            |    2 +
 arch/x86/lib/usercopy_32.c                         |  363 +-
 arch/x86/lib/usercopy_64.c                         |   13 +-
 arch/x86/mm/extable.c                              |   25 +-
 arch/x86/mm/fault.c                                |  556 ++-
 arch/x86/mm/gup.c                                  |    2 +-
 arch/x86/mm/highmem_32.c                           |    4 +
 arch/x86/mm/hugetlbpage.c                          |   30 +-
 arch/x86/mm/init.c                                 |   98 +-
 arch/x86/mm/init_32.c                              |  113 +-
 arch/x86/mm/init_64.c                              |   38 +-
 arch/x86/mm/iomap_32.c                             |    4 +
 arch/x86/mm/ioremap.c                              |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                  |    4 +-
 arch/x86/mm/mmap.c                                 |   41 +-
 arch/x86/mm/mmio-mod.c                             |   10 +-
 arch/x86/mm/numa.c                                 |    2 +-
 arch/x86/mm/pageattr-test.c                        |    2 +-
 arch/x86/mm/pageattr.c                             |   33 +-
 arch/x86/mm/pat.c                                  |   12 +-
 arch/x86/mm/pat_rbtree.c                           |    2 +-
 arch/x86/mm/pf_in.c                                |   10 +-
 arch/x86/mm/pgtable.c                              |  137 +-
 arch/x86/mm/pgtable_32.c                           |    3 +
 arch/x86/mm/physaddr.c                             |    4 +-
 arch/x86/mm/setup_nx.c                             |    7 +
 arch/x86/mm/tlb.c                                  |    4 +
 arch/x86/net/bpf_jit.S                             |   14 +
 arch/x86/net/bpf_jit_comp.c                        |   37 +-
 arch/x86/oprofile/backtrace.c                      |    8 +-
 arch/x86/oprofile/nmi_int.c                        |    8 +-
 arch/x86/oprofile/op_model_amd.c                   |    8 +-
 arch/x86/oprofile/op_model_ppro.c                  |    7 +-
 arch/x86/oprofile/op_x86_model.h                   |    2 +-
 arch/x86/pci/amd_bus.c                             |    2 +-
 arch/x86/pci/irq.c                                 |    8 +-
 arch/x86/pci/mrst.c                                |    4 +-
 arch/x86/pci/pcbios.c                              |  144 +-
 arch/x86/platform/efi/efi_32.c                     |   24 +
 arch/x86/platform/efi/efi_64.c                     |   10 +
 arch/x86/platform/efi/efi_stub_32.S                |   64 +-
 arch/x86/platform/efi/efi_stub_64.S                |    8 +
 arch/x86/platform/mrst/mrst.c                      |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                   |    2 +-
 arch/x86/power/cpu.c                               |   11 +-
 arch/x86/realmode/init.c                           |   10 +-
 arch/x86/realmode/rm/Makefile                      |    3 +
 arch/x86/realmode/rm/header.S                      |    4 +-
 arch/x86/realmode/rm/trampoline_32.S               |   12 +-
 arch/x86/realmode/rm/trampoline_64.S               |    2 +-
 arch/x86/tools/Makefile                            |    2 +-
 arch/x86/tools/relocs.c                            |   94 +-
 arch/x86/um/tls_32.c                               |    2 +-
 arch/x86/vdso/Makefile                             |    2 +-
 arch/x86/vdso/vdso32-setup.c                       |   23 +-
 arch/x86/vdso/vma.c                                |   29 +-
 arch/x86/xen/enlighten.c                           |   47 +-
 arch/x86/xen/mmu.c                                 |    9 +
 arch/x86/xen/smp.c                                 |   18 +-
 arch/x86/xen/xen-asm_32.S                          |   12 +-
 arch/x86/xen/xen-head.S                            |   11 +
 arch/x86/xen/xen-ops.h                             |    2 -
 block/blk-iopoll.c                                 |    4 +-
 block/blk-map.c                                    |    2 +-
 block/blk-softirq.c                                |    4 +-
 block/bsg.c                                        |   12 +-
 block/compat_ioctl.c                               |    2 +-
 block/genhd.c                                      |   11 +-
 block/partitions/efi.c                             |    8 +-
 block/scsi_ioctl.c                                 |   27 +-
 crypto/algapi.c                                    |    2 +-
 crypto/cryptd.c                                    |    4 +-
 crypto/pcrypt.c                                    |    6 +-
 drivers/acpi/apei/apei-internal.h                  |    2 +-
 drivers/acpi/apei/cper.c                           |    8 +-
 drivers/acpi/bgrt.c                                |    6 +-
 drivers/acpi/blacklist.c                           |    4 +-
 drivers/acpi/ec_sys.c                              |   12 +-
 drivers/acpi/processor_idle.c                      |    2 +-
 drivers/acpi/sysfs.c                               |    4 +-
 drivers/ata/libahci.c                              |    2 +-
 drivers/ata/libata-core.c                          |    8 +-
 drivers/ata/pata_arasan_cf.c                       |    4 +-
 drivers/atm/adummy.c                               |    2 +-
 drivers/atm/ambassador.c                           |    8 +-
 drivers/atm/atmtcp.c                               |   14 +-
 drivers/atm/eni.c                                  |   10 +-
 drivers/atm/firestream.c                           |    8 +-
 drivers/atm/fore200e.c                             |   14 +-
 drivers/atm/he.c                                   |   18 +-
 drivers/atm/horizon.c                              |    4 +-
 drivers/atm/idt77252.c                             |   36 +-
 drivers/atm/iphase.c                               |   34 +-
 drivers/atm/lanai.c                                |   12 +-
 drivers/atm/nicstar.c                              |   46 +-
 drivers/atm/solos-pci.c                            |    4 +-
 drivers/atm/suni.c                                 |    4 +-
 drivers/atm/uPD98402.c                             |   16 +-
 drivers/atm/zatm.c                                 |    6 +-
 drivers/base/attribute_container.c                 |    2 +-
 drivers/base/bus.c                                 |    4 +-
 drivers/base/devtmpfs.c                            |    8 +-
 drivers/base/node.c                                |    2 +-
 drivers/base/power/domain.c                        |    4 +-
 drivers/base/power/sysfs.c                         |    2 +-
 drivers/base/power/wakeup.c                        |    8 +-
 drivers/base/syscore.c                             |    4 +-
 drivers/block/cciss.c                              |   28 +-
 drivers/block/cciss.h                              |    2 +-
 drivers/block/cpqarray.c                           |   28 +-
 drivers/block/cpqarray.h                           |    2 +-
 drivers/block/drbd/drbd_int.h                      |    6 +-
 drivers/block/drbd/drbd_main.c                     |    8 +-
 drivers/block/drbd/drbd_receiver.c                 |   22 +-
 drivers/block/loop.c                               |    2 +-
 drivers/block/nbd.c                                |    2 +-
 drivers/block/pktcdvd.c                            |    2 +-
 drivers/cdrom/cdrom.c                              |   11 +-
 drivers/cdrom/gdrom.c                              |    1 -
 drivers/char/agp/compat_ioctl.c                    |    2 +-
 drivers/char/agp/frontend.c                        |    4 +-
 drivers/char/hpet.c                                |    2 +-
 drivers/char/hw_random/intel-rng.c                 |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c                |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                   |    8 +-
 drivers/char/mem.c                                 |   45 +-
 drivers/char/nvram.c                               |    2 +-
 drivers/char/pcmcia/synclink_cs.c                  |   18 +-
 drivers/char/random.c                              |   10 +-
 drivers/char/sonypi.c                              |    9 +-
 drivers/char/tpm/tpm_acpi.c                        |    3 +-
 drivers/char/tpm/tpm_eventlog.c                    |    7 +-
 drivers/char/virtio_console.c                      |    4 +-
 drivers/clk/clk-composite.c                        |    2 +-
 drivers/clocksource/arm_arch_timer.c               |    2 +-
 drivers/clocksource/metag_generic.c                |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                     |   20 +-
 drivers/cpufreq/cpufreq.c                          |    9 +-
 drivers/cpufreq/cpufreq_governor.c                 |    6 +-
 drivers/cpufreq/cpufreq_governor.h                 |    2 +-
 drivers/cpufreq/cpufreq_ondemand.c                 |    8 +-
 drivers/cpufreq/cpufreq_stats.c                    |    2 +-
 drivers/cpufreq/p4-clockmod.c                      |   12 +-
 drivers/cpufreq/sparc-us3-cpufreq.c                |   69 +-
 drivers/cpufreq/speedstep-centrino.c               |    7 +-
 drivers/cpuidle/cpuidle.c                          |    2 +-
 drivers/cpuidle/governor.c                         |    4 +-
 drivers/cpuidle/sysfs.c                            |    2 +-
 drivers/devfreq/devfreq.c                          |    6 +-
 drivers/dma/sh/shdma.c                             |    2 +-
 drivers/edac/edac_mc_sysfs.c                       |   12 +-
 drivers/edac/edac_pci_sysfs.c                      |   22 +-
 drivers/edac/mce_amd.h                             |    2 +-
 drivers/firewire/core-card.c                       |    2 +-
 drivers/firewire/core-device.c                     |    2 +-
 drivers/firewire/core-transaction.c                |    1 +
 drivers/firewire/core.h                            |    1 +
 drivers/firmware/dmi-id.c                          |    2 +-
 drivers/firmware/dmi_scan.c                        |    7 +-
 drivers/firmware/efi/efi.c                         |   12 +-
 drivers/firmware/efi/efivars.c                     |    2 +-
 drivers/firmware/google/memconsole.c               |    4 +-
 drivers/gpio/gpio-ich.c                            |    2 +-
 drivers/gpio/gpio-vr41xx.c                         |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                  |    2 +-
 drivers/gpu/drm/drm_drv.c                          |    6 +-
 drivers/gpu/drm/drm_fops.c                         |   18 +-
 drivers/gpu/drm/drm_global.c                       |   14 +-
 drivers/gpu/drm/drm_info.c                         |   14 +-
 drivers/gpu/drm/drm_ioc32.c                        |   13 +-
 drivers/gpu/drm/drm_ioctl.c                        |    2 +-
 drivers/gpu/drm/drm_lock.c                         |    4 +-
 drivers/gpu/drm/drm_stub.c                         |    2 +-
 drivers/gpu/drm/drm_sysfs.c                        |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                    |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c                |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                    |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c         |    4 +-
 drivers/gpu/drm/i915/i915_ioc32.c                  |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                    |   22 +-
 drivers/gpu/drm/i915/intel_display.c               |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                      |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                    |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                      |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c             |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h              |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c              |    4 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c              |    2 +-
 drivers/gpu/drm/qxl/qxl_ttm.c                      |   38 +-
 drivers/gpu/drm/r128/r128_cce.c                    |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                    |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                  |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                    |    4 +-
 drivers/gpu/drm/r128/r128_state.c                  |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c                |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c             |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h                |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c              |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c                |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c                |   57 +-
 drivers/gpu/drm/radeon/rs690.c                     |    4 +-
 drivers/gpu/drm/ttm/ttm_memory.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c               |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                       |    1 -
 drivers/gpu/drm/via/via_drv.h                      |    4 +-
 drivers/gpu/drm/via/via_irq.c                      |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h                |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c               |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c                |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c             |    2 +-
 drivers/hid/hid-core.c                             |    4 +-
 drivers/hv/channel.c                               |    4 +-
 drivers/hv/hv.c                                    |    2 +-
 drivers/hv/hyperv_vmbus.h                          |    2 +-
 drivers/hv/vmbus_drv.c                             |    4 +-
 drivers/hwmon/acpi_power_meter.c                   |    4 +-
 drivers/hwmon/applesmc.c                           |    2 +-
 drivers/hwmon/asus_atk0110.c                       |   10 +-
 drivers/hwmon/coretemp.c                           |    2 +-
 drivers/hwmon/ibmaem.c                             |    2 +-
 drivers/hwmon/iio_hwmon.c                          |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +-
 drivers/hwmon/sht15.c                              |   12 +-
 drivers/hwmon/via-cputemp.c                        |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c              |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c             |    2 +-
 drivers/i2c/i2c-dev.c                              |    2 +-
 drivers/ide/ide-cd.c                               |    2 +-
 drivers/iio/industrialio-core.c                    |    2 +-
 drivers/infiniband/core/cm.c                       |   32 +-
 drivers/infiniband/core/fmr_pool.c                 |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                  |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c             |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c            |    6 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c            |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c             |    2 +-
 drivers/infiniband/hw/nes/nes.c                    |    4 +-
 drivers/infiniband/hw/nes/nes.h                    |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c                 |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c                |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c                |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c              |   10 +-
 drivers/infiniband/hw/qib/qib.h                    |    1 +
 drivers/input/gameport/gameport.c                  |    4 +-
 drivers/input/input.c                              |    4 +-
 drivers/input/joystick/sidewinder.c                |    1 +
 drivers/input/joystick/xpad.c                      |    4 +-
 drivers/input/mouse/psmouse.h                      |    2 +-
 drivers/input/mousedev.c                           |    2 +-
 drivers/input/serio/serio.c                        |    4 +-
 drivers/iommu/iommu.c                              |    2 +-
 drivers/iommu/irq_remapping.c                      |   12 +-
 drivers/irqchip/irq-gic.c                          |    4 +-
 drivers/isdn/capi/capi.c                           |   10 +-
 drivers/isdn/gigaset/interface.c                   |    8 +-
 drivers/isdn/hardware/avm/b1.c                     |    4 +-
 drivers/isdn/i4l/isdn_tty.c                        |   22 +-
 drivers/isdn/icn/icn.c                             |    2 +-
 drivers/leds/leds-clevo-mail.c                     |    2 +-
 drivers/leds/leds-ss4200.c                         |    2 +-
 drivers/lguest/core.c                              |   10 +-
 drivers/lguest/page_tables.c                       |    2 +-
 drivers/lguest/x86/core.c                          |   12 +-
 drivers/lguest/x86/switcher_32.S                   |   27 +-
 drivers/md/bcache/closure.h                        |    2 +-
 drivers/md/bitmap.c                                |    2 +-
 drivers/md/dm-ioctl.c                              |    2 +-
 drivers/md/dm-raid1.c                              |   16 +-
 drivers/md/dm-stripe.c                             |   10 +-
 drivers/md/dm-table.c                              |    2 +-
 drivers/md/dm-thin-metadata.c                      |    4 +-
 drivers/md/dm.c                                    |   16 +-
 drivers/md/md.c                                    |   26 +-
 drivers/md/md.h                                    |    6 +-
 drivers/md/persistent-data/dm-space-map.h          |    1 +
 drivers/md/raid1.c                                 |    4 +-
 drivers/md/raid10.c                                |   16 +-
 drivers/md/raid5.c                                 |   10 +-
 drivers/media/dvb-core/dvbdev.c                    |    2 +-
 drivers/media/dvb-frontends/dib3000.h              |    2 +-
 drivers/media/pci/cx88/cx88-video.c                |    6 +-
 drivers/media/platform/omap/omap_vout.c            |   11 +-
 drivers/media/platform/s5p-tv/mixer.h              |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c    |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c          |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c        |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c     |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                  |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c                 |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |    6 +-
 drivers/media/v4l2-core/v4l2-ioctl.c               |   11 +-
 drivers/message/fusion/mptsas.c                    |   34 +-
 drivers/message/fusion/mptscsih.c                  |   19 +-
 drivers/message/i2o/i2o_proc.c                     |   51 +-
 drivers/message/i2o/iop.c                          |    8 +-
 drivers/mfd/janz-cmodio.c                          |    1 +
 drivers/mfd/twl4030-irq.c                          |    9 +-
 drivers/mfd/twl6030-irq.c                          |   10 +-
 drivers/misc/c2port/core.c                         |    4 +-
 drivers/misc/kgdbts.c                              |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c                 |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h                 |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                  |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                   |    8 +-
 drivers/misc/sgi-gru/grutables.h                   |  154 +-
 drivers/misc/sgi-xp/xp.h                           |    2 +-
 drivers/misc/sgi-xp/xpc.h                          |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                     |    4 +-
 drivers/mmc/core/mmc_ops.c                         |    2 +-
 drivers/mmc/host/dw_mmc.h                          |    2 +-
 drivers/mmc/host/sdhci-s3c.c                       |    8 +-
 drivers/mtd/nand/denali.c                          |    1 +
 drivers/mtd/nftlmount.c                            |    1 +
 drivers/mtd/sm_ftl.c                               |    2 +-
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/ethernet/8390/ax88796.c                |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h    |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c     |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h     |    3 +-
 drivers/net/ethernet/broadcom/tg3.h                |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h           |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c             |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c           |    2 +
 drivers/net/ethernet/faraday/ftmac100.c            |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c       |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c   |    7 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +-
 drivers/net/ethernet/realtek/r8169.c               |    8 +-
 drivers/net/ethernet/sfc/ptp.c                     |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c     |    4 +-
 drivers/net/hyperv/hyperv_net.h                    |    2 +-
 drivers/net/hyperv/rndis_filter.c                  |    4 +-
 drivers/net/ieee802154/fakehard.c                  |    2 +-
 drivers/net/macvlan.c                              |   18 +-
 drivers/net/macvtap.c                              |    2 +-
 drivers/net/ppp/ppp_generic.c                      |    4 +-
 drivers/net/slip/slhc.c                            |    2 +-
 drivers/net/team/team.c                            |    2 +-
 drivers/net/tun.c                                  |    5 +-
 drivers/net/usb/hso.c                              |   23 +-
 drivers/net/vxlan.c                                |    2 +-
 drivers/net/wireless/at76c50x-usb.c                |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c        |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c        |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h                |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c           |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c         |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c          |    4 +-
 drivers/net/wireless/mac80211_hwsim.c              |   32 +-
 drivers/net/wireless/rndis_wlan.c                  |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h               |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c          |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c              |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c              |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c              |    6 +-
 drivers/oprofile/buffer_sync.c                     |    8 +-
 drivers/oprofile/event_buffer.c                    |    2 +-
 drivers/oprofile/oprof.c                           |    2 +-
 drivers/oprofile/oprofile_files.c                  |    2 +-
 drivers/oprofile/oprofile_stats.c                  |   10 +-
 drivers/oprofile/oprofile_stats.h                  |   10 +-
 drivers/oprofile/oprofilefs.c                      |    2 +-
 drivers/oprofile/timer_int.c                       |    2 +-
 drivers/parport/procfs.c                           |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                  |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c               |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c                |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c                 |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c             |    6 +-
 drivers/pci/hotplug/pciehp_core.c                  |    2 +-
 drivers/pci/pci-sysfs.c                            |    6 +-
 drivers/pci/pci.h                                  |    2 +-
 drivers/pci/pcie/aspm.c                            |    6 +-
 drivers/pci/probe.c                                |    2 +-
 drivers/platform/x86/chromeos_laptop.c             |    2 +-
 drivers/platform/x86/msi-laptop.c                  |   14 +-
 drivers/platform/x86/sony-laptop.c                 |    2 +-
 drivers/platform/x86/thinkpad_acpi.c               |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                    |   14 +-
 drivers/pnp/resource.c                             |    4 +-
 drivers/power/pda_power.c                          |    7 +-
 drivers/power/power_supply.h                       |    4 +-
 drivers/power/power_supply_core.c                  |    7 +-
 drivers/power/power_supply_sysfs.c                 |    6 +-
 drivers/regulator/max8660.c                        |    6 +-
 drivers/regulator/max8973-regulator.c              |    8 +-
 drivers/regulator/mc13892-regulator.c              |    6 +-
 drivers/rtc/rtc-cmos.c                             |    4 +-
 drivers/rtc/rtc-ds1307.c                           |    2 +-
 drivers/rtc/rtc-m48t59.c                           |    4 +-
 drivers/scsi/bfa/bfa_fcpim.h                       |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                         |    4 +-
 drivers/scsi/hosts.c                               |    4 +-
 drivers/scsi/hpsa.c                                |   30 +-
 drivers/scsi/hpsa.h                                |    2 +-
 drivers/scsi/libfc/fc_exch.c                       |   50 +-
 drivers/scsi/libsas/sas_ata.c                      |    2 +-
 drivers/scsi/lpfc/lpfc.h                           |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                   |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                      |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                      |   16 +-
 drivers/scsi/pmcraid.c                             |   20 +-
 drivers/scsi/pmcraid.h                             |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                    |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                     |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                      |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                     |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                      |    6 +-
 drivers/scsi/scsi.c                                |    2 +-
 drivers/scsi/scsi_lib.c                            |    6 +-
 drivers/scsi/scsi_sysfs.c                          |    2 +-
 drivers/scsi/scsi_tgt_lib.c                        |    2 +-
 drivers/scsi/scsi_transport_fc.c                   |    8 +-
 drivers/scsi/scsi_transport_iscsi.c                |    6 +-
 drivers/scsi/scsi_transport_srp.c                  |    6 +-
 drivers/scsi/sd.c                                  |    2 +-
 drivers/scsi/sg.c                                  |    2 +-
 drivers/spi/spi.c                                  |    2 +-
 drivers/staging/media/solo6x10/solo6x10-core.c     |    2 +-
 drivers/staging/octeon/ethernet-rx.c               |   12 +-
 drivers/staging/octeon/ethernet.c                  |    8 +-
 drivers/staging/rtl8712/rtl871x_io.h               |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c                 |    2 +-
 drivers/staging/usbip/vhci.h                       |    2 +-
 drivers/staging/usbip/vhci_hcd.c                   |    6 +-
 drivers/staging/usbip/vhci_rx.c                    |    2 +-
 drivers/staging/vt6655/hostap.c                    |    7 +-
 drivers/staging/vt6656/hostap.c                    |    7 +-
 drivers/staging/zcache/tmem.c                      |    4 +-
 drivers/staging/zcache/tmem.h                      |    2 +
 drivers/target/target_core_device.c                |    2 +-
 drivers/target/target_core_transport.c             |    2 +-
 drivers/tty/cyclades.c                             |    6 +-
 drivers/tty/hvc/hvc_console.c                      |   14 +-
 drivers/tty/hvc/hvcs.c                             |   21 +-
 drivers/tty/ipwireless/tty.c                       |   27 +-
 drivers/tty/moxa.c                                 |    2 +-
 drivers/tty/n_gsm.c                                |    4 +-
 drivers/tty/n_tty.c                                |    3 +-
 drivers/tty/pty.c                                  |    4 +-
 drivers/tty/rocket.c                               |    6 +-
 drivers/tty/serial/kgdboc.c                        |   32 +-
 drivers/tty/serial/samsung.c                       |    9 +-
 drivers/tty/serial/serial_core.c                   |    8 +-
 drivers/tty/synclink.c                             |   34 +-
 drivers/tty/synclink_gt.c                          |   28 +-
 drivers/tty/synclinkmp.c                           |   34 +-
 drivers/tty/tty_io.c                               |    2 +-
 drivers/tty/tty_ldisc.c                            |   10 +-
 drivers/tty/tty_port.c                             |   22 +-
 drivers/uio/uio.c                                  |   21 +-
 drivers/usb/atm/cxacru.c                           |    2 +-
 drivers/usb/atm/usbatm.c                           |   24 +-
 drivers/usb/core/devices.c                         |    6 +-
 drivers/usb/core/hcd.c                             |    4 +-
 drivers/usb/core/message.c                         |    2 +-
 drivers/usb/core/sysfs.c                           |    2 +-
 drivers/usb/core/usb.c                             |    2 +-
 drivers/usb/early/ehci-dbgp.c                      |   16 +-
 drivers/usb/gadget/u_serial.c                      |   22 +-
 drivers/usb/serial/console.c                       |    6 +-
 drivers/usb/storage/usb.h                          |    2 +-
 drivers/usb/wusbcore/wa-hc.h                       |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                     |    2 +-
 drivers/vhost/vringh.c                             |    2 +-
 drivers/video/aty/aty128fb.c                       |    2 +-
 drivers/video/aty/atyfb_base.c                     |    8 +-
 drivers/video/aty/mach64_cursor.c                  |    5 +-
 drivers/video/backlight/kb3886_bl.c                |    2 +-
 drivers/video/fb_defio.c                           |    6 +-
 drivers/video/fbcmap.c                             |    3 +-
 drivers/video/fbmem.c                              |    6 +-
 drivers/video/i810/i810_accel.c                    |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c            |   16 +-
 drivers/video/nvidia/nvidia.c                      |   27 +-
 drivers/video/output.c                             |    2 +-
 drivers/video/s1d13xxxfb.c                         |    6 +-
 drivers/video/smscufx.c                            |    4 +-
 drivers/video/udlfb.c                              |   36 +-
 drivers/video/uvesafb.c                            |   53 +-
 drivers/video/vesafb.c                             |   58 +-
 drivers/video/via/via_clock.h                      |    2 +-
 fs/9p/vfs_addr.c                                   |    2 +-
 fs/9p/vfs_inode.c                                  |    2 +-
 fs/Kconfig.binfmt                                  |    2 +-
 fs/aio.c                                           |   12 +-
 fs/autofs4/waitq.c                                 |    2 +-
 fs/befs/endian.h                                   |    4 +-
 fs/befs/linuxvfs.c                                 |    2 +-
 fs/binfmt_aout.c                                   |   23 +-
 fs/binfmt_elf.c                                    |  607 ++-
 fs/binfmt_flat.c                                   |    6 +
 fs/bio.c                                           |    6 +-
 fs/block_dev.c                                     |    2 +-
 fs/btrfs/ctree.c                                   |    9 +-
 fs/btrfs/super.c                                   |    2 +-
 fs/cachefiles/bind.c                               |    6 +-
 fs/cachefiles/daemon.c                             |    8 +-
 fs/cachefiles/internal.h                           |   12 +-
 fs/cachefiles/namei.c                              |    2 +-
 fs/cachefiles/proc.c                               |   12 +-
 fs/cachefiles/rdwr.c                               |    2 +-
 fs/ceph/dir.c                                      |    2 +-
 fs/cifs/cifs_debug.c                               |   12 +-
 fs/cifs/cifsfs.c                                   |    8 +-
 fs/cifs/cifsglob.h                                 |   54 +-
 fs/cifs/link.c                                     |    2 +-
 fs/cifs/misc.c                                     |    4 +-
 fs/cifs/smb1ops.c                                  |   80 +-
 fs/cifs/smb2ops.c                                  |   84 +-
 fs/cifs/smb2pdu.c                                  |    3 +-
 fs/coda/cache.c                                    |   10 +-
 fs/compat.c                                        |    6 +-
 fs/compat_binfmt_elf.c                             |    2 +
 fs/compat_ioctl.c                                  |   12 +-
 fs/configfs/dir.c                                  |   10 +-
 fs/coredump.c                                      |   24 +-
 fs/dcache.c                                        |    2 +-
 fs/ecryptfs/inode.c                                |    4 +-
 fs/ecryptfs/miscdev.c                              |    2 +-
 fs/exec.c                                          |  362 ++-
 fs/ext4/ext4.h                                     |   20 +-
 fs/ext4/mballoc.c                                  |   44 +-
 fs/ext4/mmp.c                                      |    2 +-
 fs/ext4/super.c                                    |    4 +-
 fs/fhandle.c                                       |    3 +-
 fs/fs_struct.c                                     |    8 +-
 fs/fscache/cookie.c                                |   36 +-
 fs/fscache/internal.h                              |  196 +-
 fs/fscache/object.c                                |   28 +-
 fs/fscache/operation.c                             |   30 +-
 fs/fscache/page.c                                  |  110 +-
 fs/fscache/stats.c                                 |  344 +-
 fs/fuse/cuse.c                                     |   10 +-
 fs/fuse/dev.c                                      |    4 +-
 fs/fuse/dir.c                                      |    2 +-
 fs/gfs2/inode.c                                    |    2 +-
 fs/hugetlbfs/inode.c                               |   13 +-
 fs/inode.c                                         |    4 +-
 fs/jffs2/erase.c                                   |    3 +-
 fs/jffs2/wbuf.c                                    |    3 +-
 fs/jfs/super.c                                     |    2 +-
 fs/libfs.c                                         |   10 +-
 fs/lockd/clntproc.c                                |    4 +-
 fs/lockd/svc.c                                     |    2 +-
 fs/locks.c                                         |    8 +-
 fs/namei.c                                         |   15 +-
 fs/namespace.c                                     |   10 +-
 fs/nfs/callback.c                                  |    4 +-
 fs/nfs/callback_xdr.c                              |    2 +-
 fs/nfs/inode.c                                     |    6 +-
 fs/nfs/nfs4state.c                                 |    2 +-
 fs/nfsd/nfs4proc.c                                 |    2 +-
 fs/nfsd/nfs4xdr.c                                  |    6 +-
 fs/nfsd/nfscache.c                                 |    9 +-
 fs/nfsd/vfs.c                                      |    6 +-
 fs/nls/nls_base.c                                  |   18 +-
 fs/nls/nls_euc-jp.c                                |    6 +-
 fs/nls/nls_koi8-ru.c                               |    6 +-
 fs/notify/fanotify/fanotify_user.c                 |    4 +-
 fs/notify/notification.c                           |    4 +-
 fs/ntfs/dir.c                                      |    2 +-
 fs/ntfs/file.c                                     |    4 +-
 fs/ocfs2/localalloc.c                              |    2 +-
 fs/ocfs2/ocfs2.h                                   |   10 +-
 fs/ocfs2/suballoc.c                                |   12 +-
 fs/ocfs2/super.c                                   |   20 +-
 fs/pipe.c                                          |   61 +-
 fs/proc/array.c                                    |   20 +
 fs/proc/base.c                                     |    4 +-
 fs/proc/kcore.c                                    |   32 +-
 fs/proc/meminfo.c                                  |    2 +-
 fs/proc/nommu.c                                    |    2 +-
 fs/proc/proc_sysctl.c                              |   18 +-
 fs/proc/self.c                                     |    2 +-
 fs/proc/task_mmu.c                                 |   39 +-
 fs/proc/task_nommu.c                               |    4 +-
 fs/proc/vmcore.c                                   |   12 +-
 fs/qnx6/qnx6.h                                     |    4 +-
 fs/quota/netlink.c                                 |    4 +-
 fs/read_write.c                                    |    2 +-
 fs/readdir.c                                       |    2 +-
 fs/reiserfs/do_balan.c                             |    2 +-
 fs/reiserfs/procfs.c                               |    2 +-
 fs/reiserfs/reiserfs.h                             |    4 +-
 fs/seq_file.c                                      |    2 +-
 fs/splice.c                                        |   40 +-
 fs/sysfs/bin.c                                     |    6 +-
 fs/sysfs/dir.c                                     |    2 +-
 fs/sysfs/file.c                                    |   10 +-
 fs/sysfs/symlink.c                                 |    2 +-
 fs/sysv/sysv.h                                     |    2 +-
 fs/ubifs/io.c                                      |    2 +-
 fs/udf/misc.c                                      |    2 +-
 fs/ufs/swab.h                                      |    4 +-
 fs/xattr.c                                         |   21 +
 fs/xattr_acl.c                                     |    4 +-
 fs/xfs/xfs_bmap.c                                  |    2 +-
 fs/xfs/xfs_dir2_sf.c                               |   10 +-
 fs/xfs/xfs_ioctl.c                                 |    2 +-
 fs/xfs/xfs_iops.c                                  |    2 +-
 include/asm-generic/4level-fixup.h                 |    2 +
 include/asm-generic/atomic-long.h                  |  210 +
 include/asm-generic/atomic.h                       |    2 +-
 include/asm-generic/atomic64.h                     |   12 +
 include/asm-generic/cache.h                        |    4 +-
 include/asm-generic/emergency-restart.h            |    2 +-
 include/asm-generic/kmap_types.h                   |    4 +-
 include/asm-generic/local.h                        |   13 +
 include/asm-generic/pgtable-nopmd.h                |   18 +-
 include/asm-generic/pgtable-nopud.h                |   15 +-
 include/asm-generic/pgtable.h                      |    8 +
 include/asm-generic/vmlinux.lds.h                  |   10 +-
 include/crypto/algapi.h                            |    2 +-
 include/drm/drmP.h                                 |   17 +-
 include/drm/drm_crtc_helper.h                      |    2 +-
 include/drm/ttm/ttm_memory.h                       |    2 +-
 include/keys/asymmetric-subtype.h                  |    2 +-
 include/linux/atmdev.h                             |    4 +-
 include/linux/binfmts.h                            |    3 +-
 include/linux/blkdev.h                             |    2 +-
 include/linux/blktrace_api.h                       |    2 +-
 include/linux/cache.h                              |    4 +
 include/linux/cdrom.h                              |    1 -
 include/linux/cleancache.h                         |    2 +-
 include/linux/clk-provider.h                       |    1 +
 include/linux/compat.h                             |    4 +-
 include/linux/compiler-gcc4.h                      |   20 +
 include/linux/compiler.h                           |   65 +-
 include/linux/completion.h                         |    6 +-
 include/linux/configfs.h                           |    2 +-
 include/linux/cpu.h                                |    2 +-
 include/linux/cpufreq.h                            |    3 +-
 include/linux/cpuidle.h                            |    5 +-
 include/linux/cpumask.h                            |   12 +-
 include/linux/crypto.h                             |    6 +-
 include/linux/ctype.h                              |    2 +-
 include/linux/decompress/mm.h                      |    2 +-
 include/linux/devfreq.h                            |    2 +-
 include/linux/device.h                             |    7 +-
 include/linux/dma-mapping.h                        |    2 +-
 include/linux/dmaengine.h                          |    4 +-
 include/linux/efi.h                                |    1 +
 include/linux/elf.h                                |    2 +
 include/linux/err.h                                |    4 +-
 include/linux/extcon.h                             |    2 +-
 include/linux/fb.h                                 |    2 +-
 include/linux/filter.h                             |    4 +
 include/linux/frontswap.h                          |    2 +-
 include/linux/fs.h                                 |    3 +-
 include/linux/fs_struct.h                          |    2 +-
 include/linux/fscache-cache.h                      |    4 +-
 include/linux/fscache.h                            |    2 +-
 include/linux/fsnotify.h                           |    2 +-
 include/linux/genhd.h                              |    2 +-
 include/linux/genl_magic_func.h                    |    2 +-
 include/linux/gfp.h                                |   12 +-
 include/linux/highmem.h                            |   12 +
 include/linux/hwmon-sysfs.h                        |    5 +-
 include/linux/i2c.h                                |    1 +
 include/linux/i2o.h                                |    2 +-
 include/linux/if_pppox.h                           |    2 +-
 include/linux/init.h                               |   33 +-
 include/linux/init_task.h                          |    7 +
 include/linux/interrupt.h                          |    8 +-
 include/linux/iommu.h                              |    2 +-
 include/linux/ioport.h                             |    2 +-
 include/linux/irq.h                                |    3 +-
 include/linux/irqchip/arm-gic.h                    |    4 +-
 include/linux/key-type.h                           |    2 +-
 include/linux/kgdb.h                               |    6 +-
 include/linux/kobject.h                            |    3 +-
 include/linux/kobject_ns.h                         |    2 +-
 include/linux/kref.h                               |    2 +-
 include/linux/kvm_host.h                           |    4 +-
 include/linux/libata.h                             |    2 +-
 include/linux/list.h                               |   15 +
 include/linux/math64.h                             |    6 +-
 include/linux/mm.h                                 |  116 +-
 include/linux/mm_types.h                           |   20 +
 include/linux/mmiotrace.h                          |    4 +-
 include/linux/mmzone.h                             |    2 +-
 include/linux/mod_devicetable.h                    |    6 +-
 include/linux/module.h                             |   60 +-
 include/linux/moduleloader.h                       |   16 +
 include/linux/moduleparam.h                        |    4 +-
 include/linux/namei.h                              |    6 +-
 include/linux/net.h                                |    2 +-
 include/linux/netdevice.h                          |    3 +-
 include/linux/netfilter.h                          |    2 +-
 include/linux/netfilter/ipset/ip_set.h             |    2 +-
 include/linux/netfilter/nfnetlink.h                |    2 +-
 include/linux/nls.h                                |    2 +-
 include/linux/notifier.h                           |    3 +-
 include/linux/oprofile.h                           |    4 +-
 include/linux/pci_hotplug.h                        |    3 +-
 include/linux/perf_event.h                         |   12 +-
 include/linux/pipe_fs_i.h                          |    8 +-
 include/linux/platform_data/usb-ehci-s5p.h         |    2 +-
 include/linux/platform_data/usb-ohci-exynos.h      |    2 +-
 include/linux/pm_domain.h                          |    2 +-
 include/linux/pm_runtime.h                         |    2 +-
 include/linux/pnp.h                                |    2 +-
 include/linux/poison.h                             |    4 +-
 include/linux/power/smartreflex.h                  |    2 +-
 include/linux/ppp-comp.h                           |    2 +-
 include/linux/proc_ns.h                            |    2 +-
 include/linux/random.h                             |    5 +
 include/linux/rculist.h                            |   16 +
 include/linux/reboot.h                             |   14 +-
 include/linux/regset.h                             |    3 +-
 include/linux/relay.h                              |    2 +-
 include/linux/rio.h                                |    2 +-
 include/linux/rmap.h                               |    4 +-
 include/linux/sched.h                              |   65 +-
 include/linux/sched/sysctl.h                       |    1 +
 include/linux/seq_file.h                           |    1 +
 include/linux/skbuff.h                             |   12 +-
 include/linux/slab.h                               |   42 +-
 include/linux/slab_def.h                           |   28 +-
 include/linux/slob_def.h                           |    4 +-
 include/linux/slub_def.h                           |    8 +-
 include/linux/sock_diag.h                          |    2 +-
 include/linux/sonet.h                              |    2 +-
 include/linux/sunrpc/addr.h                        |    8 +-
 include/linux/sunrpc/clnt.h                        |    2 +-
 include/linux/sunrpc/svc.h                         |    2 +-
 include/linux/sunrpc/svc_rdma.h                    |   18 +-
 include/linux/sunrpc/svcauth.h                     |    2 +-
 include/linux/swiotlb.h                            |    3 +-
 include/linux/syscalls.h                           |   10 +-
 include/linux/syscore_ops.h                        |    2 +-
 include/linux/sysctl.h                             |    6 +-
 include/linux/sysfs.h                              |   10 +-
 include/linux/sysrq.h                              |    3 +-
 include/linux/thread_info.h                        |    7 +
 include/linux/tty.h                                |    4 +-
 include/linux/tty_driver.h                         |    2 +-
 include/linux/tty_ldisc.h                          |    2 +-
 include/linux/types.h                              |   16 +
 include/linux/uaccess.h                            |    6 +-
 include/linux/unaligned/access_ok.h                |   24 +-
 include/linux/usb.h                                |    4 +-
 include/linux/usb/renesas_usbhs.h                  |    2 +-
 include/linux/vermagic.h                           |   21 +-
 include/linux/vmalloc.h                            |   11 +-
 include/linux/vmstat.h                             |   20 +-
 include/linux/xattr.h                              |    5 +-
 include/linux/zlib.h                               |    3 +-
 include/media/v4l2-dev.h                           |    2 +-
 include/net/9p/transport.h                         |    2 +-
 include/net/bluetooth/l2cap.h                      |    2 +-
 include/net/caif/cfctrl.h                          |    6 +-
 include/net/flow.h                                 |    2 +-
 include/net/genetlink.h                            |    2 +-
 include/net/gro_cells.h                            |    2 +-
 include/net/inet_connection_sock.h                 |    2 +-
 include/net/inetpeer.h                             |    8 +-
 include/net/ip.h                                   |    2 +-
 include/net/ip_fib.h                               |    2 +-
 include/net/ip_vs.h                                |    8 +-
 include/net/irda/ircomm_tty.h                      |    1 +
 include/net/iucv/af_iucv.h                         |    2 +-
 include/net/llc_c_ac.h                             |    2 +-
 include/net/llc_c_ev.h                             |    4 +-
 include/net/llc_c_st.h                             |    2 +-
 include/net/llc_s_ac.h                             |    2 +-
 include/net/llc_s_st.h                             |    2 +-
 include/net/mac80211.h                             |    2 +-
 include/net/neighbour.h                            |    2 +-
 include/net/net_namespace.h                        |   12 +-
 include/net/netdma.h                               |    2 +-
 include/net/netlink.h                              |    2 +-
 include/net/netns/conntrack.h                      |    6 +-
 include/net/netns/ipv4.h                           |    2 +-
 include/net/netns/ipv6.h                           |    2 +-
 include/net/protocol.h                             |    4 +-
 include/net/rtnetlink.h                            |    2 +-
 include/net/sctp/sctp.h                            |    6 +-
 include/net/sctp/sm.h                              |    4 +-
 include/net/sctp/structs.h                         |    2 +-
 include/net/sock.h                                 |    6 +-
 include/net/tcp.h                                  |    8 +-
 include/net/xfrm.h                                 |    8 +-
 include/rdma/iw_cm.h                               |    2 +-
 include/scsi/libfc.h                               |    3 +-
 include/scsi/scsi_device.h                         |    6 +-
 include/scsi/scsi_transport_fc.h                   |    3 +-
 include/sound/compress_driver.h                    |    2 +-
 include/sound/soc.h                                |    4 +-
 include/target/target_core_base.h                  |    2 +-
 include/trace/events/irq.h                         |    4 +-
 include/uapi/linux/a.out.h                         |    8 +
 include/uapi/linux/byteorder/little_endian.h       |   28 +-
 include/uapi/linux/elf.h                           |   28 +
 include/uapi/linux/screen_info.h                   |    3 +-
 include/uapi/linux/swab.h                          |    6 +-
 include/uapi/linux/sysctl.h                        |    6 +-
 include/uapi/linux/xattr.h                         |    4 +
 include/video/udlfb.h                              |    8 +-
 include/video/uvesafb.h                            |    1 +
 init/Kconfig                                       |    2 +-
 init/Makefile                                      |    3 +
 init/do_mounts.c                                   |   14 +-
 init/do_mounts.h                                   |    8 +-
 init/do_mounts_initrd.c                            |   30 +-
 init/do_mounts_md.c                                |    6 +-
 init/init_task.c                                   |    4 +
 init/initramfs.c                                   |   42 +-
 init/main.c                                        |   83 +-
 ipc/ipc_sysctl.c                                   |   10 +-
 ipc/mq_sysctl.c                                    |    2 +-
 ipc/msg.c                                          |   11 +-
 ipc/sem.c                                          |   11 +-
 ipc/shm.c                                          |   17 +-
 kernel/acct.c                                      |    2 +-
 kernel/audit.c                                     |    8 +-
 kernel/auditfilter.c                               |    2 +-
 kernel/auditsc.c                                   |    4 +-
 kernel/capability.c                                |    3 +
 kernel/compat.c                                    |   38 +-
 kernel/debug/debug_core.c                          |   16 +-
 kernel/debug/kdb/kdb_main.c                        |    4 +-
 kernel/events/core.c                               |   30 +-
 kernel/events/internal.h                           |   10 +-
 kernel/exit.c                                      |    4 +-
 kernel/fork.c                                      |  167 +-
 kernel/futex.c                                     |    9 +
 kernel/futex_compat.c                              |    2 +-
 kernel/gcov/base.c                                 |    7 +-
 kernel/hrtimer.c                                   |    4 +-
 kernel/irq_work.c                                  |    7 +-
 kernel/jump_label.c                                |    5 +
 kernel/kallsyms.c                                  |   39 +-
 kernel/kexec.c                                     |    3 +-
 kernel/kmod.c                                      |    4 +-
 kernel/kprobes.c                                   |    8 +-
 kernel/ksysfs.c                                    |    2 +-
 kernel/lockdep.c                                   |    7 +-
 kernel/module.c                                    |  337 +-
 kernel/mutex-debug.c                               |   12 +-
 kernel/mutex-debug.h                               |    4 +-
 kernel/mutex.c                                     |   11 +-
 kernel/notifier.c                                  |   17 +-
 kernel/panic.c                                     |    3 +-
 kernel/pid.c                                       |    2 +-
 kernel/pid_namespace.c                             |    2 +-
 kernel/posix-cpu-timers.c                          |    4 +-
 kernel/posix-timers.c                              |   22 +-
 kernel/power/process.c                             |   12 +-
 kernel/profile.c                                   |   14 +-
 kernel/ptrace.c                                    |    8 +-
 kernel/rcupdate.c                                  |    4 +-
 kernel/rcutiny.c                                   |    4 +-
 kernel/rcutiny_plugin.h                            |    2 +-
 kernel/rcutorture.c                                |   56 +-
 kernel/rcutree.c                                   |   76 +-
 kernel/rcutree.h                                   |   24 +-
 kernel/rcutree_plugin.h                            |   20 +-
 kernel/rcutree_trace.c                             |   22 +-
 kernel/rtmutex-tester.c                            |   24 +-
 kernel/sched/auto_group.c                          |    4 +-
 kernel/sched/core.c                                |   51 +-
 kernel/sched/fair.c                                |    4 +-
 kernel/sched/sched.h                               |    2 +-
 kernel/signal.c                                    |   12 +-
 kernel/smp.c                                       |    2 +-
 kernel/smpboot.c                                   |    4 +-
 kernel/softirq.c                                   |   18 +-
 kernel/srcu.c                                      |    4 +-
 kernel/sys.c                                       |   10 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/time.c                                      |    2 +-
 kernel/time/alarmtimer.c                           |    2 +-
 kernel/time/tick-broadcast.c                       |    2 +-
 kernel/time/timer_stats.c                          |   10 +-
 kernel/timer.c                                     |    6 +-
 kernel/trace/blktrace.c                            |    6 +-
 kernel/trace/ftrace.c                              |   18 +-
 kernel/trace/ring_buffer.c                         |   76 +-
 kernel/trace/trace.c                               |    2 +-
 kernel/trace/trace.h                               |    2 +-
 kernel/trace/trace_events.c                        |   25 +-
 kernel/trace/trace_mmiotrace.c                     |    8 +-
 kernel/trace/trace_output.c                        |   12 +-
 kernel/trace/trace_stack.c                         |    2 +-
 kernel/user_namespace.c                            |    2 +-
 kernel/utsname_sysctl.c                            |    2 +-
 kernel/watchdog.c                                  |    2 +-
 kernel/workqueue.c                                 |    2 +-
 lib/Kconfig.debug                                  |    8 +-
 lib/Makefile                                       |    2 +-
 lib/bitmap.c                                       |    8 +-
 lib/bug.c                                          |    2 +
 lib/debugobjects.c                                 |    2 +-
 lib/devres.c                                       |    4 +-
 lib/div64.c                                        |    4 +-
 lib/dma-debug.c                                    |    4 +-
 lib/inflate.c                                      |    2 +-
 lib/ioremap.c                                      |    4 +-
 lib/kobject.c                                      |    6 +-
 lib/list_debug.c                                   |  126 +-
 lib/radix-tree.c                                   |    2 +-
 lib/strncpy_from_user.c                            |    2 +-
 lib/strnlen_user.c                                 |    2 +-
 lib/swiotlb.c                                      |    2 +-
 lib/usercopy.c                                     |    6 +
 lib/vsprintf.c                                     |   12 +-
 mm/Kconfig                                         |    6 +-
 mm/backing-dev.c                                   |    4 +-
 mm/filemap.c                                       |    2 +-
 mm/fremap.c                                        |    5 +
 mm/highmem.c                                       |    7 +-
 mm/hugetlb.c                                       |   70 +-
 mm/internal.h                                      |    1 +
 mm/maccess.c                                       |    4 +-
 mm/madvise.c                                       |   41 +
 mm/memory-failure.c                                |   26 +-
 mm/memory.c                                        |  424 ++-
 mm/mempolicy.c                                     |   26 +
 mm/mlock.c                                         |   15 +-
 mm/mmap.c                                          |  606 ++-
 mm/mprotect.c                                      |  139 +-
 mm/mremap.c                                        |   44 +-
 mm/nommu.c                                         |   21 +-
 mm/page-writeback.c                                |    4 +-
 mm/page_alloc.c                                    |   41 +-
 mm/page_io.c                                       |    2 +-
 mm/percpu.c                                        |    2 +-
 mm/process_vm_access.c                             |   14 +-
 mm/rmap.c                                          |   38 +-
 mm/shmem.c                                         |   19 +-
 mm/slab.c                                          |   79 +-
 mm/slab.h                                          |    5 +-
 mm/slab_common.c                                   |   46 +-
 mm/slob.c                                          |  201 +-
 mm/slub.c                                          |   79 +-
 mm/sparse-vmemmap.c                                |    4 +-
 mm/sparse.c                                        |    2 +-
 mm/swap.c                                          |    3 +
 mm/swapfile.c                                      |   12 +-
 mm/util.c                                          |    6 +
 mm/vmalloc.c                                       |   77 +-
 mm/vmstat.c                                        |   12 +-
 net/8021q/vlan.c                                   |    5 +-
 net/9p/mod.c                                       |    4 +-
 net/9p/trans_fd.c                                  |    2 +-
 net/atm/atm_misc.c                                 |    8 +-
 net/atm/lec.h                                      |    2 +-
 net/atm/proc.c                                     |    6 +-
 net/atm/resources.c                                |    4 +-
 net/ax25/sysctl_net_ax25.c                         |    2 +-
 net/batman-adv/bat_iv_ogm.c                        |    8 +-
 net/batman-adv/hard-interface.c                    |    4 +-
 net/batman-adv/soft-interface.c                    |    4 +-
 net/batman-adv/types.h                             |    6 +-
 net/batman-adv/unicast.c                           |    2 +-
 net/bluetooth/hci_core.c                           |    8 +-
 net/bluetooth/hci_sock.c                           |    2 +-
 net/bluetooth/l2cap_core.c                         |    6 +-
 net/bluetooth/l2cap_sock.c                         |   12 +-
 net/bluetooth/rfcomm/sock.c                        |    4 +-
 net/bluetooth/rfcomm/tty.c                         |   10 +-
 net/bridge/netfilter/ebtables.c                    |    6 +-
 net/caif/cfctrl.c                                  |   11 +-
 net/can/af_can.c                                   |    2 +-
 net/can/gw.c                                       |    6 +-
 net/compat.c                                       |   34 +-
 net/core/datagram.c                                |    2 +-
 net/core/dev.c                                     |   16 +-
 net/core/flow.c                                    |    8 +-
 net/core/iovec.c                                   |    4 +-
 net/core/neighbour.c                               |    2 +-
 net/core/net-sysfs.c                               |    2 +-
 net/core/net_namespace.c                           |    8 +-
 net/core/rtnetlink.c                               |   13 +-
 net/core/scm.c                                     |    8 +-
 net/core/sock.c                                    |   24 +-
 net/core/sock_diag.c                               |    9 +-
 net/core/sysctl_net_core.c                         |   18 +-
 net/decnet/af_decnet.c                             |    1 +
 net/decnet/sysctl_net_decnet.c                     |    4 +-
 net/ipv4/af_inet.c                                 |    8 +-
 net/ipv4/ah4.c                                     |    2 +-
 net/ipv4/devinet.c                                 |   18 +-
 net/ipv4/esp4.c                                    |    2 +-
 net/ipv4/fib_frontend.c                            |    6 +-
 net/ipv4/fib_semantics.c                           |    2 +-
 net/ipv4/inet_connection_sock.c                    |    2 +-
 net/ipv4/inetpeer.c                                |    4 +-
 net/ipv4/ip_fragment.c                             |   15 +-
 net/ipv4/ip_gre.c                                  |    6 +-
 net/ipv4/ip_sockglue.c                             |    2 +-
 net/ipv4/ip_vti.c                                  |    4 +-
 net/ipv4/ipcomp.c                                  |    2 +-
 net/ipv4/ipconfig.c                                |    6 +-
 net/ipv4/ipip.c                                    |    4 +-
 net/ipv4/netfilter/arp_tables.c                    |   12 +-
 net/ipv4/netfilter/ip_tables.c                     |   12 +-
 net/ipv4/ping.c                                    |    2 +-
 net/ipv4/raw.c                                     |   14 +-
 net/ipv4/route.c                                   |   18 +-
 net/ipv4/sysctl_net_ipv4.c                         |   45 +-
 net/ipv4/tcp_input.c                               |    2 +-
 net/ipv4/tcp_probe.c                               |    2 +-
 net/ipv4/udp.c                                     |   10 +-
 net/ipv4/xfrm4_policy.c                            |   14 +-
 net/ipv6/addrconf.c                                |   12 +-
 net/ipv6/icmp.c                                    |    2 +-
 net/ipv6/ip6_gre.c                                 |    8 +-
 net/ipv6/ip6_tunnel.c                              |    4 +-
 net/ipv6/ipv6_sockglue.c                           |    2 +-
 net/ipv6/netfilter/ip6_tables.c                    |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   14 +-
 net/ipv6/raw.c                                     |   19 +-
 net/ipv6/reassembly.c                              |   13 +-
 net/ipv6/route.c                                   |    2 +-
 net/ipv6/sit.c                                     |    4 +-
 net/ipv6/sysctl_net_ipv6.c                         |    2 +-
 net/ipv6/udp.c                                     |    8 +-
 net/ipv6/xfrm6_policy.c                            |   13 +-
 net/irda/ircomm/ircomm_tty.c                       |   18 +-
 net/iucv/af_iucv.c                                 |    4 +-
 net/iucv/iucv.c                                    |    2 +-
 net/key/af_key.c                                   |    4 +-
 net/mac80211/cfg.c                                 |    8 +-
 net/mac80211/ieee80211_i.h                         |    3 +-
 net/mac80211/iface.c                               |   16 +-
 net/mac80211/main.c                                |    2 +-
 net/mac80211/pm.c                                  |    6 +-
 net/mac80211/rate.c                                |    2 +-
 net/mac80211/rc80211_pid_debugfs.c                 |    2 +-
 net/mac80211/util.c                                |    4 +-
 net/netfilter/ipset/ip_set_core.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                    |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                    |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                   |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                    |    4 +-
 net/netfilter/nf_conntrack_acct.c                  |    2 +-
 net/netfilter/nf_conntrack_ecache.c                |    2 +-
 net/netfilter/nf_conntrack_helper.c                |    2 +-
 net/netfilter/nf_conntrack_proto.c                 |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c            |    4 +-
 net/netfilter/nf_conntrack_standalone.c            |    2 +-
 net/netfilter/nf_conntrack_timestamp.c             |    2 +-
 net/netfilter/nf_log.c                             |   10 +-
 net/netfilter/nf_sockopt.c                         |    4 +-
 net/netfilter/nfnetlink_log.c                      |    4 +-
 net/netfilter/xt_statistic.c                       |    8 +-
 net/netlink/af_netlink.c                           |    4 +-
 net/netlink/genetlink.c                            |   16 +-
 net/packet/af_packet.c                             |   12 +-
 net/phonet/pep.c                                   |    6 +-
 net/phonet/socket.c                                |    2 +-
 net/phonet/sysctl.c                                |    2 +-
 net/rds/cong.c                                     |    6 +-
 net/rds/ib.h                                       |    2 +-
 net/rds/ib_cm.c                                    |    2 +-
 net/rds/ib_recv.c                                  |    4 +-
 net/rds/iw.h                                       |    2 +-
 net/rds/iw_cm.c                                    |    2 +-
 net/rds/iw_recv.c                                  |    4 +-
 net/rds/rds.h                                      |    2 +-
 net/rds/tcp.c                                      |    2 +-
 net/rds/tcp_send.c                                 |    2 +-
 net/rxrpc/af_rxrpc.c                               |    2 +-
 net/rxrpc/ar-ack.c                                 |   14 +-
 net/rxrpc/ar-call.c                                |    2 +-
 net/rxrpc/ar-connection.c                          |    2 +-
 net/rxrpc/ar-connevent.c                           |    2 +-
 net/rxrpc/ar-input.c                               |    4 +-
 net/rxrpc/ar-internal.h                            |    8 +-
 net/rxrpc/ar-local.c                               |    2 +-
 net/rxrpc/ar-output.c                              |    4 +-
 net/rxrpc/ar-peer.c                                |    2 +-
 net/rxrpc/ar-proc.c                                |    4 +-
 net/rxrpc/ar-transport.c                           |    2 +-
 net/rxrpc/rxkad.c                                  |    4 +-
 net/sctp/ipv6.c                                    |    6 +-
 net/sctp/protocol.c                                |   10 +-
 net/sctp/sm_sideeffect.c                           |    2 +-
 net/sctp/socket.c                                  |   21 +-
 net/sctp/sysctl.c                                  |    4 +-
 net/socket.c                                       |   18 +-
 net/sunrpc/clnt.c                                  |    4 +-
 net/sunrpc/sched.c                                 |    4 +-
 net/sunrpc/svc.c                                   |    6 +-
 net/sunrpc/xprtrdma/svc_rdma.c                     |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c            |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c              |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c           |   10 +-
 net/tipc/link.c                                    |    6 +-
 net/tipc/msg.c                                     |    2 +-
 net/tipc/subscr.c                                  |    2 +-
 net/unix/sysctl_net_unix.c                         |    2 +-
 net/wireless/wext-core.c                           |   19 +-
 net/xfrm/xfrm_policy.c                             |   27 +-
 net/xfrm/xfrm_state.c                              |   29 +-
 net/xfrm/xfrm_sysctl.c                             |    2 +-
 scripts/Makefile.build                             |    2 +-
 scripts/Makefile.clean                             |    3 +-
 scripts/Makefile.host                              |   28 +-
 scripts/basic/fixdep.c                             |   12 +-
 scripts/gcc-plugin.sh                              |   17 +
 scripts/headers_install.sh                         |    1 +
 scripts/link-vmlinux.sh                            |    2 +-
 scripts/mod/file2alias.c                           |   14 +-
 scripts/mod/modpost.c                              |   25 +-
 scripts/mod/modpost.h                              |    6 +-
 scripts/mod/sumversion.c                           |    2 +-
 scripts/package/builddeb                           |    1 +
 scripts/pnmtologo.c                                |    6 +-
 scripts/sortextable.h                              |    6 +-
 security/Kconfig                                   |  676 +++-
 security/apparmor/lsm.c                            |    2 +-
 security/integrity/ima/ima.h                       |    4 +-
 security/integrity/ima/ima_api.c                   |    2 +-
 security/integrity/ima/ima_fs.c                    |    4 +-
 security/integrity/ima/ima_queue.c                 |    2 +-
 security/keys/compat.c                             |    2 +-
 security/keys/internal.h                           |    2 +-
 security/keys/key.c                                |   18 +-
 security/keys/keyctl.c                             |    8 +-
 security/keys/keyring.c                            |    6 +-
 security/security.c                                |    9 +-
 security/selinux/hooks.c                           |    2 +-
 security/selinux/include/xfrm.h                    |    2 +-
 security/smack/smack_lsm.c                         |    2 +-
 security/tomoyo/tomoyo.c                           |    2 +-
 security/yama/yama_lsm.c                           |   22 +-
 sound/aoa/codecs/onyx.c                            |    7 +-
 sound/aoa/codecs/onyx.h                            |    1 +
 sound/core/oss/pcm_oss.c                           |   18 +-
 sound/core/pcm_compat.c                            |    2 +-
 sound/core/pcm_native.c                            |    4 +-
 sound/core/seq/seq_device.c                        |    8 +-
 sound/core/sound.c                                 |    2 +-
 sound/drivers/mts64.c                              |   14 +-
 sound/drivers/opl4/opl4_lib.c                      |    2 +-
 sound/drivers/portman2x4.c                         |    3 +-
 sound/firewire/amdtp.c                             |    4 +-
 sound/firewire/amdtp.h                             |    2 +-
 sound/firewire/isight.c                            |   10 +-
 sound/firewire/scs1x.c                             |    8 +-
 sound/oss/sb_audio.c                               |    2 +-
 sound/oss/swarm_cs4297a.c                          |    6 +-
 sound/pci/ymfpci/ymfpci.h                          |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                     |   12 +-
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 sound/sound_core.c                                 |    2 +-
 tools/gcc/.gitignore                               |    1 +
 tools/gcc/Makefile                                 |   45 +
 tools/gcc/checker_plugin.c                         |  172 +
 tools/gcc/colorize_plugin.c                        |  151 +
 tools/gcc/constify_plugin.c                        |  560 ++
 tools/gcc/generate_size_overflow_hash.sh           |   94 +
 tools/gcc/kallocstat_plugin.c                      |  170 +
 tools/gcc/kernexec_plugin.c                        |  465 ++
 tools/gcc/latent_entropy_plugin.c                  |  327 ++
 tools/gcc/size_overflow_hash.data                  | 5893 ++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                   | 2114 +++++++
 tools/gcc/stackleak_plugin.c                       |  327 ++
 tools/gcc/structleak_plugin.c                      |  277 +
 tools/perf/util/include/asm/alternative-asm.h      |    3 +
 tools/perf/util/include/linux/compiler.h           |    8 +
 virt/kvm/kvm_main.c                                |   32 +-
 1607 files changed, 30734 insertions(+), 7318 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 23:05:14 2013 -0400

    always enforce a non-zero gap for RAND_THREADSTACK

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 16:09:28 2013 -0400

    fix up file comparisons

 grsecurity/gracl_segv.c    |    2 +-
 grsecurity/grsec_sig.c     |    4 ++--
 include/linux/grinternal.h |   12 ++++++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

commit a1fff2c95162314626dd96bec71d951a8c1c4708
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:33:18 2013 -0400

    fix suid binary matching

 grsecurity/grsec_sig.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
Merge: 37b97a9 47beb61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:02:31 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:01:37 2013 -0400

    Update to pax-linux-3.9.9-test13.patch:
    - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
    - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)

 arch/arm/include/asm/uaccess.h |   20 ++++++++++----------
 arch/arm/kernel/armksyms.c     |    2 +-
 arch/arm/kernel/entry-armv.S   |    4 ++--
 arch/arm/mm/Kconfig            |    2 +-
 arch/x86/ia32/ia32entry.S      |    4 ++--
 arch/x86/include/asm/page.h    |    1 +
 arch/x86/kernel/entry_32.S     |    4 ++--
 arch/x86/kernel/entry_64.S     |    8 ++++----
 arch/x86/kernel/head64.c       |   12 ++++++------
 arch/x86/kernel/head_64.S      |   16 ++++++++++++----
 arch/x86/mm/init.c             |    8 ++++++++
 arch/x86/mm/init_32.c          |    6 ------
 arch/x86/mm/init_64.c          |    6 ------
 arch/x86/platform/efi/efi_32.c |    5 +++++
 arch/x86/platform/efi/efi_64.c |   10 ++++++++++
 15 files changed, 64 insertions(+), 44 deletions(-)

commit 89085d2d0643813a62f23d1199a335dc1e129bc0
Merge: 963af7f 0adf2e7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 14:55:44 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:46:02 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:29:51 2013 -0400

    update log arguments

 grsecurity/grsec_sig.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:20:23 2013 -0400

    Update logging of suid exec ban
    
    Conflicts:
    
        grsecurity/grsec_sig.c

 grsecurity/grsec_sig.c |    3 +--
 include/linux/grmsg.h  |    1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

commit ef808866c070aa1901bd2224521baaf5d145a3a7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 12:58:33 2013 -0400

    Additional improvements to the user banning code:
    
    Separate the kernel-bruteforcing case from the suid bruteforcing case
    In the suid bruteforcing case, only kill existing copies of the bruteforced
    binary.  Instead of preventing all future execs by this user, prevent them
    from executing any suid/sgid binaries for the next 15 minutes.
    
    Kernel case is mostly unchanged from before, except the task trying to change
    real uid to the banned user will be terminated instead of failing the setuid
    call.
    
    Configuration help has been updated to reflect the new changes.

 fs/exec.c                  |   13 +++++---
 grsecurity/Kconfig         |    5 ++-
 grsecurity/gracl.c         |    6 ++--
 grsecurity/grsec_sig.c     |   76 ++++++++++++++++++++++++++------------------
 include/linux/grsecurity.h |    1 -
 include/linux/sched.h      |    9 +++--
 6 files changed, 65 insertions(+), 45 deletions(-)

commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 16:14:09 2013 -0400

    fix renamed export of csum_partial_copy_from_user, as reported by fabled
    on the forums

 arch/arm/kernel/armksyms.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 318235973c2a548c3d25562645d6b69f66e85934
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 16:09:16 2013 -0400

    make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
    reported on the forums by fabled

 arch/arm/mm/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 15:53:12 2013 -0400

    Revise the user ban code to kill the process issuing a banned
    set*id instead of returning an error.  For the sake of keeping
    unified user banning between the suid and kernel bruteforce case,
    we will apply this killing to the suid bruteforce case, despite
    a check just at exec time (that already existed) being sufficient.
    
    Returning an error could enable exploitation of the "failure to check
    setuid return value" case which was recently effectively closed
    upstream, albeit in a rare situation with a suitable binary and
    two colluding users.
    
    Many thanks to stealth for reviewing the user ban code.

 grsecurity/gracl.c     |    4 ++--
 grsecurity/grsec_sig.c |   16 +++++++++++++---
 2 files changed, 15 insertions(+), 5 deletions(-)

commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Date:   Fri Jun 28 14:15:15 2013 +0300

    Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
    
    UBIFS: fix a horrid bug
    
    Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
    mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
    in the middle of 'ubifs_readdir()'.
    
    This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
    it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
    but this may corrupt memory and lead to all kinds of problems like crashes an
    security holes.
    
    This patch fixes the problem by using the 'file->f_version' field, which
    '->llseek()' always unconditionally sets to zero. We set it to 1 in
    'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
    seek and it is time to clear the state saved in 'file->private_data'.
    
    I tested this patch by writing a user-space program which runds readdir and
    seek in parallell. I could easily crash the kernel without these patches, but
    could not crash it with these patches.
    
    Cc: stable@vger.kernel.org
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/ubifs/dir.c |   30 +++++++++++++++++++++++++++---
 1 files changed, 27 insertions(+), 3 deletions(-)

commit c22280b85088978bd8b45bd23096879459b48008
Author: Stephane Eranian <eranian@google.com>
Date:   Thu Jun 20 11:36:28 2013 +0200

    Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
    
    perf: Disable monitoring on setuid processes for regular users
    
    There was a a bug in setup_new_exec(), whereby
    the test to disabled perf monitoring was not
    correct because the new credentials for the
    process were not yet committed and therefore
    the get_dumpable() test was never firing.
    
    The patch fixes the problem by moving the
    perf_event test until after the credentials
    are committed.
    
    Signed-off-by: Stephane Eranian <eranian@google.com>
    Tested-by: Jiri Olsa <jolsa@redhat.com>
    Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 fs/exec.c |   16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 29 13:10:02 2013 -0400

    on context switch, make sure we switch DACR when domain support and
    KERNEXEC is disabled but UDEREF is enabled

 arch/arm/kernel/entry-armv.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 08d017fa51370921694ce087b28c96fec92993d4
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jun 23 17:26:58 2013 +0300

    Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
    
    macvtap: fix recovery from gup errors
    
    get user pages might fail partially in macvtap zero copy
    mode. To recover we need to put all pages that we got,
    but code used a wrong index resulting in double-free
    errors.
    
    Reported-by: Brad Hubbard <bhubbard@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jun 23 17:19:03 2013 +0300

    Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
    
    tun: fix recovery from gup errors
    
    get user pages might fail partially in tun zero copy
    mode. To recover we need to put all pages that we got,
    but code used a wrong index resulting in double-free
    errors.
    
    Reported-by: Brad Hubbard <bhubbard@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
Author: Balazs Peter Odor <balazs@obiserver.hu>
Date:   Sat Jun 22 19:24:43 2013 +0200

    Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
    
    netfilter: nf_nat_sip: fix mangling
    
    In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
    there were some missing brackets around the logging information, thus
    always returning drop.
    
    Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
    
    Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_nat_sip.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
Date:   Sun Jun 2 16:30:40 2013 -0400

    Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
    
    Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
    
    If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
    controller, memory corruption happens due to a memcpy() call with
    negative length.
    
    Fix this crash on either incoming or outgoing connections with a MTU
    smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
    
    [   46.885433] BUG: unable to handle kernel paging request at f56ad000
    [   46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
    [   46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
    [   46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
    [   46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
    [   46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
    [   46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [   46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
    [   46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
    [   46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
    [   46.888037] EIP is at memcpy+0x1d/0x40
    [   46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
    [   46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
    [   46.888037]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    [   46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
    [   46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    [   46.888037] DR6: ffff0ff0 DR7: 00000400
    [   46.888037] Stack:
    [   46.888037]  fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
    [   46.888037]  f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
    [   46.888037]  f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
    [   46.888037] Call Trace:
    [   46.888037]  [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
    [   46.888037]  [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
    [   46.888037]  [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
    [   46.888037]  [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064ad20>] ? mutex_lock_nested+0x280/0x360
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<c064ad08>] ? mutex_lock_nested+0x268/0x360
    [   46.888037]  [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
    [   46.888037]  [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
    [   46.888037]  [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
    [   46.888037]  [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
    [   46.888037]  [<c0158979>] process_one_work+0x1a9/0x600
    [   46.888037]  [<c01588fb>] ? process_one_work+0x12b/0x600
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c0159187>] worker_thread+0xf7/0x320
    [   46.888037]  [<c0159090>] ? rescuer_thread+0x290/0x290
    [   46.888037]  [<c01602f8>] kthread+0xa8/0xb0
    [   46.888037]  [<c0656777>] ret_from_kernel_thread+0x1b/0x28
    [   46.888037]  [<c0160250>] ? flush_kthread_worker+0x120/0x120
    [   46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
    [   46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
    [   46.888037] CR2: 00000000f56ad000
    [   46.888037] ---[ end trace 0217c1f4d78714a9 ]---
    
    Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 net/bluetooth/l2cap_core.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b0471b6c1160858fc646d8e94628fd1299f61692
Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
Date:   Fri Jun 21 19:55:11 2013 +0530

    Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
    
    Bluetooth: Fix invalid length check in l2cap_information_rsp()
    
    The length check is invalid since the length varies with type of
    info response.
    
    This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
    
    Because of this, l2cap info rsp is not handled and command reject is sent.
    
    > ACL data: handle 11 flags 0x02 dlen 16
            L2CAP(s): Info rsp: type 2 result 0
              Extended feature mask 0x00b8
                Enhanced Retransmission mode
                Streaming mode
                FCS Option
                Fixed Channels
    < ACL data: handle 11 flags 0x00 dlen 10
            L2CAP(s): Command rej: reason 0
              Command not understood
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
    Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
    Acked-by: Johan Hedberg <johan.hedberg@intel.com>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>

 net/bluetooth/l2cap_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4184af98c360d825e638b268b1a9847232e8d299
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jun 26 04:15:07 2013 -0700

    Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
    
    ipv6: ip6_sk_dst_check() must not assume ipv6 dst
    
    It's possible to use AF_INET6 sockets and to connect to an IPv4
    destination. After this, socket dst cache is a pointer to a rtable,
    not rt6_info.
    
    ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
    various corruptions/crashes can happen.
    
    Dave Jones can reproduce immediate crash with
    trinity -q -l off -n -c sendmsg -c connect
    
    With help from Hannes Frederic Sowa
    
    Reported-by: Dave Jones <davej@redhat.com>
    Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:29:54 2013 +0800

    Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
    
    dlci: acquire rtnl_lock before calling __dev_get_by_name()
    
    Otherwise the net device returned can be freed at anytime.
    
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

commit 1fe6f23c9acd14d832d056909ff326bde418e645
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:31:58 2013 +0800

    Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
    
    dlci: validate the net device in dlci_del()
    
    We triggered an oops while running trinity with 3.4 kernel:
    
    BUG: unable to handle kernel paging request at 0000000100000d07
    IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
    PGD 640c0d067 PUD 0
    Oops: 0000 [#1] PREEMPT SMP
    CPU 3
    ...
    Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285          /BC11BTSA
    RIP: 0010:[<ffffffffa0109738>]  [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
    ...
    Call Trace:
      [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
      [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
      [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
      [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
      [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
    ...
    
    It's because the net device is not a dlci device.
    
    Reported-by: Li Jinyue <lijinyue@huawei.com>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit 4d4464407611527ef6b6b5475cfcab6121b3da66
Merge: 59571a9 963af7f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 27 18:54:52 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 963af7f7f591759b731ce6325ceb583a72fcf423
Merge: c51e25a 55db48a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 27 18:54:42 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 59571a9db7485f530a1e865a13cacc4c991ec41f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:39:08 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: Steffen Klassert <steffen.klassert@secunet.com>,
            "David S. Miller" <davem@davemloft.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
            Herbert Xu <herbert@gondor.apana.org.au>
    Subject: [PATCH] af_key: fix info leaks in notify messages
    
    key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
    the sadb_msg_reserved member of the broadcasted message and thereby
    leak 2 bytes of heap memory to listeners. Fix that.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>

 net/key/af_key.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:33:06 2013 -0400

    update rand_threadstack code to continue the search for a gap if the first
    choice doesn't have enough space, instead of returning ENOMEM

 mm/mmap.c |   17 ++++++++++-------
 1 files changed, 10 insertions(+), 7 deletions(-)

commit 87020d4a4d83038d65ff1fd519938840f6888b9e
Merge: 2682346 c51e25a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:25:32 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c51e25a23f30a1198076bd085f19b2073caf164d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:24:54 2013 -0400

    Update to pax-linux-3.9.7-test12.patch:
    - fixed a regression on PARAVIRT/amd64 kernels
    - simplified the recent vm_unmapped_area_info based change

 arch/x86/kernel/entry_64.S |    8 ++++----
 mm/mmap.c                  |   22 ++++++++++++----------
 2 files changed, 16 insertions(+), 14 deletions(-)

commit 26823469a08e59cb67bea18d448d9e8c65f82e08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 21:26:51 2013 -0400

    re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
    vm_unmapped_area code is complete

 arch/x86/kernel/sys_i386_32.c |    5 +++++
 grsecurity/Kconfig            |    2 +-
 mm/mmap.c                     |   11 ++++++++++-
 3 files changed, 16 insertions(+), 2 deletions(-)

commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
Merge: e58fe8c c4e0704
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:08:52 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kernel/sys_i386_32.c

commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:05:39 2013 -0400

    Update to pax-linux-3.9.7-test11.patch:
    - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
    - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
    - fixed the recent nested nmi related fixes some more
    - fixed a regression in kernel memory initialization on relocatable i386 kernels
    - empty_zero_page can be read-only on amd64 as well

 arch/arm/mm/mmap.c            |    6 --
 arch/x86/kernel/entry_64.S    |    8 +--
 arch/x86/kernel/head_64.S     |    1 -
 arch/x86/kernel/setup.c       |    2 +-
 arch/x86/kernel/sys_i386_32.c |  160 ++++++++++++----------------------------
 drivers/lguest/core.c         |    2 +-
 include/linux/mm.h            |    6 +-
 include/linux/vmalloc.h       |    2 +-
 mm/mmap.c                     |   30 +++++++-
 9 files changed, 83 insertions(+), 134 deletions(-)

commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 23 14:37:14 2013 -0400

    second compile fix, reported by forsaken on forums

 include/linux/vmalloc.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 23 14:36:35 2013 -0400

    compile fix, reported by KDE on forums

 kernel/printk.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit 1fc9a5e2e267205d28302e1e86ca0da434561111
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun Jun 16 21:27:12 2013 +0100

    Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
    
    x86/efi: Fix dummy variable buffer allocation
    
    1. Check for allocation failure
    2. Clear the buffer contents, as they may actually be written to flash
    3. Don't leak the buffer
    
    Compile-tested only.
    
    [ Tested successfully on my buggy ASUS machine - Matt ]
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Matt Fleming <matt.fleming@intel.com>

 arch/x86/platform/efi/efi.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
Author: Dave Kleikamp <dave.kleikamp@oracle.com>
Date:   Tue Jun 18 09:05:36 2013 -0500

    Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
    
    sparc: tsb must be flushed before tlb
    
    This fixes a race where a cpu may re-load a tlb from a stale tsb right
    after it has been flushed by a remote function call.
    
    I still see some instability when stressing the system with parallel
    kernel builds while creating memory pressure by writing to
    /proc/sys/vm/nr_hugepages, but this patch improves the stability
    significantly.
    
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Acked-by: Bob Picco <bob.picco@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/tlb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d93b62f6485db9aadda34322a6867868db07f56f
Merge: 4ef62f5 71d83e9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:52:55 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 71d83e97c936563913bcfb5a25c45b2021a331eb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:48:42 2013 -0400

    Update to pax-linux-3.9.7-test10.patch:
    - fixed a few format string problems uncovered by -Wformat-nonliteral
    - another attempt at fixing the nested nmi/cr0.wp problem
    - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
    - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
    - fixed a locking issue with track_exec_limit reported by spender
    - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)

 Documentation/dontdiff                  |    1 +
 arch/x86/boot/compressed/efi_stub_32.S  |   16 ++-----
 arch/x86/kernel/cpu/mcheck/mce.c        |    2 +-
 arch/x86/kernel/e820.c                  |    4 +-
 arch/x86/kernel/entry_64.S              |   74 ++++++++++++++++++------------
 arch/x86/kernel/vmlinux.lds.S           |    2 +-
 block/genhd.c                           |   11 +++--
 crypto/algapi.c                         |    2 +-
 crypto/pcrypt.c                         |    6 +-
 drivers/base/attribute_container.c      |    2 +-
 drivers/base/power/sysfs.c              |    2 +-
 drivers/block/nbd.c                     |    2 +-
 drivers/cdrom/cdrom.c                   |    2 +-
 drivers/char/hw_random/intel-rng.c      |    2 +-
 drivers/char/mem.c                      |    2 +-
 drivers/devfreq/devfreq.c               |    2 +-
 drivers/gpu/drm/drm_encoder_slave.c     |    6 +--
 drivers/gpu/drm/drm_sysfs.c             |    2 +-
 drivers/gpu/drm/ttm/ttm_memory.c        |    4 +-
 drivers/iommu/irq_remapping.c           |    2 +-
 drivers/video/output.c                  |    2 +-
 fs/ext4/mmp.c                           |    2 +-
 fs/ext4/super.c                         |    2 +-
 fs/lockd/svc.c                          |    2 +-
 fs/nfs/callback.c                       |    4 +-
 fs/nfs/nfs4state.c                      |    2 +-
 fs/nfsd/nfscache.c                      |    3 +-
 init/initramfs.c                        |    2 +-
 kernel/rcutree.c                        |    2 +-
 lib/kobject.c                           |    2 +-
 mm/backing-dev.c                        |    4 +-
 mm/mmap.c                               |    4 +-
 mm/slub.c                               |    2 +-
 mm/vmalloc.c                            |   15 +++----
 net/bluetooth/hci_core.c                |    8 ++--
 net/netfilter/nf_conntrack_proto_dccp.c |    4 +-
 net/sunrpc/svc.c                        |    2 +-
 security/Kconfig                        |   15 +++---
 sound/core/sound.c                      |    2 +-
 sound/sound_core.c                      |    2 +-
 40 files changed, 116 insertions(+), 111 deletions(-)

commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
Merge: 39efd8f 256eff7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:45:15 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        kernel/printk.c

commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
Merge: e6e3059 485f25f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 20 22:14:24 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 18 17:20:18 2013 -0400

    add apparmor compat patch

 security/apparmor/Kconfig      |    9 ++
 security/apparmor/apparmorfs.c |  231 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 240 insertions(+), 0 deletions(-)

commit 49bee3c5341687504669bf62becf4a419a226ba0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 17 18:48:04 2013 -0400

    Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
    
    This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.

 kernel/sys.c |   29 +++--------------------------
 1 files changed, 3 insertions(+), 26 deletions(-)

commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Sun Jun 16 18:06:06 2013 +0100

    Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
    
    lseek(fd, n, SEEK_END) does *not* go to eof - n
    
    When you copy some code, you are supposed to read it.  If nothing else,
    there's a chance to spot and fix an obvious bug instead of sharing it...
    
    X-Song: "I Got It From Agnes", by Tom Lehrer
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    [ Tom Lehrer? You're dating yourself, Al ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/net/ethernet/brocade/bna/bnad_debugfs.c |    2 +-
 drivers/scsi/bfa/bfad_debugfs.c                 |    2 +-
 drivers/scsi/fnic/fnic_debugfs.c                |    2 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                |    2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

commit 5a450f1c46f0c84379518aee878993d3f4a331b6
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Thu Jun 6 11:14:31 2013 -0400

    Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
    
    ext4: verify group number in verify_group_input() before using it
    
    Check the group number for sanity earilier, before calling routines
    such as ext4_bg_has_super() or ext4_group_overhead_blocks().
    
    Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

 fs/ext4/resize.c |   17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Wed Jun 12 14:26:44 2013 -0400

    Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
    
    sctp: fully initialize sctp_outq in sctp_outq_init
    
    In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
    (refactor sctp_outq_teardown to insure proper re-initalization)
    we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
    outq structure.  Steve West recently asked me why I removed the q->error = 0
    initalization from sctp_outq_teardown.  I did so because I was operating under
    the impression that sctp_outq_init would properly initalize that value for us,
    but it doesn't.  sctp_outq_init operates under the assumption that the outq
    struct is all 0's (as it is when called from sctp_association_init), but using
    it in __sctp_outq_teardown violates that assumption. We should do a memset in
    sctp_outq_init to ensure that the entire structure is in a known state there
    instead.
    
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
    CC: Vlad Yasevich <vyasevich@gmail.com>
    CC: netdev@vger.kernel.org
    CC: davem@davemloft.net
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/sctp/outqueue.c

 net/sctp/outqueue.c |    8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit e13515ad7a9c7634599a105b2527752e527a905d
Author: Saurabh Mohan <saurabh@vyatta.com>
Date:   Mon Jun 10 17:45:10 2013 -0700

    Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
    
    net/ipv4: ip_vti clear skb cb before tunneling.
    
    If users apply shaper to vti tunnel then it will cause a kernel crash. The
    problem seems to be due to the vti_tunnel_xmit function not clearing
    skb->opt field before passing the packet to xfrm tunneling code.
    
    Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
    Acked-by: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_vti.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:36 2013 +0200

    Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
    
    l2tp: Fix sendmsg() return value
    
    PPPoL2TP sockets should comply with the standard send*() return values
    (i.e. return number of bytes sent instead of 0 upon success).
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit af361b412e816e894fb42ddff7a0545b7def64c0
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:23 2013 +0200

    Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
    
    l2tp: Fix PPP header erasure and memory leak
    
    Copy user data after PPP framing header. This prevents erasure of the
    added PPP header and avoids leaking two bytes of uninitialised memory
    at the end of skb's data buffer.
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1f43aca088c35dda35abf76e08544e534c71fed4
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed Jun 12 16:02:27 2013 +0200

    Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
    
    packet: packet_getname_spkt: make sure string is always 0-terminated
    
    uaddr->sa_data is exactly of size 14, which is hard-coded here and
    passed as a size argument to strncpy(). A device name can be of size
    IFNAMSIZ (== 16), meaning we might leave the destination string
    unterminated. Thus, use strlcpy() and also sizeof() while we're
    at it. We need to memset the data area beforehand, since strlcpy
    does not padd the remaining buffer with zeroes for user space, so
    that we do not possibly leak anything.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/packet/af_packet.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Jun 5 19:38:26 2013 +0000

    Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
    
    net: Unbreak compat_sys_{send,recv}msg
    
    I broke them in this commit:
    
        commit 1be374a0518a288147c6a7398792583200a67261
        Author: Andy Lutomirski <luto@amacapital.net>
        Date:   Wed May 22 14:07:44 2013 -0700
    
            net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
    MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints.  It
    also reverts some unnecessary checks in sys_socketcall.
    
    Apparently I was suffering from underscore blindness the first time around.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Tested-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/socket.h |    3 ++
 net/compat.c           |   13 +++++++-
 net/socket.c           |   72 ++++++++++++++++++++++--------------------------
 3 files changed, 47 insertions(+), 41 deletions(-)

commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed May 22 14:07:44 2013 -0700

    Upstream commit: 1be374a0518a288147c6a7398792583200a67261
    
    net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    To: linux-kernel@vger.kernel.org
    Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
        Miller" <davem@davemloft.net>
    Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
    it's a hack that steals a bit to indicate to other networking code
    that a compat entry was used.  So don't allow it from a non-compat
    syscall.
    
    This prevents an oops when running this code:
    
    int main()
    {
        int s;
        struct sockaddr_in addr;
        struct msghdr *hdr;
    
        char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
                              PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
        if (highpage == MAP_FAILED)
                err(1, "mmap");
    
        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if (s == -1)
                err(1, "socket");
    
            addr.sin_family = AF_INET;
            addr.sin_port = htons(1);
            addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
                err(1, "connect");
    
        void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
        printf("Evil address is %p\n", evil);
    
        if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
                err(1, "sendmmsg");
    
        return 0;
    }
    
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/socket.c |   33 +++++++++++++++++++++++++++++++--
 1 files changed, 31 insertions(+), 2 deletions(-)

commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
Author: Kees Cook <keescook@chromium.org>
Date:   Fri May 10 14:48:21 2013 -0700

    Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
    
    b43: stop format string leaking into error msgs
    
    The module parameter "fwpostfix" is userspace controllable, unfiltered,
    and is used to define the firmware filename. b43_do_request_fw() populates
    ctx->errors[] on error, containing the firmware filename. b43err()
    parses its arguments as a format string. For systems with b43 hardware,
    this could lead to a uid-0 to ring-0 escalation.
    
    CVE-2013-2852
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/b43/main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dfb67a67049ace7b94ad7e2febfac69816d50d85
Author: Mark A. Greer <mgreer@animalcreek.com>
Date:   Wed May 29 12:25:34 2013 -0700

    Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
    
    mwifiex: debugfs: Fix out of bounds array access
    
    When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
    the following panic occurs:
    
    $ cat /sys/kernel/debug/mwifiex/p2p0/info
    Unable to handle kernel paging request at virtual address 74706164
    pgd = de530000
    [74706164] *pgd=00000000
    Internal error: Oops: 5 [#1] SMP ARM
    Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
    CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
    task: de16b6c0 ti: de048000 task.ti: de048000
    PC is at strnlen+0xc/0x4c
    LR is at string+0x3c/0xf8
    pc : [<c02c123c>]    lr : [<c02c2d1c>]    psr: a0000013
    sp : de049e10  ip : c06efba0  fp : de6d2092
    r10: bf01a260  r9 : ffffffff  r8 : 74706164
    r7 : 0000ffff  r6 : ffffffff  r5 : de6d209c  r4 : 00000000
    r3 : ff0a0004  r2 : 74706164  r1 : ffffffff  r0 : 74706164
    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 9e530019  DAC: 00000015
    Process cat (pid: 1635, stack limit = 0xde048240)
    Stack: (0xde049e10 to 0xde04a000)
    9e00:                                     de6d2092 00000002 bf01a25e de6d209c
    9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
    9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
    9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
    9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
    9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
    9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
    9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
    9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
    9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
    9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
    9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
    9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
    9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
    [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
    [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
    [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
    [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
    [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
    [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
    [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
    Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
    ---[ end trace ca98273dc605a04f ]---
    
    The panic is caused by the mwifiex_info_read() routine assuming that
    there can only be four modes (0-3) which is an invalid assumption.
    For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
    code accesses data beyond the bounds of the bss_modes[] array which
    causes the panic.  Fix this by updating bss_modes[] to support the
    current list of modes and adding a check to prevent the out-of-bounds
    access from occuring in the future when more modes are added.
    
    Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
    Acked-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/mwifiex/debugfs.c |   22 +++++++++++++++++-----
 1 files changed, 17 insertions(+), 5 deletions(-)

commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
Author: Johan Hedberg <johan.hedberg@intel.com>
Date:   Tue May 28 13:46:30 2013 +0300

    Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
    
    Bluetooth: Fix missing length checks for L2CAP signalling PDUs
    
    There has been code in place to check that the L2CAP length header
    matches the amount of data received, but many PDU handlers have not been
    checking that the data received actually matches that expected by the
    specific PDU. This patch adds passing the length header to the specific
    handler functions and ensures that those functions fail cleanly in the
    case of an incorrect amount of data.
    
    Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 net/bluetooth/l2cap_core.c |   70 ++++++++++++++++++++++++++++++++-----------
 1 files changed, 52 insertions(+), 18 deletions(-)

commit 628be2427afb241b5a1aa24bc5907d05287e1f25
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Jun 3 12:00:49 2013 +0300

    Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
    
    ipvs: info leak in __ip_vs_get_dest_entries()
    
    The entry struct has a 2 byte hole after ->port and another 4 byte
    hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
    namespace to hit this information leak.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/ipvs/ip_vs_ctl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 066d9226bc6c569d5f420c978b758e0bddd23444
Author: Robin Holt <holt@sgi.com>
Date:   Wed Jun 12 14:04:37 2013 -0700

    Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
    
    reboot: rigrate shutdown/reboot to boot cpu
    
    We recently noticed that reboot of a 1024 cpu machine takes approx 16
    minutes of just stopping the cpus.  The slowdown was tracked to commit
    f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
    kernel_restart()").
    
    The current implementation does all the work of hot removing the cpus
    before halting the system.  We are switching to just migrating to the
    boot cpu and then continuing with shutdown/reboot.
    
    This also has the effect of not breaking x86's command line parameter
    for specifying the reboot cpu.  Note, this code was shamelessly copied
    from arch/x86/kernel/reboot.c with bits removed pertaining to the
    reboot_cpu command line parameter.
    
    Signed-off-by: Robin Holt <holt@sgi.com>
    Tested-by: Shawn Guo <shawn.guo@linaro.org>
    Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@elte.hu>
    Cc: Russ Anderson <rja@sgi.com>
    Cc: Robin Holt <holt@sgi.com>
    Cc: Russell King <linux@arm.linux.org.uk>
    Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sys.c |   29 ++++++++++++++++++++++++++---
 1 files changed, 26 insertions(+), 3 deletions(-)

commit 94e2a91600b07d39825e7059195f35eb611a39a2
Merge: 20cc761 e6e3059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 13 16:23:46 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
Merge: c6aadb1 4b73feb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 13 16:23:39 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 20cc7613e38cde07adc73179a91d6c15292e8d43
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jun 6 15:53:47 2013 +0200

    Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
    
    net: sctp: fix NULL pointer dereference in socket destruction
    
    While stress testing sctp sockets, I hit the following panic:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
    IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
    PGD 7cead067 PUD 7ce76067 PMD 0
    Oops: 0000 [#1] SMP
    Modules linked in: sctp(F) libcrc32c(F) [...]
    CPU: 7 PID: 2950 Comm: acc Tainted: GF            3.10.0-rc2+ #1
    Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
    task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
    RIP: 0010:[<ffffffffa0490c4e>]  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
    RSP: 0018:ffff88007b569e08  EFLAGS: 00010292
    RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
    RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
    RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
    R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
    FS:  00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Stack:
     ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
     ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
     0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
    Call Trace:
     [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
     [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
     [<ffffffff814df36e>] inet_create+0x2ae/0x350
     [<ffffffff81455a6f>] __sock_create+0x11f/0x240
     [<ffffffff81455bf0>] sock_create+0x30/0x40
     [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
     [<ffffffff815403be>] ? do_page_fault+0xe/0x10
     [<ffffffff8153cb32>] ? page_fault+0x22/0x30
     [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
    Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
          1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
          8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
    RIP  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
     RSP <ffff88007b569e08>
    CR2: 0000000000000020
    ---[ end trace e0d71ec1108c1dd9 ]---
    
    I did not hit this with the lksctp-tools functional tests, but with a
    small, multi-threaded test program, that heavily allocates, binds,
    listens and waits in accept on sctp sockets, and then randomly kills
    some of them (no need for an actual client in this case to hit this).
    Then, again, allocating, binding, etc, and then killing child processes.
    
    This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
    is set. The cause for that is actually very simple: in sctp_endpoint_init()
    we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
    our crypto transforms through crypto_alloc_hash(). In our scenario,
    it then can happen that crypto_alloc_hash() fails with -EINTR from
    crypto_larval_wait(), thus we bail out and release the socket via
    sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
    dereference as soon as we try to access members in the endpoint during
    sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
    if we have that case, we do not need to do any cleanup work and just
    leave the destruction handler.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 386ba837978cc8a1111440bdcd8600f2df4634a4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 12 20:37:48 2013 -0400

    fix deadlock when booting i386 kernel without NX

 mm/mmap.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 22:18:07 2013 -0400

    fix elif / elif defined() typo in recent change

 kernel/events/core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit bc43377e1e757cd37a06be0187884a42af718aab
Merge: 3cdea63 c6aadb1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 18:50:39 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 18:49:36 2013 -0400

    Update to pax-linux-3.9.4-test9.patch:
    - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
    - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort

 arch/x86/kernel/setup.c |    2 +-
 mm/mlock.c              |    1 -
 2 files changed, 1 insertions(+), 2 deletions(-)

commit 3cdea63e90607d8d55820b101854091623feedb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:21:44 2013 -0400

    Fix fanotify infoleak reported by Dan Carpenter at:
    https://lkml.org/lkml/2013/6/3/128
    
    Requires CAP_SYS_ADMIN, so this is about as low priority as it gets

 fs/notify/fanotify/fanotify_user.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 373a2b5df78f82b9d3db72bd6577e29a71591323
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:16:46 2013 -0400

    Backport infoleak fix by Dan Carpenter in cpqarray:
    https://lkml.org/lkml/2013/6/3/131

 drivers/block/cpqarray.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 251e84b9b05e063981b20be154c9389862f94759
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:04:17 2013 -0400

    Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2

 drivers/cdrom/cdrom.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 18:34:32 2013 -0400

    change const to __read_only

 kernel/sysctl.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 17:34:13 2013 -0400

    compile fix, make const values const

 kernel/sysctl.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 17:37:13 2013 -0400

    Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a

 drivers/char/mwave/tp3780i.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1c590aa70c95ebd76ba9672aa23d800b81780615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 19:50:35 2013 -0400

    allow -1 perf_event_paranoid

 kernel/sysctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
Merge: 4e85539 117c3fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 17:30:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 117c3fa8d26c3806103123560f807d99071b60b6
Merge: ed9b427 5dd2e98
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 17:30:00 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon May 13 21:25:52 2013 +0000

    Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
    
    tcp: fix tcp_md5_hash_skb_data()
    
    TCP md5 communications fail [1] for some devices, because sg/crypto code
    assume page offsets are below PAGE_SIZE.
    
    This was discovered using mlx4 driver [2], but I suspect loopback
    might trigger the same bug now we use order-3 pages in tcp_sendmsg()
    
    [1] Failure is giving following messages.
    
    huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
    exited with 00000101?
    
    [2] mlx4 driver uses order-2 pages to allocate RX frags
    
    Reported-by: Matt Schnall <mischnal@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Bernhard Beck <bbeck@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri May 17 04:53:13 2013 +0000

    Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
    
    ipv6: fix possible crashes in ip6_cork_release()
    
    commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
    added some code duplication and bad error recovery, leading to potential
    crash in ip6_cork_release() as kfree() could be called with garbage.
    
    use kzalloc() to make sure this wont happen.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
    Cc: Neal Cardwell <ncardwell@google.com>

 net/ipv6/ip6_output.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 16 23:13:04 2013 +0000

    Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
    
    net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
    
    'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
    strncpy() will always left the last byte of 'discovery->data.info'
    uninitialized.
    
    When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
    the last byte of 'discovery->data.info' uninitialized, the next
    strlen() will cause issue.
    
    Also 'discovery->data' is 'struct irda_device_info' which defined in
    "include/uapi/...", it may copy to user mode, so need whole initialized.
    
    All together, need use kzalloc() instead of kmalloc() to initialize all
    members firstly.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/irlap_frame.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c01c9af268cb066f240aec53454b8b74d8d01688
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun May 19 08:36:36 2013 +0000

    Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
    
    isdn/kcapi: fix a small underflow
    
    In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
    from skb->data.  The current code can underflow to one space before the
    start of the array.
    
    The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
    it to match the others.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/capi/kcapi.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
Author: Timo Teräs <timo.teras@iki.fi>
Date:   Wed May 22 01:40:47 2013 +0000

    Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
    
    xfrm: properly handle invalid states as an error
    
    The error exit path needs err explicitly set. Otherwise it
    returns success and the only caller, xfrm_output_resume(),
    would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
    NULL.
    
    Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
    check and add a statistic).
    
    Signed-off-by: Timo Teräs <timo.teras@iki.fi>
    Cc: Li RongQing <roy.qing.li@gmail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/xfrm/xfrm_output.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
Date:   Fri May 31 15:07:52 2013 -0400

    Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
    
    reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
    
    After sleeping for filldir(), we check to see if the file system has
    changed and research. The next_pos pointer is updated but its value
    isn't pushed into the key used for the search itself. As a result,
    the search returns the same item that the last cycle of the loop did
    and filldir() is called multiple times with the same data.
    
    The end result is that the buffer can contain the same name multiple
    times. This can be returned to userspace or used internally in the
    xattr code where it can manifest with the following warning:
    
    jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
    
    reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
    the xattr names and ends up trying to unlink the same name twice. The
    second attempt fails with -ENOENT and the error is returned. At some
    point I'll need to add support into reiserfsck to remove the orphaned
    directories left behind when this occurs.
    
    The fix is to push the value into the key before researching.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/dir.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Fri May 31 15:51:17 2013 -0400

    Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
    
    reiserfs: fix deadlock with nfs racing on create/lookup
    
    Reiserfs is currently able to be deadlocked by having two NFS clients
    where one has removed and recreated a file and another is accessing the
    file with an open file handle.
    
    If one client deletes and recreates a file with timing such that the
    recreated file obtains the same [dirid, objectid] pair as the original
    file while another client accesses the file via file handle, the create
    and lookup can race and deadlock if the lookup manages to create the
    in-memory inode first.
    
    The create thread, in insert_inode_locked4, will hold the write lock
    while waiting on the other inode to be unlocked. The lookup thread,
    anywhere in the iget path, will release and reacquire the write lock while
    it schedules. If it needs to reacquire the lock while the create thread
    has it, it will never be able to make forward progress because it needs
    to reacquire the lock before ultimately unlocking the inode.
    
    This patch drops the write lock across the insert_inode_locked4 call so
    that the ordering of inode_wait -> write lock is retained. Since this
    would have been the case before the BKL push-down, this is safe.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/inode.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Fri May 31 15:54:17 2013 -0400

    Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
    
    reiserfs: fix problems with chowning setuid file w/ xattrs
    
    reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
    and uses it to iterate over all the attrs associated with a file to change
    ownership of xattrs (and transfer quota associated with the xattr files).
    
    When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
    are passed to all the xattrs as well. This means that the xattr directory
    will have S_IFREG added to its mode bits.
    
    This has been prevented in practice by a missing IS_PRIVATE check
    in reiserfs_acl_chmod, which caused a double-lock to occur while holding
    the write lock. Since the file system was completely locked up, the
    writeout of the corrupted mode never happened.
    
    This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
    calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/xattr.c     |   14 +++++++++++++-
 fs/reiserfs/xattr_acl.c |    3 +++
 2 files changed, 16 insertions(+), 1 deletions(-)

commit c18cef940310c06bdf86d64d8cb227e56e165300
Author: Dave Chinner <dchinner@redhat.com>
Date:   Mon May 27 16:38:25 2013 +1000

    Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
    
    xfs: kill suid/sgid through the truncate path.
    
    XFS has failed to kill suid/sgid bits correctly when truncating
    files of non-zero size since commit c4ed4243 ("xfs: split
    xfs_setattr") introduced in the 3.1 kernel. Fix it.
    
    Fix it.
    
    cc: stable kernel <stable@vger.kernel.org>
    Signed-off-by: Dave Chinner <dchinner@redhat.com>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Signed-off-by: Ben Myers <bpm@sgi.com>
    
    (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)

 fs/xfs/xfs_iops.c |   47 ++++++++++++++++++++++++++++++++---------------
 1 files changed, 32 insertions(+), 15 deletions(-)

commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Wed May 29 15:36:40 2013 -0400

    Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
    
    NFSv4: Fix a thinko in nfs4_try_open_cached
    
    We need to pass the full open mode flags to nfs_may_open() when doing
    a delegated open.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: stable@vger.kernel.org

 fs/nfs/nfs4proc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c47de62893a9f269be0a272c2840aac1e2a35c68
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 30 01:18:43 2013 +0000

    Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
    
    parisc: kernel: using strlcpy() instead of strcpy()
    
    'boot_args' is an input args, and 'boot_command_line' has a fix length.
    So use strlcpy() instead of strcpy() to avoid memory overflow.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Acked-by: Kyle McMartin <kyle@mcmartin.ca>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/kernel/setup.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit ce869e6f799f95fcac340420ba3612503df80dbf
Author: Chen Gang <gang.chen@asianux.com>
Date:   Mon May 27 04:57:09 2013 +0000

    Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
    
    parisc: memory overflow, 'name' length is too short for using
    
    'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
    * "%u:" + "%u" + '\0') may be 21.
    
    Since 'name' length is 20, it may be memory overflow.
    
    And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
    max length of 'name' must be less than 28.
    
    So simplify thinking, we can use 28 instead of 20 directly, and do not
    think of whether 'patchc.bc[i]' can '> 100'.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/kernel/drivers.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5dc65cd34d442783118a17c518e2daedb90a31d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 4 17:52:23 2013 -0400

    add PERF_HARDEN recommendation

 grsecurity/Kconfig |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 4 17:22:44 2013 -0400

    Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN

 grsecurity/Kconfig         |   19 +++++++++++++++++++
 include/linux/perf_event.h |    5 +++++
 kernel/events/core.c       |   10 +++++++++-
 kernel/sysctl.c            |    9 ++++++++-
 4 files changed, 41 insertions(+), 2 deletions(-)

commit 84619a3501fd38285a72d9e963f58d1827beedd6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 14:23:31 2013 -0400

    remove user-triggerable BUG_ON in do_munlockall()

 mm/mlock.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 13:44:05 2013 -0400

    Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
    
    From: Kees Cook <keescook@chromium.org>
    Date: Thu, 23 May 2013 17:32:17 +0000
    Subject: iscsi-target: fix heap buffer overflow on error
    
    If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
    error response packet, generated by iscsi_add_notunderstood_response(),
    would still attempt to copy the entire key into the packet, overflowing
    the structure on the heap.
    
    Remote preauthentication kernel memory corruption was possible if a
    target was configured and listening on the network.
    
    CVE-2013-2850
    
    Embargo-screwup-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

 drivers/target/iscsi/iscsi_target_parameters.c |    8 +++-----
 drivers/target/iscsi/iscsi_target_parameters.h |    4 +++-
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 13:43:26 2013 -0400

    Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
    Applying upstream fix instead
    
    This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.

 drivers/target/iscsi/iscsi_target_parameters.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun May 19 21:52:20 2013 +0300

    Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
    
    USB: cxacru: potential underflow in cxacru_cm_get_array()
    
    commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
    
    The value of "offd" comes off the instance->rcv_buf[] and we used it as
    the offset into an array.  The problem is that we check the upper bound
    but not for negative values.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

 drivers/usb/atm/cxacru.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 11:30:17 2013 -0400

    Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters

 drivers/target/iscsi/iscsi_target_parameters.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 8578566969d91678a3d7d5251b4eafc6d7775314
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 30 17:44:15 2013 -0400

    Apply compatibility fix to previous RLIMIT_NPROC change
    don't enforce the rlimit check at exec time if the user is root
    Prevents problems with sudo if root is listed as part of a group
    in limits.conf with process limits enforced

 kernel/sys.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
Merge: 643b294 ed9b427
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:19:28 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit ed9b4276488528d0c3803df1dc0df804238241e0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:18:45 2013 -0400

    Updated to pax-linux-3.9.4-test8.patch:
    - fixed some fallout detected by the checker plugin

 arch/x86/kernel/crash_dump_64.c               |    2 +-
 drivers/base/devtmpfs.c                       |    6 +++---
 drivers/char/agp/compat_ioctl.c               |    2 +-
 drivers/char/agp/frontend.c                   |    2 +-
 drivers/char/mem.c                            |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c         |    4 ++--
 drivers/i2c/i2c-dev.c                         |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c |    6 +++---
 drivers/media/v4l2-core/v4l2-ioctl.c          |   20 ++++++++++++--------
 fs/9p/vfs_addr.c                              |    2 +-
 fs/binfmt_elf.c                               |    4 ++--
 fs/compat_ioctl.c                             |    4 ++--
 fs/exec.c                                     |    2 +-
 fs/namespace.c                                |    8 ++++----
 fs/proc/vmcore.c                              |   12 ++++++++----
 fs/read_write.c                               |    2 +-
 include/linux/syscalls.h                      |    8 ++++----
 init/do_mounts_initrd.c                       |    8 ++++----
 init/main.c                                   |    4 ++--
 kernel/events/core.c                          |    2 +-
 kernel/events/internal.h                      |   10 +++++-----
 mm/page_io.c                                  |    2 +-
 security/keys/internal.h                      |    2 +-
 tools/gcc/checker_plugin.c                    |    1 +
 24 files changed, 63 insertions(+), 54 deletions(-)

commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 18:51:31 2013 -0400

    eliminate gcc warning

 fs/exec.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 18:30:20 2013 -0400

    use BUILD_BUG() instead of BUILD_BUG_ON(1)

 arch/x86/net/bpf_jit_comp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 5343410354267368e5809f3ad8d9a264f141be18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 17:57:41 2013 -0400

    defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
    for unknown opcodes

 arch/x86/net/bpf_jit_comp.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
Date:   Fri May 24 15:55:11 2013 -0700

    Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
    
    mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
    
    Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
    multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
    fix freed page still mapped in secondary MMU").
    
    Since hlist_for_each_entry_rcu() is changed now, we can not revert that
    patch directly, so this patch reverts the commit and simply fix the bug
    spotted by that patch
    
    This bug spotted by commit 751efd8610d3 is:
    
        There is a race condition between mmu_notifier_unregister() and
        __mmu_notifier_release().
    
        Assume two tasks, one calling mmu_notifier_unregister() as a result
        of a filp_close() ->flush() callout (task A), and the other calling
        mmu_notifier_release() from an mmput() (task B).
    
                            A                               B
        t1                                            srcu_read_lock()
        t2            if (!hlist_unhashed())
        t3                                            srcu_read_unlock()
        t4            srcu_read_lock()
        t5                                            hlist_del_init_rcu()
        t6                                            synchronize_srcu()
        t7            srcu_read_unlock()
        t8            hlist_del_rcu()  <--- NULL pointer deref.
    
    This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
    
    The another issue spotted in the commit is "multiple ->release()
    callouts", we needn't care it too much because it is really rare (e.g,
    can not happen on kvm since mmu-notify is unregistered after
    exit_mmap()) and the later call of multiple ->release should be fast
    since all the pages have already been released by the first call.
    Anyway, this issue should be fixed in a separate patch.
    
    -stable suggestions: Any version that has commit 751efd8610d3 need to be
    backported.  I find the oldest version has this commit is 3.0-stable.
    
    [akpm@linux-foundation.org: tweak comments]
    Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
    Tested-by: Robin Holt <holt@sgi.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmu_notifier.c |   79 ++++++++++++++++++++++++++---------------------------
 1 files changed, 39 insertions(+), 40 deletions(-)

commit 163a5539b36247865d39b2bcfa8efc03a62124a6
Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Date:   Fri May 24 15:55:21 2013 -0700

    Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
    
    mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
    
    We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
    set_pmd_at is used to set pmd with huge pte entries and architectures
    like ppc64, clear few flags from the pte when saving a new entry.
    Without this change we observe bad pte errors like below on ppc64 with
    THP enabled.
    
      BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/huge_memory.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date:   Fri May 24 15:55:08 2013 -0700

    Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
    
    fat: fix possible overflow for fat_clusters
    
    Intermediate value of fat_clusters can be overflowed on 32bits arch.
    
    Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/fat/inode.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
Author: Jarod Wilson <jarod@redhat.com>
Date:   Fri May 24 15:55:31 2013 -0700

    Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
    
    drivers/char/random.c: fix priming of last_data
    
    Commit ec8f02da9ea5 ("random: prime last_data value per fips
    requirements") added priming of last_data per fips requirements.
    
    Unfortuantely, it did so in a way that can lead to multiple threads all
    incrementing nbytes, but only one actually doing anything with the extra
    data, which leads to some fun random corruption and panics.
    
    The fix is to simply do everything needed to prime last_data in a single
    shot, so there's no window for multiple cpus to increment nbytes -- in
    fact, we won't even increment or decrement nbytes anymore, we'll just
    extract the needed EXTRACT_SIZE one time per pool and then carry on with
    the normal routine.
    
    All these changes have been tested across multiple hosts and
    architectures where panics were previously encoutered.  The code changes
    are are strictly limited to areas only touched when when booted in fips
    mode.
    
    This change should also go into 3.8-stable, to make the myriads of fips
    users on 3.8.x happy.
    
    Signed-off-by: Jarod Wilson <jarod@redhat.com>
    Tested-by: Jan Stancek <jstancek@redhat.com>
    Tested-by: Jan Stodola <jstodola@redhat.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Matt Mackall <mpm@selenic.com>
    Cc: "Theodore Ts'o" <tytso@mit.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c |   30 +++++++++++++++---------------
 1 files changed, 15 insertions(+), 15 deletions(-)

commit 2d74639040ba6ce47f57ec010714ec06529c4b42
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Fri May 24 15:55:33 2013 -0700

    Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
    
    random: fix accounting race condition with lockless irq entropy_count update
    
    Commit 902c098a3663 ("random: use lockless techniques in the interrupt
    path") turned IRQ path from being spinlock protected into lockless
    cmpxchg-retry update.
    
    That commit removed r->lock serialization between crediting entropy bits
    from IRQ context and accounting when extracting entropy on userspace
    read path, but didn't turn the r->entropy_count reads/updates in
    account() to use cmpxchg as well.
    
    It has been observed, that under certain circumstances this leads to
    read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
    corrupted and becomes negative, which in turn results in propagating 0
    all the way from account() to the actual read() call.
    
    Convert the accounting code to be the proper lockless counterpart of
    what has been partially done by 902c098a3663.
    
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: Greg KH <greg@kroah.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c |   26 +++++++++++++++++---------
 1 files changed, 17 insertions(+), 9 deletions(-)

commit 65d05c7ea468c23c175105526dd4f163302a92cf
Merge: 1a98d0a 6ce3a135
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 25 07:48:15 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kernel/vm86_32.c

commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
Merge: 79bdd65 0bfd8ff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 25 07:46:55 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 18:42:23 2013 -0400

    use existing local variable

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b2b80ef8586061e32e986b31608717c25d1e7c54
Merge: cb45fbd 79bdd65
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 17:58:53 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 79bdd65dac68267bc1b201c6b4a99966a373c305
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 17:57:46 2013 -0400

    Update to pax-linux-3.9.3-test7.patch:
    - fixed some size overflow related warnings (hash table, attributes)
    - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html

 arch/x86/include/asm/page_64.h    |    2 +-
 arch/x86/kernel/head64.c          |    2 +-
 tools/gcc/constify_plugin.c       |   48 ++-
 tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
 4 files changed, 651 insertions(+), 592 deletions(-)

commit cb45fbda4967b1b544a754fbdc92d73283379522
Merge: 62588fa 57c11b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 20 17:32:17 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 57c11b85acd841a088aa4df8e60be337880df8cd
Merge: 0598b37 4bb0869
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 20 17:32:08 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
Merge: e261c7b 0598b37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 17 22:57:36 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 17 22:57:07 2013 -0400

    Update to pax-linux-3.9.2-test6.patch:
    - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
    - fixed pfn extraction from pud/pgd entries, reported by ousado

 arch/x86/include/asm/pgtable.h |    9 +++++++--
 tools/gcc/structleak_plugin.c  |    3 ++-
 2 files changed, 9 insertions(+), 3 deletions(-)

commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 22:54:12 2013 -0400

    add offset to topdown check, fixes compilation

 arch/x86/kernel/sys_x86_64.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:57:41 2013 -0400

    CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
    reported by lulzh3ad on irc

 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0d4593e84707cdf6deb6b925c18c676a476b1613
Merge: 43cd0c0 39a877f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:39:11 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:37:35 2013 -0400

    Update to pax-linux-3.9.2-test105.patch:
    - fixed !EFI boot problem, reported by spender
    - fixed a few compile warnings
    - fixed some more compile errors due to constification
    - fixed some arm fallout, reported by Michael Tremer

 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/x86/kernel/sys_x86_64.c                       |    3 +--
 arch/x86/realmode/init.c                           |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +++++-----
 drivers/irqchip/irq-gic.c                          |    2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +++-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +++++++++---
 drivers/platform/x86/chromeos_laptop.c             |    2 +-
 fs/jfs/super.c                                     |    4 ++--
 include/linux/irqchip/arm-gic.h                    |    2 ++
 include/sound/compress_driver.h                    |    2 +-
 net/mac80211/cfg.c                                 |    4 ++--
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 14 files changed, 31 insertions(+), 22 deletions(-)

commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:35:22 2013 -0400

    Fix usercopy false positive under gcc 4.1

 arch/x86/kernel/signal.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 56a166129d817f6634c8c230e6ec497669bdfaca
Author: Amerigo Wang <amwang@redhat.com>
Date:   Thu May 9 21:56:37 2013 +0000

    Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
    
    ipv6,gre: do not leak info to user-space
    
    There is a hole in struct ip6_tnl_parm2, so we have to
    zero the struct on stack before copying it to user-space.
    
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_gre.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit d6f50dae2653ad912952da40417a8ccbd59c7699
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 14 16:52:35 2013 -0400

    disable unprivileged kernel profiling under HIDESYM, rename
    the variable to something more appropriate

 include/linux/perf_event.h |    8 ++++----
 kernel/events/core.c       |    6 +++++-
 kernel/sysctl.c            |    4 ++--
 3 files changed, 11 insertions(+), 7 deletions(-)

commit 01322c6951bed4eedefbd2178dbd99292b365d99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 17:19:57 2013 -0400

    mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
    existing stack-heap gap code for the new unified vm_unmapped_area

 grsecurity/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 15:40:32 2013 -0400

    fix NX fault on early boot

 arch/x86/realmode/init.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:48:13 2013 -0400

    compile fix, we weren't using %pa anyway and it's now being used
    by upstream for physical address printing

 lib/vsprintf.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:39:52 2013 -0400

    compile fix

 grsecurity/grsec_chroot.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:35:36 2013 -0400

    compile fixes

 grsecurity/grsec_chroot.c  |    2 +-
 include/linux/grinternal.h |    8 ++++----
 include/linux/grsecurity.h |    4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:27:18 2013 -0400

    compile fix

 fs/exec.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:23:17 2013 -0400

    Initial port of grsecurity for 3.9.2

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    9 +-
 arch/arm/kernel/process.c                          |    4 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   17 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/include/asm/thread_info.h             |    8 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/powerpc/mm/slice.c                            |    8 +-
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    8 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/defconfig                                  |    1 -
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/Kconfig.debug                             |    2 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |   14 +-
 arch/x86/kernel/sys_x86_64.c                       |    6 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |   16 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  126 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/usb/storage/realtek_cr.c                   |    2 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++--------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    8 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |   10 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  181 +-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  241 ++-
 fs/namespace.c                                     |   24 +
 fs/open.c                                          |   38 +
 fs/pipe.c                                          |    2 +-
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 +-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |   17 +
 fs/proc/internal.h                                 |    3 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 grsecurity/Kconfig                                 | 1031 +++++
 grsecurity/Makefile                                |   38 +
 grsecurity/gracl.c                                 | 4073 ++++++++++++++++++++
 grsecurity/gracl_alloc.c                           |  105 +
 grsecurity/gracl_cap.c                             |  110 +
 grsecurity/gracl_fs.c                              |  431 +++
 grsecurity/gracl_ip.c                              |  387 ++
 grsecurity/gracl_learn.c                           |  207 +
 grsecurity/gracl_res.c                             |   68 +
 grsecurity/gracl_segv.c                            |  305 ++
 grsecurity/gracl_shm.c                             |   40 +
 grsecurity/grsec_chdir.c                           |   19 +
 grsecurity/grsec_chroot.c                          |  370 ++
 grsecurity/grsec_disabled.c                        |  434 +++
 grsecurity/grsec_exec.c                            |  187 +
 grsecurity/grsec_fifo.c                            |   24 +
 grsecurity/grsec_fork.c                            |   23 +
 grsecurity/grsec_init.c                            |  283 ++
 grsecurity/grsec_link.c                            |   58 +
 grsecurity/grsec_log.c                             |  326 ++
 grsecurity/grsec_mem.c                             |   40 +
 grsecurity/grsec_mount.c                           |   62 +
 grsecurity/grsec_pax.c                             |   36 +
 grsecurity/grsec_ptrace.c                          |   30 +
 grsecurity/grsec_sig.c                             |  222 ++
 grsecurity/grsec_sock.c                            |  244 ++
 grsecurity/grsec_sysctl.c                          |  469 +++
 grsecurity/grsec_time.c                            |   16 +
 grsecurity/grsec_tpe.c                             |   73 +
 grsecurity/grsum.c                                 |   61 +
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/gracl.h                              |  319 ++
 include/linux/gralloc.h                            |    9 +
 include/linux/grdefs.h                             |  140 +
 include/linux/grinternal.h                         |  215 +
 include/linux/grmsg.h                              |  111 +
 include/linux/grsecurity.h                         |  242 ++
 include/linux/grsock.h                             |   19 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/netfilter/xt_gradm.h                 |    9 +
 include/linux/printk.h                             |    3 +-
 include/linux/proc_fs.h                            |   12 +
 include/linux/sched.h                              |   68 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/net/secure_seq.h                           |    1 +
 include/trace/events/fs.h                          |   53 +
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   71 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    4 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    8 +
 kernel/printk.c                                    |   13 +-
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    3 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 lib/vsprintf.c                                     |   35 +-
 localversion-grsec                                 |    1 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   64 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/shmem.c                                         |    2 +-
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/8021q/vlan.c                                   |    7 +
 net/core/dev_ioctl.c                               |    4 +
 net/core/net-procfs.c                              |    5 +
 net/core/secure_seq.c                              |    4 +-
 net/core/sock_diag.c                               |    7 +
 net/ipv4/af_inet.c                                 |    5 +-
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    7 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netfilter/xt_gradm.c                           |   51 +
 net/netrom/af_netrom.c                             |    2 +-
 net/phonet/af_phonet.c                             |    2 +-
 net/sctp/probe.c                                   |    2 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/tipc/link.c                                    |   11 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  342 ++-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 291 files changed, 15221 insertions(+), 2052 deletions(-)

commit 88854c350c899bceca4a94598c42bed44d0dc91b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 07:37:47 2013 -0400

    Initial import of pax-linux-3.9.2-test2.patch

 Documentation/dontdiff                           |   45 +-
 Documentation/kernel-parameters.txt              |   12 +
 Makefile                                         |  100 +-
 arch/alpha/include/asm/atomic.h                  |   10 +
 arch/alpha/include/asm/elf.h                     |    7 +
 arch/alpha/include/asm/pgalloc.h                 |    6 +
 arch/alpha/include/asm/pgtable.h                 |   11 +
 arch/alpha/kernel/module.c                       |    2 +-
 arch/alpha/kernel/osf_sys.c                      |    8 +-
 arch/alpha/mm/fault.c                            |  141 +-
 arch/arm/Kconfig                                 |    2 +-
 arch/arm/include/asm/atomic.h                    |  421 ++-
 arch/arm/include/asm/cache.h                     |    5 +-
 arch/arm/include/asm/cacheflush.h                |    2 +-
 arch/arm/include/asm/checksum.h                  |   14 +-
 arch/arm/include/asm/cmpxchg.h                   |    2 +
 arch/arm/include/asm/domain.h                    |   33 +-
 arch/arm/include/asm/elf.h                       |   13 +-
 arch/arm/include/asm/fncpy.h                     |    2 +
 arch/arm/include/asm/futex.h                     |   10 +
 arch/arm/include/asm/kmap_types.h                |    2 +-
 arch/arm/include/asm/mach/dma.h                  |    2 +-
 arch/arm/include/asm/mach/map.h                  |    7 +-
 arch/arm/include/asm/outercache.h                |    2 +-
 arch/arm/include/asm/page.h                      |    2 +-
 arch/arm/include/asm/pgalloc.h                   |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h      |    5 +
 arch/arm/include/asm/pgtable-2level.h            |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h      |    2 +
 arch/arm/include/asm/pgtable-3level.h            |    2 +
 arch/arm/include/asm/pgtable.h                   |   56 +-
 arch/arm/include/asm/proc-fns.h                  |    2 +-
 arch/arm/include/asm/processor.h                 |    5 +-
 arch/arm/include/asm/smp.h                       |    2 +-
 arch/arm/include/asm/thread_info.h               |    6 +-
 arch/arm/include/asm/uaccess.h                   |   92 +-
 arch/arm/include/uapi/asm/ptrace.h               |    2 +-
 arch/arm/kernel/armksyms.c                       |    6 +-
 arch/arm/kernel/entry-armv.S                     |  107 +-
 arch/arm/kernel/entry-common.S                   |   41 +-
 arch/arm/kernel/entry-header.S                   |   60 +
 arch/arm/kernel/fiq.c                            |    2 +
 arch/arm/kernel/head.S                           |    6 +-
 arch/arm/kernel/hw_breakpoint.c                  |    2 +-
 arch/arm/kernel/module.c                         |   29 +-
 arch/arm/kernel/patch.c                          |    2 +
 arch/arm/kernel/perf_event_cpu.c                 |    2 +-
 arch/arm/kernel/process.c                        |   15 +-
 arch/arm/kernel/setup.c                          |   22 +-
 arch/arm/kernel/signal.c                         |   24 +-
 arch/arm/kernel/smp.c                            |    2 +-
 arch/arm/kernel/traps.c                          |   15 +-
 arch/arm/kernel/vmlinux.lds.S                    |   22 +-
 arch/arm/lib/clear_user.S                        |    6 +-
 arch/arm/lib/copy_from_user.S                    |    6 +-
 arch/arm/lib/copy_page.S                         |    1 +
 arch/arm/lib/copy_to_user.S                      |    6 +-
 arch/arm/lib/csumpartialcopyuser.S               |    4 +-
 arch/arm/lib/delay.c                             |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c               |    2 +-
 arch/arm/mach-kirkwood/common.c                  |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                 |    2 +-
 arch/arm/mach-omap2/gpmc.c                       |   22 +-
 arch/arm/mach-omap2/omap-wakeupgen.c             |    2 +-
 arch/arm/mach-omap2/omap_device.c                |    4 +-
 arch/arm/mach-omap2/omap_device.h                |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                 |    4 +-
 arch/arm/mach-omap2/wd_timer.c                   |    6 +-
 arch/arm/mach-ux500/include/mach/setup.h         |    7 -
 arch/arm/mm/Kconfig                              |    3 +-
 arch/arm/mm/alignment.c                          |    8 +
 arch/arm/mm/fault.c                              |   91 +
 arch/arm/mm/fault.h                              |   12 +
 arch/arm/mm/init.c                               |   41 +
 arch/arm/mm/ioremap.c                            |    4 +-
 arch/arm/mm/mmap.c                               |   36 +-
 arch/arm/mm/mmu.c                                |  187 +-
 arch/arm/mm/proc-v7-2level.S                     |    3 +
 arch/arm/plat-omap/sram.c                        |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h     |    2 +-
 arch/arm64/kernel/debug-monitors.c               |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                |    2 +-
 arch/avr32/include/asm/elf.h                     |    8 +-
 arch/avr32/include/asm/kmap_types.h              |    4 +-
 arch/avr32/mm/fault.c                            |   27 +
 arch/frv/include/asm/atomic.h                    |   10 +
 arch/frv/include/asm/kmap_types.h                |    2 +-
 arch/frv/mm/elf-fdpic.c                          |    3 +-
 arch/ia64/include/asm/atomic.h                   |   10 +
 arch/ia64/include/asm/elf.h                      |    7 +
 arch/ia64/include/asm/pgalloc.h                  |   12 +
 arch/ia64/include/asm/pgtable.h                  |   13 +-
 arch/ia64/include/asm/spinlock.h                 |    2 +-
 arch/ia64/include/asm/uaccess.h                  |   26 +-
 arch/ia64/kernel/err_inject.c                    |    2 +-
 arch/ia64/kernel/mca.c                           |    2 +-
 arch/ia64/kernel/module.c                        |   48 +-
 arch/ia64/kernel/palinfo.c                       |    2 +-
 arch/ia64/kernel/salinfo.c                       |    2 +-
 arch/ia64/kernel/sys_ia64.c                      |    7 +
 arch/ia64/kernel/topology.c                      |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                   |    2 +-
 arch/ia64/mm/fault.c                             |   32 +-
 arch/ia64/mm/init.c                              |   13 +
 arch/m32r/lib/usercopy.c                         |    6 +
 arch/mips/include/asm/atomic.h                   |   14 +
 arch/mips/include/asm/elf.h                      |   11 +-
 arch/mips/include/asm/exec.h                     |    2 +-
 arch/mips/include/asm/page.h                     |    2 +-
 arch/mips/include/asm/pgalloc.h                  |    5 +
 arch/mips/kernel/binfmt_elfn32.c                 |    7 +
 arch/mips/kernel/binfmt_elfo32.c                 |    7 +
 arch/mips/kernel/process.c                       |   12 -
 arch/mips/mm/fault.c                             |   17 +
 arch/mips/mm/mmap.c                              |   51 +-
 arch/parisc/include/asm/atomic.h                 |   10 +
 arch/parisc/include/asm/elf.h                    |    7 +
 arch/parisc/include/asm/pgalloc.h                |    6 +
 arch/parisc/include/asm/pgtable.h                |   11 +
 arch/parisc/include/asm/uaccess.h                |    4 +-
 arch/parisc/kernel/module.c                      |   50 +-
 arch/parisc/kernel/sys_parisc.c                  |    9 +-
 arch/parisc/kernel/traps.c                       |    4 +-
 arch/parisc/mm/fault.c                           |  140 +-
 arch/powerpc/include/asm/atomic.h                |   10 +
 arch/powerpc/include/asm/elf.h                   |   19 +-
 arch/powerpc/include/asm/exec.h                  |    2 +-
 arch/powerpc/include/asm/kmap_types.h            |    2 +-
 arch/powerpc/include/asm/mman.h                  |    2 +-
 arch/powerpc/include/asm/page.h                  |    8 +-
 arch/powerpc/include/asm/page_64.h               |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h            |    7 +
 arch/powerpc/include/asm/pgtable.h               |    1 +
 arch/powerpc/include/asm/pte-hash32.h            |    1 +
 arch/powerpc/include/asm/reg.h                   |    1 +
 arch/powerpc/include/asm/smp.h                   |    2 +-
 arch/powerpc/include/asm/uaccess.h               |  140 +-
 arch/powerpc/kernel/exceptions-64e.S             |    4 +-
 arch/powerpc/kernel/exceptions-64s.S             |    2 +-
 arch/powerpc/kernel/module_32.c                  |   13 +-
 arch/powerpc/kernel/process.c                    |   55 -
 arch/powerpc/kernel/signal_32.c                  |    2 +-
 arch/powerpc/kernel/signal_64.c                  |    2 +-
 arch/powerpc/kernel/sysfs.c                      |    2 +-
 arch/powerpc/kernel/vdso.c                       |    5 +-
 arch/powerpc/lib/usercopy_64.c                   |   18 -
 arch/powerpc/mm/fault.c                          |   54 +-
 arch/powerpc/mm/mmap_64.c                        |   16 +
 arch/powerpc/mm/mmu_context_nohash.c             |    2 +-
 arch/powerpc/mm/numa.c                           |    2 +-
 arch/powerpc/mm/slice.c                          |   23 +-
 arch/powerpc/platforms/cell/spufs/file.c         |    4 +-
 arch/powerpc/platforms/powermac/smp.c            |    2 +-
 arch/s390/include/asm/atomic.h                   |   10 +
 arch/s390/include/asm/elf.h                      |   13 +-
 arch/s390/include/asm/exec.h                     |    2 +-
 arch/s390/include/asm/uaccess.h                  |   15 +-
 arch/s390/kernel/module.c                        |   22 +-
 arch/s390/kernel/process.c                       |   36 -
 arch/s390/mm/mmap.c                              |   24 +
 arch/score/include/asm/exec.h                    |    2 +-
 arch/score/kernel/process.c                      |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c               |    2 +-
 arch/sh/mm/mmap.c                                |   22 +-
 arch/sparc/include/asm/atomic_64.h               |  106 +-
 arch/sparc/include/asm/cache.h                   |    2 +-
 arch/sparc/include/asm/elf_32.h                  |    7 +
 arch/sparc/include/asm/elf_64.h                  |    7 +
 arch/sparc/include/asm/pgalloc_32.h              |    1 +
 arch/sparc/include/asm/pgalloc_64.h              |    1 +
 arch/sparc/include/asm/pgtable_32.h              |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                |    5 +
 arch/sparc/include/asm/spinlock_64.h             |   35 +-
 arch/sparc/include/asm/thread_info_32.h          |    2 +
 arch/sparc/include/asm/thread_info_64.h          |    2 +
 arch/sparc/include/asm/uaccess.h                 |    1 +
 arch/sparc/include/asm/uaccess_32.h              |   27 +-
 arch/sparc/include/asm/uaccess_64.h              |   19 +-
 arch/sparc/kernel/Makefile                       |    2 +-
 arch/sparc/kernel/prom_common.c                  |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                 |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                 |   48 +-
 arch/sparc/kernel/sysfs.c                        |    2 +-
 arch/sparc/kernel/traps_64.c                     |   13 +-
 arch/sparc/kernel/us3_cpufreq.c                  |   69 +-
 arch/sparc/lib/Makefile                          |    2 +-
 arch/sparc/lib/atomic_64.S                       |  136 +-
 arch/sparc/lib/ksyms.c                           |    6 +
 arch/sparc/mm/Makefile                           |    2 +-
 arch/sparc/mm/fault_32.c                         |  292 ++
 arch/sparc/mm/fault_64.c                         |  486 ++
 arch/sparc/mm/hugetlbpage.c                      |   21 +-
 arch/tile/include/asm/atomic_64.h                |   10 +
 arch/tile/include/asm/uaccess.h                  |    4 +-
 arch/um/Makefile                                 |    4 +
 arch/um/include/asm/kmap_types.h                 |    2 +-
 arch/um/include/asm/page.h                       |    3 +
 arch/um/include/asm/pgtable-3level.h             |    1 +
 arch/um/kernel/process.c                         |   16 -
 arch/x86/Kconfig                                 |   10 +-
 arch/x86/Kconfig.cpu                             |    6 +-
 arch/x86/Kconfig.debug                           |    6 +-
 arch/x86/Makefile                                |   10 +
 arch/x86/boot/Makefile                           |    3 +
 arch/x86/boot/bitops.h                           |    4 +-
 arch/x86/boot/boot.h                             |    4 +-
 arch/x86/boot/compressed/Makefile                |    3 +
 arch/x86/boot/compressed/eboot.c                 |    2 -
 arch/x86/boot/compressed/head_32.S               |    7 +-
 arch/x86/boot/compressed/head_64.S               |    8 +-
 arch/x86/boot/compressed/misc.c                  |    4 +-
 arch/x86/boot/cpucheck.c                         |   28 +-
 arch/x86/boot/header.S                           |    6 +-
 arch/x86/boot/memory.c                           |    2 +-
 arch/x86/boot/video-vesa.c                       |    1 +
 arch/x86/boot/video.c                            |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S              |    4 +
 arch/x86/crypto/aesni-intel_asm.S                |   21 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S         |    7 +
 arch/x86/crypto/camellia-x86_64-asm_64.S         |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S        |    7 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S        |    7 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S          |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S      |    7 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S     |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                 |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S      |    7 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S     |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S          |    3 +
 arch/x86/ia32/ia32_signal.c                      |   14 +-
 arch/x86/ia32/ia32entry.S                        |  141 +-
 arch/x86/ia32/sys_ia32.c                         |    6 +-
 arch/x86/include/asm/alternative-asm.h           |   39 +
 arch/x86/include/asm/alternative.h               |    4 +-
 arch/x86/include/asm/apic.h                      |    2 +-
 arch/x86/include/asm/apm.h                       |    4 +-
 arch/x86/include/asm/atomic.h                    |  307 ++-
 arch/x86/include/asm/atomic64_32.h               |  100 +
 arch/x86/include/asm/atomic64_64.h               |  202 +-
 arch/x86/include/asm/bitops.h                    |    4 +-
 arch/x86/include/asm/boot.h                      |    7 +-
 arch/x86/include/asm/cache.h                     |    5 +-
 arch/x86/include/asm/cacheflush.h                |    2 +-
 arch/x86/include/asm/checksum_32.h               |   12 +-
 arch/x86/include/asm/cmpxchg.h                   |   35 +
 arch/x86/include/asm/compat.h                    |    2 +-
 arch/x86/include/asm/cpufeature.h                |    4 +-
 arch/x86/include/asm/desc.h                      |   67 +-
 arch/x86/include/asm/desc_defs.h                 |    6 +
 arch/x86/include/asm/div64.h                     |    2 +-
 arch/x86/include/asm/elf.h                       |   31 +-
 arch/x86/include/asm/emergency-restart.h         |    2 +-
 arch/x86/include/asm/fpu-internal.h              |    6 +-
 arch/x86/include/asm/futex.h                     |   16 +-
 arch/x86/include/asm/hw_irq.h                    |    4 +-
 arch/x86/include/asm/i8259.h                     |    2 +-
 arch/x86/include/asm/io.h                        |   21 +-
 arch/x86/include/asm/irqflags.h                  |    5 +
 arch/x86/include/asm/kprobes.h                   |    9 +-
 arch/x86/include/asm/local.h                     |  142 +-
 arch/x86/include/asm/mman.h                      |   15 +
 arch/x86/include/asm/mmu.h                       |   16 +-
 arch/x86/include/asm/mmu_context.h               |   76 +-
 arch/x86/include/asm/module.h                    |   17 +-
 arch/x86/include/asm/nmi.h                       |    6 +-
 arch/x86/include/asm/page_64.h                   |    2 +-
 arch/x86/include/asm/paravirt.h                  |   46 +-
 arch/x86/include/asm/paravirt_types.h            |   17 +-
 arch/x86/include/asm/pgalloc.h                   |   23 +
 arch/x86/include/asm/pgtable-2level.h            |    2 +
 arch/x86/include/asm/pgtable-3level.h            |    4 +
 arch/x86/include/asm/pgtable.h                   |  113 +-
 arch/x86/include/asm/pgtable_32.h                |   14 +-
 arch/x86/include/asm/pgtable_32_types.h          |   15 +-
 arch/x86/include/asm/pgtable_64.h                |   19 +-
 arch/x86/include/asm/pgtable_64_types.h          |    5 +
 arch/x86/include/asm/pgtable_types.h             |   36 +-
 arch/x86/include/asm/processor.h                 |   39 +-
 arch/x86/include/asm/ptrace.h                    |   26 +-
 arch/x86/include/asm/realmode.h                  |    4 +-
 arch/x86/include/asm/reboot.h                    |   10 +-
 arch/x86/include/asm/rwsem.h                     |   60 +-
 arch/x86/include/asm/segment.h                   |   24 +-
 arch/x86/include/asm/smp.h                       |   14 +-
 arch/x86/include/asm/spinlock.h                  |   36 +-
 arch/x86/include/asm/stackprotector.h            |    4 +-
 arch/x86/include/asm/stacktrace.h                |   32 +-
 arch/x86/include/asm/switch_to.h                 |    4 +-
 arch/x86/include/asm/thread_info.h               |   83 +-
 arch/x86/include/asm/uaccess.h                   |   96 +-
 arch/x86/include/asm/uaccess_32.h                |  106 +-
 arch/x86/include/asm/uaccess_64.h                |  232 +-
 arch/x86/include/asm/word-at-a-time.h            |    2 +-
 arch/x86/include/asm/x86_init.h                  |   10 +-
 arch/x86/include/asm/xsave.h                     |   10 +-
 arch/x86/include/uapi/asm/e820.h                 |    2 +-
 arch/x86/kernel/Makefile                         |    2 +-
 arch/x86/kernel/acpi/boot.c                      |    4 +-
 arch/x86/kernel/acpi/sleep.c                     |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                 |    6 +-
 arch/x86/kernel/alternative.c                    |   65 +-
 arch/x86/kernel/apic/apic.c                      |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c              |    4 +-
 arch/x86/kernel/apic/apic_noop.c                 |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                 |    2 +-
 arch/x86/kernel/apic/es7000_32.c                 |    5 +-
 arch/x86/kernel/apic/io_apic.c                   |    8 +-
 arch/x86/kernel/apic/numaq_32.c                  |    3 +-
 arch/x86/kernel/apic/probe_32.c                  |    2 +-
 arch/x86/kernel/apic/summit_32.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c            |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c               |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c               |    2 +-
 arch/x86/kernel/apm_32.c                         |   19 +-
 arch/x86/kernel/asm-offsets.c                    |   20 +
 arch/x86/kernel/asm-offsets_64.c                 |    1 +
 arch/x86/kernel/cpu/Makefile                     |    4 -
 arch/x86/kernel/cpu/amd.c                        |    2 +-
 arch/x86/kernel/cpu/common.c                     |   75 +-
 arch/x86/kernel/cpu/intel.c                      |    2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c            |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                 |   31 +-
 arch/x86/kernel/cpu/mcheck/p5.c                  |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c         |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c             |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                  |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                  |    2 +-
 arch/x86/kernel/cpu/perf_event.c                 |    8 +-
 arch/x86/kernel/cpu/perf_event_intel.c           |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c    |    4 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h    |    2 +-
 arch/x86/kernel/cpuid.c                          |    2 +-
 arch/x86/kernel/crash.c                          |    4 +-
 arch/x86/kernel/doublefault_32.c                 |    8 +-
 arch/x86/kernel/dumpstack.c                      |   30 +-
 arch/x86/kernel/dumpstack_32.c                   |   34 +-
 arch/x86/kernel/dumpstack_64.c                   |   63 +-
 arch/x86/kernel/early_printk.c                   |    1 +
 arch/x86/kernel/entry_32.S                       |  354 ++-
 arch/x86/kernel/entry_64.S                       |  530 ++-
 arch/x86/kernel/ftrace.c                         |   14 +-
 arch/x86/kernel/head64.c                         |    1 -
 arch/x86/kernel/head_32.S                        |  237 +-
 arch/x86/kernel/head_64.S                        |  120 +-
 arch/x86/kernel/i386_ksyms_32.c                  |    8 +
 arch/x86/kernel/i387.c                           |    2 +-
 arch/x86/kernel/i8259.c                          |   10 +-
 arch/x86/kernel/io_delay.c                       |    2 +-
 arch/x86/kernel/ioport.c                         |    2 +-
 arch/x86/kernel/irq.c                            |    8 +-
 arch/x86/kernel/irq_32.c                         |   69 +-
 arch/x86/kernel/irq_64.c                         |    2 +-
 arch/x86/kernel/kdebugfs.c                       |    2 +-
 arch/x86/kernel/kgdb.c                           |   25 +-
 arch/x86/kernel/kprobes/core.c                   |   30 +-
 arch/x86/kernel/kprobes/opt.c                    |   16 +-
 arch/x86/kernel/kvm.c                            |    2 +-
 arch/x86/kernel/ldt.c                            |   31 +-
 arch/x86/kernel/machine_kexec_32.c               |    6 +-
 arch/x86/kernel/microcode_core.c                 |    2 +-
 arch/x86/kernel/microcode_intel.c                |    4 +-
 arch/x86/kernel/module.c                         |   76 +-
 arch/x86/kernel/msr.c                            |    2 +-
 arch/x86/kernel/nmi.c                            |   19 +-
 arch/x86/kernel/nmi_selftest.c                   |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c             |    2 +-
 arch/x86/kernel/paravirt.c                       |   43 +-
 arch/x86/kernel/pci-calgary_64.c                 |    2 +-
 arch/x86/kernel/pci-iommu_table.c                |    2 +-
 arch/x86/kernel/pci-swiotlb.c                    |    2 +-
 arch/x86/kernel/process.c                        |   57 +-
 arch/x86/kernel/process_32.c                     |   29 +-
 arch/x86/kernel/process_64.c                     |   15 +-
 arch/x86/kernel/ptrace.c                         |   25 +-
 arch/x86/kernel/pvclock.c                        |    8 +-
 arch/x86/kernel/reboot.c                         |   44 +-
 arch/x86/kernel/relocate_kernel_64.S             |    4 +-
 arch/x86/kernel/setup.c                          |   19 +-
 arch/x86/kernel/setup_percpu.c                   |   29 +-
 arch/x86/kernel/signal.c                         |   15 +-
 arch/x86/kernel/smp.c                            |    2 +-
 arch/x86/kernel/smpboot.c                        |   15 +-
 arch/x86/kernel/step.c                           |   10 +-
 arch/x86/kernel/sys_i386_32.c                    |  248 +
 arch/x86/kernel/sys_x86_64.c                     |   19 +-
 arch/x86/kernel/tboot.c                          |   14 +-
 arch/x86/kernel/time.c                           |   10 +-
 arch/x86/kernel/tls.c                            |    7 +-
 arch/x86/kernel/traps.c                          |   64 +-
 arch/x86/kernel/uprobes.c                        |    2 +-
 arch/x86/kernel/vm86_32.c                        |    6 +-
 arch/x86/kernel/vmlinux.lds.S                    |  148 +-
 arch/x86/kernel/vsyscall_64.c                    |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                 |    2 -
 arch/x86/kernel/x86_init.c                       |    8 +-
 arch/x86/kernel/xsave.c                          |    2 +
 arch/x86/kvm/cpuid.c                             |   21 +-
 arch/x86/kvm/emulate.c                           |    4 +-
 arch/x86/kvm/lapic.c                             |    2 +-
 arch/x86/kvm/paging_tmpl.h                       |    2 +-
 arch/x86/kvm/svm.c                               |    8 +
 arch/x86/kvm/vmx.c                               |   57 +-
 arch/x86/kvm/x86.c                               |   10 +-
 arch/x86/lguest/boot.c                           |    3 +-
 arch/x86/lib/atomic64_386_32.S                   |  164 +
 arch/x86/lib/atomic64_cx8_32.S                   |  103 +-
 arch/x86/lib/checksum_32.S                       |  100 +-
 arch/x86/lib/clear_page_64.S                     |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                    |    2 +
 arch/x86/lib/copy_page_64.S                      |   24 +-
 arch/x86/lib/copy_user_64.S                      |   47 +-
 arch/x86/lib/copy_user_nocache_64.S              |   20 +-
 arch/x86/lib/csum-copy_64.S                      |    2 +
 arch/x86/lib/csum-wrappers_64.c                  |    4 +-
 arch/x86/lib/getuser.S                           |   70 +-
 arch/x86/lib/insn.c                              |    6 +-
 arch/x86/lib/iomap_copy_64.S                     |    2 +
 arch/x86/lib/memcpy_64.S                         |   18 +-
 arch/x86/lib/memmove_64.S                        |   34 +-
 arch/x86/lib/memset_64.S                         |    7 +-
 arch/x86/lib/mmx_32.c                            |  243 +-
 arch/x86/lib/msr-reg.S                           |   18 +-
 arch/x86/lib/putuser.S                           |   90 +-
 arch/x86/lib/rwlock.S                            |   42 +
 arch/x86/lib/rwsem.S                             |    6 +-
 arch/x86/lib/thunk_64.S                          |    2 +
 arch/x86/lib/usercopy_32.c                       |  376 +-
 arch/x86/lib/usercopy_64.c                       |   25 +-
 arch/x86/mm/extable.c                            |   25 +-
 arch/x86/mm/fault.c                              |  556 ++-
 arch/x86/mm/gup.c                                |    2 +-
 arch/x86/mm/highmem_32.c                         |    4 +
 arch/x86/mm/hugetlbpage.c                        |   30 +-
 arch/x86/mm/init.c                               |   90 +-
 arch/x86/mm/init_32.c                            |  119 +-
 arch/x86/mm/init_64.c                            |   44 +-
 arch/x86/mm/iomap_32.c                           |    4 +
 arch/x86/mm/ioremap.c                            |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                |    4 +-
 arch/x86/mm/mmap.c                               |   41 +-
 arch/x86/mm/mmio-mod.c                           |   10 +-
 arch/x86/mm/numa.c                               |    2 +-
 arch/x86/mm/pageattr-test.c                      |    2 +-
 arch/x86/mm/pageattr.c                           |   33 +-
 arch/x86/mm/pat.c                                |   12 +-
 arch/x86/mm/pf_in.c                              |   10 +-
 arch/x86/mm/pgtable.c                            |  137 +-
 arch/x86/mm/pgtable_32.c                         |    3 +
 arch/x86/mm/physaddr.c                           |    4 +-
 arch/x86/mm/setup_nx.c                           |    7 +
 arch/x86/mm/tlb.c                                |    4 +
 arch/x86/net/bpf_jit.S                           |   14 +
 arch/x86/net/bpf_jit_comp.c                      |   37 +-
 arch/x86/oprofile/backtrace.c                    |    8 +-
 arch/x86/oprofile/nmi_int.c                      |    8 +-
 arch/x86/oprofile/op_model_amd.c                 |    8 +-
 arch/x86/oprofile/op_model_ppro.c                |    7 +-
 arch/x86/oprofile/op_x86_model.h                 |    2 +-
 arch/x86/pci/amd_bus.c                           |    2 +-
 arch/x86/pci/irq.c                               |    8 +-
 arch/x86/pci/mrst.c                              |    4 +-
 arch/x86/pci/pcbios.c                            |  144 +-
 arch/x86/platform/efi/efi_32.c                   |   19 +
 arch/x86/platform/efi/efi_stub_32.S              |   64 +-
 arch/x86/platform/efi/efi_stub_64.S              |    8 +
 arch/x86/platform/mrst/mrst.c                    |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                 |    2 +-
 arch/x86/power/cpu.c                             |    4 +-
 arch/x86/realmode/init.c                         |    8 +-
 arch/x86/realmode/rm/Makefile                    |    3 +
 arch/x86/realmode/rm/header.S                    |    4 +-
 arch/x86/realmode/rm/trampoline_32.S             |   12 +-
 arch/x86/realmode/rm/trampoline_64.S             |    2 +-
 arch/x86/tools/relocs.c                          |   95 +-
 arch/x86/vdso/Makefile                           |    2 +-
 arch/x86/vdso/vdso32-setup.c                     |   23 +-
 arch/x86/vdso/vma.c                              |   29 +-
 arch/x86/xen/enlighten.c                         |   47 +-
 arch/x86/xen/mmu.c                               |    9 +
 arch/x86/xen/smp.c                               |   18 +-
 arch/x86/xen/xen-asm_32.S                        |   12 +-
 arch/x86/xen/xen-head.S                          |   11 +
 arch/x86/xen/xen-ops.h                           |    2 -
 block/blk-iopoll.c                               |    4 +-
 block/blk-map.c                                  |    2 +-
 block/blk-softirq.c                              |    4 +-
 block/bsg.c                                      |   12 +-
 block/compat_ioctl.c                             |    2 +-
 block/partitions/efi.c                           |    8 +-
 block/scsi_ioctl.c                               |   27 +-
 crypto/cryptd.c                                  |    4 +-
 drivers/acpi/apei/apei-internal.h                |    2 +-
 drivers/acpi/apei/cper.c                         |    8 +-
 drivers/acpi/bgrt.c                              |    6 +-
 drivers/acpi/blacklist.c                         |    4 +-
 drivers/acpi/ec_sys.c                            |   12 +-
 drivers/acpi/processor_idle.c                    |    2 +-
 drivers/acpi/sysfs.c                             |    4 +-
 drivers/ata/libahci.c                            |    2 +-
 drivers/ata/libata-core.c                        |    8 +-
 drivers/ata/pata_arasan_cf.c                     |    4 +-
 drivers/atm/adummy.c                             |    2 +-
 drivers/atm/ambassador.c                         |    8 +-
 drivers/atm/atmtcp.c                             |   14 +-
 drivers/atm/eni.c                                |   10 +-
 drivers/atm/firestream.c                         |    8 +-
 drivers/atm/fore200e.c                           |   14 +-
 drivers/atm/he.c                                 |   18 +-
 drivers/atm/horizon.c                            |    4 +-
 drivers/atm/idt77252.c                           |   36 +-
 drivers/atm/iphase.c                             |   34 +-
 drivers/atm/lanai.c                              |   12 +-
 drivers/atm/nicstar.c                            |   46 +-
 drivers/atm/solos-pci.c                          |    4 +-
 drivers/atm/suni.c                               |    4 +-
 drivers/atm/uPD98402.c                           |   16 +-
 drivers/atm/zatm.c                               |    6 +-
 drivers/base/bus.c                               |    4 +-
 drivers/base/devtmpfs.c                          |    2 +-
 drivers/base/node.c                              |    2 +-
 drivers/base/power/domain.c                      |    4 +-
 drivers/base/power/wakeup.c                      |    8 +-
 drivers/base/syscore.c                           |    4 +-
 drivers/block/cciss.c                            |   28 +-
 drivers/block/cciss.h                            |    2 +-
 drivers/block/cpqarray.c                         |   28 +-
 drivers/block/cpqarray.h                         |    2 +-
 drivers/block/drbd/drbd_int.h                    |    6 +-
 drivers/block/drbd/drbd_main.c                   |    8 +-
 drivers/block/drbd/drbd_receiver.c               |   22 +-
 drivers/block/loop.c                             |    2 +-
 drivers/block/pktcdvd.c                          |    2 +-
 drivers/cdrom/cdrom.c                            |    9 +-
 drivers/cdrom/gdrom.c                            |    1 -
 drivers/char/agp/frontend.c                      |    2 +-
 drivers/char/hpet.c                              |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c              |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                 |    8 +-
 drivers/char/mem.c                               |   41 +-
 drivers/char/nvram.c                             |    2 +-
 drivers/char/pcmcia/synclink_cs.c                |   18 +-
 drivers/char/random.c                            |   10 +-
 drivers/char/sonypi.c                            |    9 +-
 drivers/char/tpm/tpm_acpi.c                      |    3 +-
 drivers/char/tpm/tpm_eventlog.c                  |    7 +-
 drivers/char/virtio_console.c                    |    4 +-
 drivers/clocksource/arm_arch_timer.c             |    2 +-
 drivers/clocksource/metag_generic.c              |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                   |   20 +-
 drivers/cpufreq/cpufreq.c                        |    9 +-
 drivers/cpufreq/cpufreq_governor.c               |    4 +-
 drivers/cpufreq/cpufreq_governor.h               |    2 +-
 drivers/cpufreq/cpufreq_stats.c                  |    2 +-
 drivers/cpufreq/p4-clockmod.c                    |   12 +-
 drivers/cpufreq/speedstep-centrino.c             |    7 +-
 drivers/cpuidle/cpuidle.c                        |    2 +-
 drivers/cpuidle/governor.c                       |    4 +-
 drivers/cpuidle/sysfs.c                          |    2 +-
 drivers/devfreq/devfreq.c                        |    4 +-
 drivers/dma/sh/shdma.c                           |    2 +-
 drivers/edac/edac_mc_sysfs.c                     |   12 +-
 drivers/edac/edac_pci_sysfs.c                    |   22 +-
 drivers/edac/mce_amd.h                           |    2 +-
 drivers/firewire/core-card.c                     |    2 +-
 drivers/firewire/core-cdev.c                     |    3 +-
 drivers/firewire/core-device.c                   |    2 +-
 drivers/firewire/core-transaction.c              |    1 +
 drivers/firewire/core.h                          |    1 +
 drivers/firmware/dmi-id.c                        |    2 +-
 drivers/firmware/dmi_scan.c                      |    7 +-
 drivers/firmware/efivars.c                       |    4 +-
 drivers/firmware/google/memconsole.c             |    4 +-
 drivers/gpio/gpio-ich.c                          |    2 +-
 drivers/gpio/gpio-vr41xx.c                       |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                |    2 +-
 drivers/gpu/drm/drm_drv.c                        |    6 +-
 drivers/gpu/drm/drm_fops.c                       |   18 +-
 drivers/gpu/drm/drm_global.c                     |   14 +-
 drivers/gpu/drm/drm_info.c                       |   14 +-
 drivers/gpu/drm/drm_ioc32.c                      |   13 +-
 drivers/gpu/drm/drm_ioctl.c                      |    2 +-
 drivers/gpu/drm/drm_lock.c                       |    4 +-
 drivers/gpu/drm/drm_stub.c                       |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                  |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c              |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                  |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c       |    6 +-
 drivers/gpu/drm/i915/i915_ioc32.c                |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                  |   22 +-
 drivers/gpu/drm/i915/intel_display.c             |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                    |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                  |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                    |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c           |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c            |    4 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c          |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c            |    2 +-
 drivers/gpu/drm/r128/r128_cce.c                  |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                  |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                  |    4 +-
 drivers/gpu/drm/r128/r128_state.c                |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c           |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h              |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c            |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c              |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c            |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c              |   37 +-
 drivers/gpu/drm/radeon/rs690.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c             |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                     |    1 -
 drivers/gpu/drm/via/via_drv.h                    |    4 +-
 drivers/gpu/drm/via/via_irq.c                    |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h              |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c             |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c           |    2 +-
 drivers/hid/hid-core.c                           |    4 +-
 drivers/hv/channel.c                             |    4 +-
 drivers/hv/hv.c                                  |    2 +-
 drivers/hv/hyperv_vmbus.h                        |    2 +-
 drivers/hv/vmbus_drv.c                           |    4 +-
 drivers/hwmon/acpi_power_meter.c                 |    4 +-
 drivers/hwmon/applesmc.c                         |    2 +-
 drivers/hwmon/asus_atk0110.c                     |   10 +-
 drivers/hwmon/coretemp.c                         |    2 +-
 drivers/hwmon/ibmaem.c                           |    2 +-
 drivers/hwmon/sht15.c                            |   12 +-
 drivers/hwmon/via-cputemp.c                      |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c            |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c           |    2 +-
 drivers/ide/ide-cd.c                             |    2 +-
 drivers/iio/industrialio-core.c                  |    2 +-
 drivers/infiniband/core/cm.c                     |   32 +-
 drivers/infiniband/core/fmr_pool.c               |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c           |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c          |    6 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c          |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c           |    2 +-
 drivers/infiniband/hw/nes/nes.c                  |    4 +-
 drivers/infiniband/hw/nes/nes.h                  |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c               |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c              |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c              |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c            |   10 +-
 drivers/infiniband/hw/qib/qib.h                  |    1 +
 drivers/input/gameport/gameport.c                |    4 +-
 drivers/input/input.c                            |    4 +-
 drivers/input/joystick/sidewinder.c              |    1 +
 drivers/input/joystick/xpad.c                    |    4 +-
 drivers/input/mouse/psmouse.h                    |    2 +-
 drivers/input/mousedev.c                         |    2 +-
 drivers/input/serio/serio.c                      |    4 +-
 drivers/iommu/iommu.c                            |    2 +-
 drivers/iommu/irq_remapping.c                    |   10 +-
 drivers/irqchip/irq-gic.c                        |    4 +-
 drivers/isdn/capi/capi.c                         |   10 +-
 drivers/isdn/gigaset/interface.c                 |    8 +-
 drivers/isdn/hardware/avm/b1.c                   |    4 +-
 drivers/isdn/i4l/isdn_tty.c                      |   22 +-
 drivers/isdn/icn/icn.c                           |    2 +-
 drivers/leds/leds-clevo-mail.c                   |    2 +-
 drivers/leds/leds-ss4200.c                       |    2 +-
 drivers/lguest/core.c                            |   10 +-
 drivers/lguest/page_tables.c                     |    2 +-
 drivers/lguest/x86/core.c                        |   12 +-
 drivers/lguest/x86/switcher_32.S                 |   27 +-
 drivers/md/bitmap.c                              |    2 +-
 drivers/md/dm-ioctl.c                            |    2 +-
 drivers/md/dm-raid1.c                            |   16 +-
 drivers/md/dm-stripe.c                           |   10 +-
 drivers/md/dm-table.c                            |    2 +-
 drivers/md/dm-thin-metadata.c                    |    4 +-
 drivers/md/dm.c                                  |   16 +-
 drivers/md/md.c                                  |   26 +-
 drivers/md/md.h                                  |    6 +-
 drivers/md/persistent-data/dm-space-map.h        |    1 +
 drivers/md/raid1.c                               |    4 +-
 drivers/md/raid10.c                              |   16 +-
 drivers/md/raid5.c                               |   10 +-
 drivers/media/dvb-core/dvbdev.c                  |    2 +-
 drivers/media/dvb-frontends/dib3000.h            |    2 +-
 drivers/media/pci/cx88/cx88-video.c              |    6 +-
 drivers/media/platform/omap/omap_vout.c          |   11 +-
 drivers/media/platform/s5p-tv/mixer.h            |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c  |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c        |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c      |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c   |    2 +-
 drivers/media/radio/radio-cadet.c                |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c               |    2 +-
 drivers/media/v4l2-core/v4l2-ioctl.c             |    5 +-
 drivers/message/fusion/mptsas.c                  |   34 +-
 drivers/message/fusion/mptscsih.c                |   19 +-
 drivers/message/i2o/i2o_proc.c                   |   51 +-
 drivers/message/i2o/iop.c                        |    8 +-
 drivers/mfd/janz-cmodio.c                        |    1 +
 drivers/mfd/twl4030-irq.c                        |    9 +-
 drivers/mfd/twl6030-irq.c                        |   10 +-
 drivers/misc/c2port/core.c                       |    4 +-
 drivers/misc/kgdbts.c                            |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c               |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h               |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                 |    8 +-
 drivers/misc/sgi-gru/grutables.h                 |  154 +-
 drivers/misc/sgi-xp/xp.h                         |    2 +-
 drivers/misc/sgi-xp/xpc.h                        |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                   |    4 +-
 drivers/mmc/core/mmc_ops.c                       |    2 +-
 drivers/mmc/host/dw_mmc.h                        |    2 +-
 drivers/mmc/host/sdhci-s3c.c                     |    8 +-
 drivers/mtd/devices/doc2000.c                    |    2 +-
 drivers/mtd/nand/denali.c                        |    1 +
 drivers/mtd/nftlmount.c                          |    1 +
 drivers/mtd/sm_ftl.c                             |    2 +-
 drivers/net/bonding/bond_main.c                  |    2 +-
 drivers/net/ethernet/8390/ax88796.c              |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h  |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c   |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h   |    3 +-
 drivers/net/ethernet/broadcom/tg3.h              |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h         |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c           |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c      |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c         |    2 +
 drivers/net/ethernet/faraday/ftmac100.c          |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c     |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c |    7 +-
 drivers/net/ethernet/realtek/r8169.c             |    8 +-
 drivers/net/ethernet/sfc/ptp.c                   |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c   |    4 +-
 drivers/net/hyperv/hyperv_net.h                  |    2 +-
 drivers/net/hyperv/rndis_filter.c                |    4 +-
 drivers/net/ieee802154/fakehard.c                |    2 +-
 drivers/net/macvlan.c                            |   18 +-
 drivers/net/macvtap.c                            |    2 +-
 drivers/net/ppp/ppp_generic.c                    |    4 +-
 drivers/net/slip/slhc.c                          |    2 +-
 drivers/net/team/team.c                          |    2 +-
 drivers/net/tun.c                                |    5 +-
 drivers/net/usb/hso.c                            |   23 +-
 drivers/net/vxlan.c                              |    2 +-
 drivers/net/wireless/at76c50x-usb.c              |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c      |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c      |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h              |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c         |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c       |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c        |    4 +-
 drivers/net/wireless/mac80211_hwsim.c            |   32 +-
 drivers/net/wireless/rndis_wlan.c                |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h             |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c        |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c            |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c            |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c            |    6 +-
 drivers/oprofile/buffer_sync.c                   |    8 +-
 drivers/oprofile/event_buffer.c                  |    2 +-
 drivers/oprofile/oprof.c                         |    2 +-
 drivers/oprofile/oprofile_files.c                |    2 +-
 drivers/oprofile/oprofile_stats.c                |   10 +-
 drivers/oprofile/oprofile_stats.h                |   10 +-
 drivers/oprofile/oprofilefs.c                    |    2 +-
 drivers/oprofile/timer_int.c                     |    2 +-
 drivers/parport/procfs.c                         |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c             |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c              |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c               |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c           |    6 +-
 drivers/pci/hotplug/pciehp_core.c                |    2 +-
 drivers/pci/pci-sysfs.c                          |    6 +-
 drivers/pci/pci.h                                |    2 +-
 drivers/pci/pcie/aspm.c                          |    6 +-
 drivers/pci/probe.c                              |    2 +-
 drivers/platform/x86/msi-laptop.c                |   14 +-
 drivers/platform/x86/sony-laptop.c               |    2 +-
 drivers/platform/x86/thinkpad_acpi.c             |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                  |   14 +-
 drivers/pnp/resource.c                           |    4 +-
 drivers/power/pda_power.c                        |    7 +-
 drivers/power/power_supply.h                     |    4 +-
 drivers/power/power_supply_core.c                |    7 +-
 drivers/power/power_supply_sysfs.c               |    6 +-
 drivers/regulator/max8660.c                      |    6 +-
 drivers/regulator/max8973-regulator.c            |    8 +-
 drivers/regulator/mc13892-regulator.c            |    6 +-
 drivers/rtc/rtc-cmos.c                           |    4 +-
 drivers/rtc/rtc-ds1307.c                         |    2 +-
 drivers/rtc/rtc-m48t59.c                         |    4 +-
 drivers/scsi/bfa/bfa_fcpim.h                     |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                       |    4 +-
 drivers/scsi/hosts.c                             |    4 +-
 drivers/scsi/hpsa.c                              |   30 +-
 drivers/scsi/hpsa.h                              |    2 +-
 drivers/scsi/libfc/fc_exch.c                     |   50 +-
 drivers/scsi/libsas/sas_ata.c                    |    2 +-
 drivers/scsi/lpfc/lpfc.h                         |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                 |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                    |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                    |   16 +-
 drivers/scsi/pmcraid.c                           |   20 +-
 drivers/scsi/pmcraid.h                           |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                  |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                   |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                    |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                   |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                    |    6 +-
 drivers/scsi/scsi.c                              |    2 +-
 drivers/scsi/scsi_lib.c                          |    6 +-
 drivers/scsi/scsi_sysfs.c                        |    2 +-
 drivers/scsi/scsi_tgt_lib.c                      |    2 +-
 drivers/scsi/scsi_transport_fc.c                 |    8 +-
 drivers/scsi/scsi_transport_iscsi.c              |    6 +-
 drivers/scsi/scsi_transport_srp.c                |    6 +-
 drivers/scsi/sd.c                                |    2 +-
 drivers/scsi/sg.c                                |    2 +-
 drivers/spi/spi.c                                |    2 +-
 drivers/staging/iio/iio_hwmon.c                  |    2 +-
 drivers/staging/octeon/ethernet-rx.c             |   12 +-
 drivers/staging/octeon/ethernet.c                |    8 +-
 drivers/staging/rtl8712/rtl871x_io.h             |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c               |    2 +-
 drivers/staging/usbip/vhci.h                     |    2 +-
 drivers/staging/usbip/vhci_hcd.c                 |    6 +-
 drivers/staging/usbip/vhci_rx.c                  |    2 +-
 drivers/staging/vt6655/hostap.c                  |    7 +-
 drivers/staging/vt6656/hostap.c                  |    7 +-
 drivers/staging/zcache/tmem.c                    |    4 +-
 drivers/staging/zcache/tmem.h                    |    2 +
 drivers/target/target_core_device.c              |    2 +-
 drivers/target/target_core_transport.c           |    2 +-
 drivers/tty/cyclades.c                           |    6 +-
 drivers/tty/hvc/hvc_console.c                    |   14 +-
 drivers/tty/hvc/hvcs.c                           |   21 +-
 drivers/tty/ipwireless/tty.c                     |   27 +-
 drivers/tty/moxa.c                               |    2 +-
 drivers/tty/n_gsm.c                              |    4 +-
 drivers/tty/n_tty.c                              |    3 +-
 drivers/tty/pty.c                                |    4 +-
 drivers/tty/rocket.c                             |    6 +-
 drivers/tty/serial/kgdboc.c                      |   32 +-
 drivers/tty/serial/samsung.c                     |    9 +-
 drivers/tty/serial/serial_core.c                 |    8 +-
 drivers/tty/synclink.c                           |   34 +-
 drivers/tty/synclink_gt.c                        |   28 +-
 drivers/tty/synclinkmp.c                         |   34 +-
 drivers/tty/tty_io.c                             |    2 +-
 drivers/tty/tty_ldisc.c                          |   10 +-
 drivers/tty/tty_port.c                           |   22 +-
 drivers/uio/uio.c                                |   21 +-
 drivers/usb/atm/cxacru.c                         |    2 +-
 drivers/usb/atm/usbatm.c                         |   24 +-
 drivers/usb/core/devices.c                       |    6 +-
 drivers/usb/core/hcd.c                           |    4 +-
 drivers/usb/core/message.c                       |    2 +-
 drivers/usb/core/sysfs.c                         |    2 +-
 drivers/usb/core/usb.c                           |    2 +-
 drivers/usb/early/ehci-dbgp.c                    |   16 +-
 drivers/usb/gadget/u_serial.c                    |   22 +-
 drivers/usb/serial/console.c                     |    6 +-
 drivers/usb/storage/usb.h                        |    2 +-
 drivers/usb/wusbcore/wa-hc.h                     |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                   |    2 +-
 drivers/video/aty/aty128fb.c                     |    2 +-
 drivers/video/aty/atyfb_base.c                   |    8 +-
 drivers/video/aty/mach64_cursor.c                |    5 +-
 drivers/video/backlight/kb3886_bl.c              |    2 +-
 drivers/video/fb_defio.c                         |    6 +-
 drivers/video/fbcmap.c                           |    3 +-
 drivers/video/fbmem.c                            |    6 +-
 drivers/video/i810/i810_accel.c                  |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c          |   16 +-
 drivers/video/nvidia/nvidia.c                    |   27 +-
 drivers/video/s1d13xxxfb.c                       |    6 +-
 drivers/video/smscufx.c                          |    4 +-
 drivers/video/udlfb.c                            |   36 +-
 drivers/video/uvesafb.c                          |   53 +-
 drivers/video/vesafb.c                           |   58 +-
 drivers/video/via/via_clock.h                    |    2 +-
 fs/9p/vfs_inode.c                                |    2 +-
 fs/Kconfig.binfmt                                |    2 +-
 fs/aio.c                                         |   11 +-
 fs/autofs4/waitq.c                               |    2 +-
 fs/befs/endian.h                                 |    4 +-
 fs/befs/linuxvfs.c                               |    2 +-
 fs/binfmt_aout.c                                 |   23 +-
 fs/binfmt_elf.c                                  |  605 +++-
 fs/binfmt_flat.c                                 |    6 +
 fs/bio.c                                         |    6 +-
 fs/block_dev.c                                   |    2 +-
 fs/btrfs/ctree.c                                 |    9 +-
 fs/btrfs/super.c                                 |    2 +-
 fs/cachefiles/bind.c                             |    6 +-
 fs/cachefiles/daemon.c                           |    8 +-
 fs/cachefiles/internal.h                         |   12 +-
 fs/cachefiles/namei.c                            |    2 +-
 fs/cachefiles/proc.c                             |   12 +-
 fs/cachefiles/rdwr.c                             |    2 +-
 fs/ceph/dir.c                                    |    2 +-
 fs/cifs/cifs_debug.c                             |   12 +-
 fs/cifs/cifsfs.c                                 |    8 +-
 fs/cifs/cifsglob.h                               |   54 +-
 fs/cifs/link.c                                   |    2 +-
 fs/cifs/misc.c                                   |    4 +-
 fs/cifs/smb1ops.c                                |   80 +-
 fs/cifs/smb2ops.c                                |   84 +-
 fs/cifs/smb2pdu.c                                |    3 +-
 fs/coda/cache.c                                  |   10 +-
 fs/compat.c                                      |    6 +-
 fs/compat_binfmt_elf.c                           |    2 +
 fs/compat_ioctl.c                                |    8 +-
 fs/configfs/dir.c                                |   10 +-
 fs/coredump.c                                    |   24 +-
 fs/dcache.c                                      |    2 +-
 fs/ecryptfs/inode.c                              |    4 +-
 fs/ecryptfs/miscdev.c                            |    2 +-
 fs/ecryptfs/read_write.c                         |    2 +-
 fs/exec.c                                        |  362 ++-
 fs/ext4/ext4.h                                   |   20 +-
 fs/ext4/mballoc.c                                |   44 +-
 fs/ext4/super.c                                  |    2 +-
 fs/fhandle.c                                     |    3 +-
 fs/fifo.c                                        |   22 +-
 fs/fs_struct.c                                   |    8 +-
 fs/fscache/cookie.c                              |   36 +-
 fs/fscache/internal.h                            |  196 +-
 fs/fscache/object.c                              |   28 +-
 fs/fscache/operation.c                           |   30 +-
 fs/fscache/page.c                                |  110 +-
 fs/fscache/stats.c                               |  344 +-
 fs/fuse/cuse.c                                   |   10 +-
 fs/fuse/dev.c                                    |    2 +-
 fs/fuse/dir.c                                    |    2 +-
 fs/gfs2/inode.c                                  |    2 +-
 fs/hugetlbfs/inode.c                             |   13 +-
 fs/inode.c                                       |    4 +-
 fs/jffs2/erase.c                                 |    3 +-
 fs/jffs2/wbuf.c                                  |    3 +-
 fs/jfs/super.c                                   |    6 +-
 fs/libfs.c                                       |   10 +-
 fs/lockd/clntproc.c                              |    4 +-
 fs/locks.c                                       |    8 +-
 fs/namei.c                                       |   15 +-
 fs/namespace.c                                   |    2 +-
 fs/nfs/callback_xdr.c                            |    2 +-
 fs/nfs/inode.c                                   |    6 +-
 fs/nfsd/nfs4proc.c                               |    2 +-
 fs/nfsd/nfs4xdr.c                                |    6 +-
 fs/nfsd/nfscache.c                               |    8 +-
 fs/nfsd/vfs.c                                    |    6 +-
 fs/nls/nls_base.c                                |   18 +-
 fs/nls/nls_euc-jp.c                              |    6 +-
 fs/nls/nls_koi8-ru.c                             |    6 +-
 fs/notify/fanotify/fanotify_user.c               |    4 +-
 fs/notify/notification.c                         |    4 +-
 fs/ntfs/dir.c                                    |    2 +-
 fs/ntfs/file.c                                   |    4 +-
 fs/ocfs2/localalloc.c                            |    2 +-
 fs/ocfs2/ocfs2.h                                 |   10 +-
 fs/ocfs2/suballoc.c                              |   12 +-
 fs/ocfs2/super.c                                 |   20 +-
 fs/pipe.c                                        |   33 +-
 fs/proc/array.c                                  |   20 +
 fs/proc/base.c                                   |    4 +-
 fs/proc/kcore.c                                  |   32 +-
 fs/proc/meminfo.c                                |    2 +-
 fs/proc/nommu.c                                  |    2 +-
 fs/proc/proc_sysctl.c                            |   18 +-
 fs/proc/self.c                                   |    2 +-
 fs/proc/task_mmu.c                               |   39 +-
 fs/proc/task_nommu.c                             |    4 +-
 fs/qnx6/qnx6.h                                   |    4 +-
 fs/quota/netlink.c                               |    4 +-
 fs/readdir.c                                     |    2 +-
 fs/reiserfs/do_balan.c                           |    2 +-
 fs/reiserfs/procfs.c                             |    2 +-
 fs/reiserfs/reiserfs.h                           |    4 +-
 fs/seq_file.c                                    |    2 +-
 fs/splice.c                                      |   36 +-
 fs/sysfs/bin.c                                   |    6 +-
 fs/sysfs/dir.c                                   |    2 +-
 fs/sysfs/file.c                                  |   10 +-
 fs/sysfs/symlink.c                               |    2 +-
 fs/sysv/sysv.h                                   |    2 +-
 fs/ubifs/io.c                                    |    2 +-
 fs/udf/misc.c                                    |    2 +-
 fs/ufs/swab.h                                    |    4 +-
 fs/xattr.c                                       |   21 +
 fs/xattr_acl.c                                   |    4 +-
 fs/xfs/xfs_bmap.c                                |    2 +-
 fs/xfs/xfs_dir2_sf.c                             |   10 +-
 fs/xfs/xfs_ioctl.c                               |    2 +-
 fs/xfs/xfs_iops.c                                |    2 +-
 include/asm-generic/4level-fixup.h               |    2 +
 include/asm-generic/atomic-long.h                |  210 +
 include/asm-generic/atomic.h                     |    2 +-
 include/asm-generic/atomic64.h                   |   12 +
 include/asm-generic/cache.h                      |    4 +-
 include/asm-generic/emergency-restart.h          |    2 +-
 include/asm-generic/kmap_types.h                 |    4 +-
 include/asm-generic/local.h                      |   13 +
 include/asm-generic/pgtable-nopmd.h              |   18 +-
 include/asm-generic/pgtable-nopud.h              |   15 +-
 include/asm-generic/pgtable.h                    |    8 +
 include/asm-generic/vmlinux.lds.h                |   10 +-
 include/crypto/algapi.h                          |    2 +-
 include/drm/drmP.h                               |   17 +-
 include/drm/drm_crtc_helper.h                    |    2 +-
 include/drm/ttm/ttm_memory.h                     |    2 +-
 include/keys/asymmetric-subtype.h                |    2 +-
 include/linux/atmdev.h                           |    4 +-
 include/linux/binfmts.h                          |    3 +-
 include/linux/blkdev.h                           |    2 +-
 include/linux/blktrace_api.h                     |    2 +-
 include/linux/cache.h                            |    4 +
 include/linux/cdrom.h                            |    1 -
 include/linux/cleancache.h                       |    2 +-
 include/linux/compat.h                           |    6 +-
 include/linux/compiler-gcc4.h                    |   20 +
 include/linux/compiler.h                         |   65 +-
 include/linux/completion.h                       |    6 +-
 include/linux/configfs.h                         |    2 +-
 include/linux/cpu.h                              |    2 +-
 include/linux/cpufreq.h                          |    3 +-
 include/linux/cpuidle.h                          |    5 +-
 include/linux/cpumask.h                          |   12 +-
 include/linux/crypto.h                           |    6 +-
 include/linux/ctype.h                            |    2 +-
 include/linux/decompress/mm.h                    |    2 +-
 include/linux/devfreq.h                          |    2 +-
 include/linux/device.h                           |    7 +-
 include/linux/dma-mapping.h                      |    2 +-
 include/linux/dmaengine.h                        |    4 +-
 include/linux/efi.h                              |    1 +
 include/linux/elf.h                              |    2 +
 include/linux/err.h                              |    4 +-
 include/linux/extcon.h                           |    2 +-
 include/linux/fb.h                               |    2 +-
 include/linux/filter.h                           |    4 +
 include/linux/frontswap.h                        |    2 +-
 include/linux/fs.h                               |    3 +-
 include/linux/fs_struct.h                        |    2 +-
 include/linux/fscache-cache.h                    |    4 +-
 include/linux/fscache.h                          |    2 +-
 include/linux/fsnotify.h                         |    2 +-
 include/linux/ftrace_event.h                     |    2 +-
 include/linux/genhd.h                            |    2 +-
 include/linux/genl_magic_func.h                  |    2 +-
 include/linux/gfp.h                              |   12 +-
 include/linux/highmem.h                          |   12 +
 include/linux/hwmon-sysfs.h                      |    5 +-
 include/linux/i2c.h                              |    1 +
 include/linux/i2o.h                              |    2 +-
 include/linux/if_pppox.h                         |    2 +-
 include/linux/init.h                             |   33 +-
 include/linux/init_task.h                        |    7 +
 include/linux/interrupt.h                        |    8 +-
 include/linux/iommu.h                            |    2 +-
 include/linux/ioport.h                           |    2 +-
 include/linux/irq.h                              |    3 +-
 include/linux/irqchip/arm-gic.h                  |    2 +-
 include/linux/key-type.h                         |    2 +-
 include/linux/kgdb.h                             |    6 +-
 include/linux/kobject.h                          |    3 +-
 include/linux/kobject_ns.h                       |    2 +-
 include/linux/kref.h                             |    2 +-
 include/linux/kvm_host.h                         |    4 +-
 include/linux/libata.h                           |    2 +-
 include/linux/list.h                             |   15 +
 include/linux/math64.h                           |    6 +-
 include/linux/mm.h                               |  110 +-
 include/linux/mm_types.h                         |   20 +
 include/linux/mmiotrace.h                        |    4 +-
 include/linux/mmzone.h                           |    2 +-
 include/linux/mod_devicetable.h                  |    6 +-
 include/linux/module.h                           |   60 +-
 include/linux/moduleloader.h                     |   16 +
 include/linux/moduleparam.h                      |    4 +-
 include/linux/namei.h                            |    6 +-
 include/linux/net.h                              |    2 +-
 include/linux/netdevice.h                        |    3 +-
 include/linux/netfilter.h                        |    2 +-
 include/linux/netfilter/ipset/ip_set.h           |    2 +-
 include/linux/netfilter/nfnetlink.h              |    2 +-
 include/linux/nls.h                              |    2 +-
 include/linux/notifier.h                         |    3 +-
 include/linux/oprofile.h                         |    4 +-
 include/linux/pci_hotplug.h                      |    3 +-
 include/linux/perf_event.h                       |   12 +-
 include/linux/pipe_fs_i.h                        |    6 +-
 include/linux/platform_data/usb-ehci-s5p.h       |    2 +-
 include/linux/platform_data/usb-exynos.h         |    2 +-
 include/linux/pm_domain.h                        |    2 +-
 include/linux/pm_runtime.h                       |    2 +-
 include/linux/pnp.h                              |    2 +-
 include/linux/poison.h                           |    4 +-
 include/linux/power/smartreflex.h                |    2 +-
 include/linux/ppp-comp.h                         |    2 +-
 include/linux/proc_fs.h                          |    2 +-
 include/linux/random.h                           |    5 +
 include/linux/rculist.h                          |   16 +
 include/linux/reboot.h                           |   14 +-
 include/linux/regset.h                           |    3 +-
 include/linux/relay.h                            |    2 +-
 include/linux/rio.h                              |    2 +-
 include/linux/rmap.h                             |    4 +-
 include/linux/sched.h                            |   67 +-
 include/linux/sched/sysctl.h                     |    1 +
 include/linux/seq_file.h                         |    1 +
 include/linux/skbuff.h                           |   12 +-
 include/linux/slab.h                             |   36 +-
 include/linux/slab_def.h                         |   33 +-
 include/linux/slob_def.h                         |    4 +-
 include/linux/slub_def.h                         |   10 +-
 include/linux/sock_diag.h                        |    2 +-
 include/linux/sonet.h                            |    2 +-
 include/linux/sunrpc/addr.h                      |    8 +-
 include/linux/sunrpc/clnt.h                      |    2 +-
 include/linux/sunrpc/svc.h                       |    2 +-
 include/linux/sunrpc/svc_rdma.h                  |   18 +-
 include/linux/sunrpc/svcauth.h                   |    2 +-
 include/linux/swiotlb.h                          |    3 +-
 include/linux/syscalls.h                         |    2 +-
 include/linux/syscore_ops.h                      |    2 +-
 include/linux/sysctl.h                           |    6 +-
 include/linux/sysfs.h                            |   10 +-
 include/linux/sysrq.h                            |    3 +-
 include/linux/thread_info.h                      |    7 +
 include/linux/tty.h                              |    4 +-
 include/linux/tty_driver.h                       |    2 +-
 include/linux/tty_ldisc.h                        |    2 +-
 include/linux/types.h                            |   16 +
 include/linux/uaccess.h                          |    6 +-
 include/linux/unaligned/access_ok.h              |   24 +-
 include/linux/usb.h                              |    4 +-
 include/linux/usb/renesas_usbhs.h                |    2 +-
 include/linux/vermagic.h                         |   21 +-
 include/linux/vmalloc.h                          |   11 +-
 include/linux/vmstat.h                           |   20 +-
 include/linux/xattr.h                            |    5 +-
 include/linux/zlib.h                             |    3 +-
 include/media/v4l2-dev.h                         |    2 +-
 include/media/v4l2-ioctl.h                       |    1 -
 include/net/9p/transport.h                       |    2 +-
 include/net/bluetooth/l2cap.h                    |    2 +-
 include/net/caif/cfctrl.h                        |    6 +-
 include/net/flow.h                               |    2 +-
 include/net/genetlink.h                          |    2 +-
 include/net/gro_cells.h                          |    2 +-
 include/net/inet_connection_sock.h               |    2 +-
 include/net/inetpeer.h                           |    8 +-
 include/net/ip.h                                 |    2 +-
 include/net/ip_fib.h                             |    2 +-
 include/net/ip_vs.h                              |    8 +-
 include/net/irda/ircomm_tty.h                    |    1 +
 include/net/iucv/af_iucv.h                       |    2 +-
 include/net/llc_c_ac.h                           |    2 +-
 include/net/llc_c_ev.h                           |    4 +-
 include/net/llc_c_st.h                           |    2 +-
 include/net/llc_s_ac.h                           |    2 +-
 include/net/llc_s_st.h                           |    2 +-
 include/net/mac80211.h                           |    2 +-
 include/net/neighbour.h                          |    2 +-
 include/net/net_namespace.h                      |   12 +-
 include/net/netdma.h                             |    2 +-
 include/net/netlink.h                            |    2 +-
 include/net/netns/conntrack.h                    |    6 +-
 include/net/netns/ipv4.h                         |    2 +-
 include/net/protocol.h                           |    4 +-
 include/net/rtnetlink.h                          |    2 +-
 include/net/sctp/sctp.h                          |    6 +-
 include/net/sctp/sm.h                            |    4 +-
 include/net/sctp/structs.h                       |    2 +-
 include/net/sock.h                               |    6 +-
 include/net/tcp.h                                |    8 +-
 include/net/xfrm.h                               |    8 +-
 include/rdma/iw_cm.h                             |    2 +-
 include/scsi/libfc.h                             |    3 +-
 include/scsi/scsi_device.h                       |    6 +-
 include/scsi/scsi_transport_fc.h                 |    3 +-
 include/sound/soc.h                              |    4 +-
 include/target/target_core_base.h                |    2 +-
 include/trace/events/irq.h                       |    4 +-
 include/uapi/linux/a.out.h                       |    8 +
 include/uapi/linux/byteorder/little_endian.h     |   28 +-
 include/uapi/linux/elf.h                         |   28 +
 include/uapi/linux/screen_info.h                 |    3 +-
 include/uapi/linux/swab.h                        |    6 +-
 include/uapi/linux/sysctl.h                      |    6 +-
 include/uapi/linux/xattr.h                       |    4 +
 include/video/udlfb.h                            |    8 +-
 include/video/uvesafb.h                          |    1 +
 init/Kconfig                                     |    2 +-
 init/Makefile                                    |    3 +
 init/do_mounts.c                                 |   14 +-
 init/do_mounts.h                                 |    8 +-
 init/do_mounts_initrd.c                          |   22 +-
 init/do_mounts_md.c                              |    6 +-
 init/init_task.c                                 |    4 +
 init/initramfs.c                                 |   40 +-
 init/main.c                                      |   77 +-
 ipc/ipc_sysctl.c                                 |   10 +-
 ipc/mq_sysctl.c                                  |    2 +-
 ipc/msg.c                                        |   11 +-
 ipc/sem.c                                        |   11 +-
 ipc/shm.c                                        |   17 +-
 kernel/acct.c                                    |    2 +-
 kernel/audit.c                                   |    8 +-
 kernel/auditsc.c                                 |    4 +-
 kernel/capability.c                              |    3 +
 kernel/compat.c                                  |   40 +-
 kernel/debug/debug_core.c                        |   16 +-
 kernel/debug/kdb/kdb_main.c                      |    4 +-
 kernel/events/core.c                             |   28 +-
 kernel/exit.c                                    |    4 +-
 kernel/fork.c                                    |  167 +-
 kernel/futex.c                                   |    9 +
 kernel/futex_compat.c                            |    2 +-
 kernel/gcov/base.c                               |    7 +-
 kernel/hrtimer.c                                 |    4 +-
 kernel/irq_work.c                                |    7 +-
 kernel/jump_label.c                              |    5 +
 kernel/kallsyms.c                                |   39 +-
 kernel/kexec.c                                   |    3 +-
 kernel/kmod.c                                    |    4 +-
 kernel/kprobes.c                                 |    8 +-
 kernel/ksysfs.c                                  |    2 +-
 kernel/lockdep.c                                 |    7 +-
 kernel/module.c                                  |  337 +-
 kernel/mutex-debug.c                             |   12 +-
 kernel/mutex-debug.h                             |    4 +-
 kernel/mutex.c                                   |    7 +-
 kernel/notifier.c                                |   17 +-
 kernel/panic.c                                   |    3 +-
 kernel/pid.c                                     |    2 +-
 kernel/pid_namespace.c                           |    2 +-
 kernel/posix-cpu-timers.c                        |    4 +-
 kernel/posix-timers.c                            |   20 +-
 kernel/power/process.c                           |   12 +-
 kernel/profile.c                                 |   14 +-
 kernel/ptrace.c                                  |    8 +-
 kernel/rcupdate.c                                |    4 +-
 kernel/rcutiny.c                                 |    4 +-
 kernel/rcutiny_plugin.h                          |    2 +-
 kernel/rcutorture.c                              |   56 +-
 kernel/rcutree.c                                 |   68 +-
 kernel/rcutree.h                                 |   24 +-
 kernel/rcutree_plugin.h                          |   20 +-
 kernel/rcutree_trace.c                           |   22 +-
 kernel/rtmutex-tester.c                          |   24 +-
 kernel/sched/auto_group.c                        |    4 +-
 kernel/sched/core.c                              |   51 +-
 kernel/sched/fair.c                              |    4 +-
 kernel/signal.c                                  |   12 +-
 kernel/smp.c                                     |    2 +-
 kernel/smpboot.c                                 |    4 +-
 kernel/softirq.c                                 |   18 +-
 kernel/srcu.c                                    |    4 +-
 kernel/sys.c                                     |   10 +-
 kernel/sysctl.c                                  |   39 +-
 kernel/time.c                                    |    2 +-
 kernel/time/alarmtimer.c                         |    2 +-
 kernel/time/tick-broadcast.c                     |    2 +-
 kernel/time/timer_stats.c                        |   10 +-
 kernel/timer.c                                   |    6 +-
 kernel/trace/blktrace.c                          |    6 +-
 kernel/trace/ftrace.c                            |   20 +-
 kernel/trace/ring_buffer.c                       |   76 +-
 kernel/trace/trace.c                             |    8 +-
 kernel/trace/trace.h                             |    2 +-
 kernel/trace/trace_events.c                      |   25 +-
 kernel/trace/trace_mmiotrace.c                   |    8 +-
 kernel/trace/trace_output.c                      |   12 +-
 kernel/trace/trace_stack.c                       |    2 +-
 kernel/user_namespace.c                          |    2 +-
 kernel/utsname_sysctl.c                          |    2 +-
 kernel/watchdog.c                                |    2 +-
 lib/Kconfig.debug                                |    6 +-
 lib/Makefile                                     |    2 +-
 lib/bitmap.c                                     |    8 +-
 lib/bug.c                                        |    2 +
 lib/debugobjects.c                               |    2 +-
 lib/devres.c                                     |    4 +-
 lib/div64.c                                      |    4 +-
 lib/dma-debug.c                                  |    4 +-
 lib/inflate.c                                    |    2 +-
 lib/ioremap.c                                    |    4 +-
 lib/kobject.c                                    |    4 +-
 lib/list_debug.c                                 |  126 +-
 lib/radix-tree.c                                 |    2 +-
 lib/strncpy_from_user.c                          |    2 +-
 lib/strnlen_user.c                               |    2 +-
 lib/swiotlb.c                                    |    2 +-
 lib/vsprintf.c                                   |   12 +-
 mm/Kconfig                                       |    6 +-
 mm/filemap.c                                     |    2 +-
 mm/fremap.c                                      |    5 +
 mm/highmem.c                                     |    7 +-
 mm/hugetlb.c                                     |   70 +-
 mm/internal.h                                    |    1 +
 mm/maccess.c                                     |    4 +-
 mm/madvise.c                                     |   41 +
 mm/memory-failure.c                              |   26 +-
 mm/memory.c                                      |  424 ++-
 mm/mempolicy.c                                   |   26 +
 mm/mlock.c                                       |   16 +-
 mm/mmap.c                                        |  576 ++-
 mm/mprotect.c                                    |  139 +-
 mm/mremap.c                                      |   44 +-
 mm/nommu.c                                       |   21 +-
 mm/page-writeback.c                              |    4 +-
 mm/page_alloc.c                                  |   41 +-
 mm/percpu.c                                      |    2 +-
 mm/process_vm_access.c                           |   14 +-
 mm/rmap.c                                        |   38 +-
 mm/shmem.c                                       |   19 +-
 mm/slab.c                                        |  105 +-
 mm/slab.h                                        |    5 +-
 mm/slab_common.c                                 |   11 +-
 mm/slob.c                                        |  201 +-
 mm/slub.c                                        |   99 +-
 mm/sparse-vmemmap.c                              |    4 +-
 mm/sparse.c                                      |    2 +-
 mm/swap.c                                        |    3 +
 mm/swapfile.c                                    |   12 +-
 mm/util.c                                        |    6 +
 mm/vmalloc.c                                     |   82 +-
 mm/vmstat.c                                      |   12 +-
 net/8021q/vlan.c                                 |    5 +-
 net/9p/mod.c                                     |    4 +-
 net/9p/trans_fd.c                                |    2 +-
 net/atm/atm_misc.c                               |    8 +-
 net/atm/lec.h                                    |    2 +-
 net/atm/proc.c                                   |    6 +-
 net/atm/resources.c                              |    4 +-
 net/ax25/sysctl_net_ax25.c                       |    2 +-
 net/batman-adv/bat_iv_ogm.c                      |    8 +-
 net/batman-adv/hard-interface.c                  |    4 +-
 net/batman-adv/soft-interface.c                  |    4 +-
 net/batman-adv/types.h                           |    6 +-
 net/batman-adv/unicast.c                         |    2 +-
 net/bluetooth/hci_sock.c                         |    2 +-
 net/bluetooth/l2cap_core.c                       |    6 +-
 net/bluetooth/l2cap_sock.c                       |   12 +-
 net/bluetooth/rfcomm/sock.c                      |    4 +-
 net/bluetooth/rfcomm/tty.c                       |   10 +-
 net/bridge/netfilter/ebtables.c                  |    6 +-
 net/caif/cfctrl.c                                |   11 +-
 net/can/af_can.c                                 |    2 +-
 net/can/gw.c                                     |    6 +-
 net/compat.c                                     |   34 +-
 net/core/datagram.c                              |    2 +-
 net/core/dev.c                                   |   16 +-
 net/core/flow.c                                  |    8 +-
 net/core/iovec.c                                 |    4 +-
 net/core/neighbour.c                             |    2 +-
 net/core/net-sysfs.c                             |    2 +-
 net/core/net_namespace.c                         |    8 +-
 net/core/rtnetlink.c                             |   13 +-
 net/core/scm.c                                   |    8 +-
 net/core/sock.c                                  |   24 +-
 net/core/sock_diag.c                             |    9 +-
 net/core/sysctl_net_core.c                       |   18 +-
 net/decnet/af_decnet.c                           |    1 +
 net/decnet/sysctl_net_decnet.c                   |    4 +-
 net/ipv4/af_inet.c                               |    8 +-
 net/ipv4/ah4.c                                   |    2 +-
 net/ipv4/devinet.c                               |   14 +-
 net/ipv4/esp4.c                                  |    2 +-
 net/ipv4/fib_frontend.c                          |    6 +-
 net/ipv4/fib_semantics.c                         |    2 +-
 net/ipv4/inet_connection_sock.c                  |    2 +-
 net/ipv4/inetpeer.c                              |    4 +-
 net/ipv4/ip_fragment.c                           |   15 +-
 net/ipv4/ip_gre.c                                |    6 +-
 net/ipv4/ip_sockglue.c                           |    2 +-
 net/ipv4/ip_vti.c                                |    4 +-
 net/ipv4/ipcomp.c                                |    2 +-
 net/ipv4/ipconfig.c                              |    6 +-
 net/ipv4/ipip.c                                  |    4 +-
 net/ipv4/netfilter/arp_tables.c                  |   12 +-
 net/ipv4/netfilter/ip_tables.c                   |   12 +-
 net/ipv4/ping.c                                  |    2 +-
 net/ipv4/raw.c                                   |   14 +-
 net/ipv4/route.c                                 |   18 +-
 net/ipv4/sysctl_net_ipv4.c                       |   45 +-
 net/ipv4/tcp_input.c                             |    2 +-
 net/ipv4/tcp_probe.c                             |    2 +-
 net/ipv4/udp.c                                   |   10 +-
 net/ipv4/xfrm4_policy.c                          |   14 +-
 net/ipv6/addrconf.c                              |    6 +-
 net/ipv6/icmp.c                                  |    2 +-
 net/ipv6/ip6_gre.c                               |    8 +-
 net/ipv6/ip6_tunnel.c                            |    4 +-
 net/ipv6/ipv6_sockglue.c                         |    2 +-
 net/ipv6/netfilter/ip6_tables.c                  |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c          |   14 +-
 net/ipv6/raw.c                                   |   19 +-
 net/ipv6/reassembly.c                            |   13 +-
 net/ipv6/route.c                                 |    2 +-
 net/ipv6/sit.c                                   |    4 +-
 net/ipv6/sysctl_net_ipv6.c                       |    2 +-
 net/ipv6/udp.c                                   |    8 +-
 net/ipv6/xfrm6_policy.c                          |   13 +-
 net/irda/ircomm/ircomm_tty.c                     |   18 +-
 net/iucv/af_iucv.c                               |    4 +-
 net/iucv/iucv.c                                  |    2 +-
 net/key/af_key.c                                 |    4 +-
 net/mac80211/cfg.c                               |    8 +-
 net/mac80211/ieee80211_i.h                       |    3 +-
 net/mac80211/iface.c                             |   14 +-
 net/mac80211/main.c                              |    2 +-
 net/mac80211/pm.c                                |    6 +-
 net/mac80211/rate.c                              |    2 +-
 net/mac80211/rc80211_pid_debugfs.c               |    2 +-
 net/mac80211/util.c                              |    2 +-
 net/netfilter/ipset/ip_set_core.c                |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                  |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                   |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                 |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                  |    4 +-
 net/netfilter/nf_conntrack_acct.c                |    2 +-
 net/netfilter/nf_conntrack_ecache.c              |    2 +-
 net/netfilter/nf_conntrack_helper.c              |    2 +-
 net/netfilter/nf_conntrack_proto.c               |    2 +-
 net/netfilter/nf_conntrack_standalone.c          |    2 +-
 net/netfilter/nf_conntrack_timestamp.c           |    2 +-
 net/netfilter/nf_log.c                           |   10 +-
 net/netfilter/nf_sockopt.c                       |    4 +-
 net/netfilter/nfnetlink_log.c                    |    4 +-
 net/netfilter/xt_statistic.c                     |    8 +-
 net/netlink/af_netlink.c                         |    4 +-
 net/netlink/genetlink.c                          |   16 +-
 net/packet/af_packet.c                           |   12 +-
 net/phonet/pep.c                                 |    6 +-
 net/phonet/socket.c                              |    2 +-
 net/phonet/sysctl.c                              |    2 +-
 net/rds/cong.c                                   |    6 +-
 net/rds/ib.h                                     |    2 +-
 net/rds/ib_cm.c                                  |    2 +-
 net/rds/ib_recv.c                                |    4 +-
 net/rds/iw.h                                     |    2 +-
 net/rds/iw_cm.c                                  |    2 +-
 net/rds/iw_recv.c                                |    4 +-
 net/rds/rds.h                                    |    2 +-
 net/rds/tcp.c                                    |    2 +-
 net/rds/tcp_send.c                               |    2 +-
 net/rxrpc/af_rxrpc.c                             |    2 +-
 net/rxrpc/ar-ack.c                               |   14 +-
 net/rxrpc/ar-call.c                              |    2 +-
 net/rxrpc/ar-connection.c                        |    2 +-
 net/rxrpc/ar-connevent.c                         |    2 +-
 net/rxrpc/ar-input.c                             |    4 +-
 net/rxrpc/ar-internal.h                          |    8 +-
 net/rxrpc/ar-local.c                             |    2 +-
 net/rxrpc/ar-output.c                            |    4 +-
 net/rxrpc/ar-peer.c                              |    2 +-
 net/rxrpc/ar-proc.c                              |    4 +-
 net/rxrpc/ar-transport.c                         |    2 +-
 net/rxrpc/rxkad.c                                |    4 +-
 net/sctp/ipv6.c                                  |    6 +-
 net/sctp/protocol.c                              |   10 +-
 net/sctp/sm_sideeffect.c                         |    2 +-
 net/sctp/socket.c                                |   21 +-
 net/sctp/sysctl.c                                |    4 +-
 net/socket.c                                     |   18 +-
 net/sunrpc/clnt.c                                |    4 +-
 net/sunrpc/sched.c                               |    4 +-
 net/sunrpc/svc.c                                 |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                   |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c          |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c            |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c         |   10 +-
 net/tipc/link.c                                  |    6 +-
 net/tipc/msg.c                                   |    2 +-
 net/tipc/subscr.c                                |    2 +-
 net/unix/sysctl_net_unix.c                       |    2 +-
 net/wireless/wext-core.c                         |   19 +-
 net/xfrm/xfrm_policy.c                           |   27 +-
 net/xfrm/xfrm_state.c                            |   29 +-
 net/xfrm/xfrm_sysctl.c                           |    2 +-
 scripts/Makefile.build                           |    2 +-
 scripts/Makefile.clean                           |    3 +-
 scripts/Makefile.host                            |   28 +-
 scripts/basic/fixdep.c                           |   12 +-
 scripts/gcc-plugin.sh                            |   17 +
 scripts/headers_install.pl                       |    1 +
 scripts/link-vmlinux.sh                          |    2 +-
 scripts/mod/file2alias.c                         |   14 +-
 scripts/mod/modpost.c                            |   25 +-
 scripts/mod/modpost.h                            |    6 +-
 scripts/mod/sumversion.c                         |    2 +-
 scripts/package/builddeb                         |    1 +
 scripts/pnmtologo.c                              |    6 +-
 scripts/sortextable.h                            |    6 +-
 security/Kconfig                                 |  675 +++-
 security/apparmor/lsm.c                          |    2 +-
 security/integrity/ima/ima.h                     |    4 +-
 security/integrity/ima/ima_api.c                 |    2 +-
 security/integrity/ima/ima_fs.c                  |    4 +-
 security/integrity/ima/ima_queue.c               |    2 +-
 security/keys/compat.c                           |    2 +-
 security/keys/key.c                              |   18 +-
 security/keys/keyctl.c                           |    8 +-
 security/keys/keyring.c                          |    6 +-
 security/security.c                              |    9 +-
 security/selinux/hooks.c                         |    2 +-
 security/selinux/include/xfrm.h                  |    2 +-
 security/smack/smack_lsm.c                       |    2 +-
 security/tomoyo/tomoyo.c                         |    2 +-
 security/yama/yama_lsm.c                         |   22 +-
 sound/aoa/codecs/onyx.c                          |    7 +-
 sound/aoa/codecs/onyx.h                          |    1 +
 sound/core/oss/pcm_oss.c                         |   18 +-
 sound/core/pcm_compat.c                          |    2 +-
 sound/core/pcm_native.c                          |    4 +-
 sound/core/seq/seq_device.c                      |    8 +-
 sound/drivers/mts64.c                            |   14 +-
 sound/drivers/opl4/opl4_lib.c                    |    2 +-
 sound/drivers/portman2x4.c                       |    3 +-
 sound/firewire/amdtp.c                           |    4 +-
 sound/firewire/amdtp.h                           |    2 +-
 sound/firewire/isight.c                          |   10 +-
 sound/firewire/scs1x.c                           |    8 +-
 sound/oss/sb_audio.c                             |    2 +-
 sound/oss/swarm_cs4297a.c                        |    6 +-
 sound/pci/ymfpci/ymfpci.h                        |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                   |   12 +-
 tools/gcc/.gitignore                             |    1 +
 tools/gcc/Makefile                               |   45 +
 tools/gcc/checker_plugin.c                       |  171 +
 tools/gcc/colorize_plugin.c                      |  151 +
 tools/gcc/constify_plugin.c                      |  518 ++
 tools/gcc/generate_size_overflow_hash.sh         |   94 +
 tools/gcc/kallocstat_plugin.c                    |  170 +
 tools/gcc/kernexec_plugin.c                      |  465 ++
 tools/gcc/latent_entropy_plugin.c                |  327 ++
 tools/gcc/size_overflow_hash.data                | 5876 ++++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                 | 2114 ++++++++
 tools/gcc/stackleak_plugin.c                     |  327 ++
 tools/gcc/structleak_plugin.c                    |  276 +
 tools/perf/util/include/asm/alternative-asm.h    |    3 +
 tools/perf/util/include/linux/compiler.h         |    8 +
 virt/kvm/kvm_main.c                              |   32 +-
 1555 files changed, 30474 insertions(+), 7126 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
Merge: 814820a 3a59a59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:51:18 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:50:07 2013 -0400

    Update to pax-linux-3.8.13-test24.patch:
    - fixed sparc/constification compile error, reported by blake
    - UDEREF/amd64 should be a bit more efficient when disabled at boot time
    - fixed some unnecessary integer truncations that could trip up the size overflow plugin

 arch/arm/kernel/vmlinux.lds.S       |    4 ++--
 arch/sparc/kernel/us3_cpufreq.c     |    4 ++--
 arch/x86/ia32/ia32entry.S           |    4 ++--
 arch/x86/include/asm/pgtable.h      |    6 ++++--
 arch/x86/include/asm/uaccess.h      |    6 +++---
 arch/x86/kernel/kprobes-opt.c       |    4 ++++
 arch/x86/lib/copy_user_nocache_64.S |    2 +-
 arch/x86/lib/getuser.S              |    8 ++++----
 arch/x86/lib/putuser.S              |    8 ++++----
 arch/x86/mm/fault.c                 |    6 +++---
 drivers/net/slip/slhc.c             |    2 +-
 drivers/staging/iio/ring_sw.c       |    2 +-
 fs/binfmt_elf.c                     |    6 +++---
 fs/nfsd/nfscache.c                  |    2 +-
 fs/xattr.c                          |   21 +++++++++++++++++++++
 include/linux/syscalls.h            |    2 +-
 include/linux/xattr.h               |    3 +++
 init/main.c                         |    3 +++
 kernel/futex_compat.c               |    2 +-
 kernel/trace/trace.h                |    2 +-
 net/socket.c                        |    2 +-
 security/Kconfig                    |    2 +-
 22 files changed, 67 insertions(+), 34 deletions(-)

commit 814820abfe5b9a34401d838b2510431a4cd92be9
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 09:31:17 2013 +0000

    Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
    
    tipc: potential divide by zero in tipc_link_recv_fragment()
    
    The worry here is that fragm_sz could be zero since it comes from
    skb->data.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/link.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 08:28:41 2013 +0000

    Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
    
    tipc: add a bounds check in link_recv_changeover_msg()
    
    The bearer_id here comes from skb->data and it can be a number from 0 to
    7.  The problem is that the ->links[] array has only 2 elements so I
    have added a range check.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/link.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit ed0428c4ef6c5498870772f212ac651216eb8d0c
Merge: 2452d8d dbf932a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:18:25 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/cpu/perf_event_intel_uncore.c
        arch/x86/mm/init.c

commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 20:24:01 2013 -0400

    compile fix

 grsecurity/gracl.c      |    1 +
 grsecurity/gracl_segv.c |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:25:26 2013 -0400

    fix btrfs support here as well

 grsecurity/gracl_segv.c |   17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

commit c75e4664fe4d20da1639f70d9def097c4f20856b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:12:57 2013 -0400

    Fix RBAC compatibility with btrfs compiled as a module, as
    reported on the forums by YuHg at:
    http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952

 fs/btrfs/inode.c            |   11 +----------
 grsecurity/gracl.c          |   19 ++++++++++---------
 grsecurity/gracl_segv.c     |    2 +-
 grsecurity/grsec_disabled.c |    2 +-
 4 files changed, 13 insertions(+), 21 deletions(-)

commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 11 12:12:00 2013 -0400

    allow copies just up to the start of kernel code

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 04638852588cf243f865f5a73aa9dab94fab53b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:53:07 2013 -0400

    MODULES_EXEC_VADDR is a virtual address

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:51:03 2013 -0400

    exempt module rx areas from usercopy protection under i386 kernexec
    their .rodata will be placed between stext/etext causing copies of
    constant strings to trigger usercopy reports/terminations

 fs/exec.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 20:25:52 2013 -0400

    User jorgus on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
    discovered that the upstreamed version of enforcing RLIMIT_NPROC
    at setuid/exec time missed an important corner case:
    If RLIMIT_NPROC is set after a setuid occurs and the user's process
    limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
    happen at exec time for the task with a modified RLIMIT_NPROC.
    
    This patch fixes that.

 kernel/sys.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
Merge: 539fff0 2452d8d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 18:13:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
Merge: 6c850d8 9c9ab76
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 18:13:31 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/irq.c
        kernel/trace/trace_stack.c

commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:43:00 2013 -0400

    turn counter into a flag

 grsecurity/Kconfig        |    2 +-
 grsecurity/grsec_chroot.c |    8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:02:39 2013 -0400

    add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
    useful for Fedora/RHEL users

 grsecurity/Kconfig        |   10 ++++++++++
 grsecurity/grsec_chroot.c |   17 +++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

commit 418102925c0cfb0de51b0a021abaa575e28fafa6
Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
Date:   Fri May 3 14:11:25 2013 +0200

    Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
    
    perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
    
    We should always have proper privileges when requesting kernel
    data.
    
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@kernel.org>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: eranian@google.com
    Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
    [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org

 arch/x86/kernel/cpu/perf_event_intel_lbr.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Apr 29 05:58:52 2013 +0000

    Upstream commit: aebda156a570782a86fc4426842152237a19427d
    
    net: defer net_secret[] initialization
    
    Instead of feeding net_secret[] at boot time, defer the init
    at the point first socket is created.
    
    This permits some platforms to use better entropy sources than
    the ones available at boot time.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/secure_seq.h |    1 +
 net/core/secure_seq.c    |    4 +---
 net/ipv4/af_inet.c       |    5 ++++-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed May 1 02:59:23 2013 +0000

    Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
    
    net: sctp: attribute printl with __printf for gcc fmt checks
    
    Let GCC check for format string errors in sctp's probe printl
    function. This patch fixes the warning when compiled with W=1:
    
    net/sctp/probe.c:73:2: warning: function might be possible candidate
    for 'gnu_printf' format attribute [-Wmissing-format-attribute]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/probe.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:58:54 2013 -0400

    remove no-longer-needed vmware 8 compat fix

 mm/page_alloc.c |    6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:55:23 2013 -0400

    remove unnecessary < 0 check

 net/phonet/af_phonet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:30:48 2013 -0400

    remove references to CONFIG_X86_WP_WORKS_OK

 arch/um/defconfig |    1 -
 security/Kconfig  |    2 +-
 2 files changed, 1 insertions(+), 2 deletions(-)

commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
Merge: a8dbe8e 6c850d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:28:44 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/mm/ultra.S
        drivers/tty/tty_io.c

commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
Merge: cdbcbef 9fa1d01
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:25:18 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:44:23 2013 -0400

    add module.h to silence compiler warning, thanks to
    Sergei Trofimovich

 fs/btrfs/inode.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 55eba82aca97aa56378e000840c48965557721e8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:43:03 2013 -0400

    compilation fix

 kernel/trace/trace.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e3bf912b54af6df7fbebc68b5999554562056c5c
Merge: 5b72e37 cdbcbef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:34:42 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit cdbcbef45c4f003cbee11e10668a35d424c17c60
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:33:35 2013 -0400

    Update to pax-linux-3.8.10-test21.patch:
    - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
    - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
      note that the false positive is not fixed yet
    - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
    - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
    - reverted the nested NMI fix in search for a real one
    - simplified the arm_delay_ops constification

 arch/arm/include/asm/delay.h     |    8 ++++----
 arch/arm/lib/delay.c             |   17 +++++------------
 arch/x86/kernel/entry_64.S       |   11 ++++++++++-
 arch/x86/kernel/i8259.c          |    2 +-
 arch/x86/kernel/pci-calgary_64.c |    2 +-
 arch/x86/kvm/vmx.c               |    4 ++--
 drivers/block/pktcdvd.c          |    2 +-
 fs/btrfs/extent-tree.c           |    2 +-
 fs/nfsd/nfscache.c               |    6 ++++--
 kernel/trace/trace.c             |    2 +-
 tools/gcc/structleak_plugin.c    |    4 ++++
 11 files changed, 34 insertions(+), 26 deletions(-)

commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 20:53:06 2013 -0400

    don't use file_inode()

 drivers/tty/tty_io.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Apr 26 13:48:53 2013 +0200

    Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
    
    TTY: fix atime/mtime regression
    
    In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
    we removed timestamps from tty inodes to fix a security issue and waited
    if something breaks.  Well, 'w', the utility to find out logged users
    and their inactivity time broke.  It shows that users are inactive since
    the time they logged in.
    
    To revert to the old behaviour while still preventing attackers to
    guess the password length, we update the timestamps in one-minute
    intervals by this patch.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        drivers/tty/tty_io.c

 drivers/tty/tty_io.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Feb 15 15:25:05 2013 +0100

    Upstream commit: b0de59b5733d
    
    TTY: do not update atime/mtime on read/write
    
    On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
    out length of a password using timestamps of /dev/ptmx. It is
    documented in "Timing Analysis of Keystrokes and Timing Attacks on
    SSH". To avoid that problem, do not update time when reading
    from/writing to a TTY.
    
    I am afraid of regressions as this is a behavior we have since 0.97
    and apps may expect the time to be current, e.g. for monitoring
    whether there was a change on the TTY. Now, there is no change. So
    this would better have a lot of testing before it goes upstream.
    
    References: CVE-2013-0160
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: stable <stable@vger.kernel.org> # after 3.9 is out
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_io.c |    8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit 5344a24e2320d61dbdb88aae04922f0799deefd0
Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
Date:   Fri Apr 26 11:03:53 2013 +0800

    Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
    
    aio: fix possible invalid memory access when DEBUG is enabled
    
    dprintk() shouldn't access @ring after it's unmapped.
    
    Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/aio.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
Author: John David Anglin <dave.anglin@bell.net>
Date:   Tue Apr 23 22:42:07 2013 +0200

    Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
    
    parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
    
    User applications running on SMP kernels have long suffered from instability
    and random segmentation faults.  This patch improves the situation although
    there is more work to be done.
    
    One of the problems is the various routines in pgtable.h that update page table
    entries use different locking mechanisms, or no lock at all (set_pte_at).  This
    change modifies the routines to all use the same lock pa_dbit_lock.  This lock
    is used for dirty bit updates in the interruption code. The patch also purges
    the TLB entries associated with the PTE to ensure that inconsistent values are
    not used after the page table entry is updated.  The UP and SMP code are now
    identical.
    
    The change also includes a minor update to the purge_tlb_entries function in
    cache.c to improve its efficiency.
    
    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: Helge Deller <deller@gmx.de>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/include/asm/pgtable.h |   47 +++++++++++++++++++-----------------
 arch/parisc/kernel/cache.c        |    5 +---
 2 files changed, 26 insertions(+), 26 deletions(-)

commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
Merge: ba54c97 4d05084
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 18:17:20 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kvm/x86.c
        include/linux/capability.h

commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
Merge: c664779 bb8dd67
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 18:15:45 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Apr 24 16:52:18 2013 -0700

    Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
    
    sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
    
    Reported-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/tlb.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Apr 19 17:26:26 2013 -0400

    Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
    
    sparc64: Fix race in TLB batch processing.
    
    As reported by Dave Kleikamp, when we emit cross calls to do batched
    TLB flush processing we have a race because we do not synchronize on
    the sibling cpus completing the cross call.
    
    So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
    and either flushes are missed or flushes will flush the wrong
    addresses.
    
    Fix this by using generic infrastructure to synchonize on the
    completion of the cross call.
    
    This first required getting the flush_tlb_pending() call out from
    switch_to() which operates with locks held and interrupts disabled.
    The problem is that smp_call_function_many() cannot be invoked with
    IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
    
    We get the batch processing outside of locked IRQ disabled sections by
    using some ideas from the powerpc port. Namely, we only batch inside
    of arch_{enter,leave}_lazy_mmu_mode() calls.  If we're not in such a
    region, we flush TLBs synchronously.
    
    1) Get rid of xcall_flush_tlb_pending and per-cpu type
       implementations.
    
    2) Do TLB batch cross calls instead via:
    
        smp_call_function_many()
                tlb_pending_func()
                        __flush_tlb_pending()
    
    3) Batch only in lazy mmu sequences:
    
        a) Add 'active' member to struct tlb_batch
        b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
        c) Set 'active' in arch_enter_lazy_mmu_mode()
        d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
        e) Check 'active' in tlb_batch_add_one() and do a synchronous
               flush if it's clear.
    
    4) Add infrastructure for synchronous TLB page flushes.
    
        a) Implement __flush_tlb_page and per-cpu variants, patch
           as needed.
        b) Likewise for xcall_flush_tlb_page.
        c) Implement smp_flush_tlb_page() to invoke the cross-call.
        d) Wire up global_flush_tlb_page() to the right routine based
               upon CONFIG_SMP
    
    5) It turns out that singleton batches are very common, 2 out of every
       3 batch flushes have only a single entry in them.
    
       The batch flush waiting is very expensive, both because of the poll
       on sibling cpu completeion, as well as because passing the tlb batch
       pointer to the sibling cpus invokes a shared memory dereference.
    
       Therefore, in flush_tlb_pending(), if there is only one entry in
       the batch perform a completely asynchronous global_flush_tlb_page()
       instead.
    
    Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>

 arch/sparc/include/asm/pgtable_64.h   |    1 +
 arch/sparc/include/asm/switch_to_64.h |    3 +-
 arch/sparc/include/asm/tlbflush_64.h  |   37 +++++++++--
 arch/sparc/kernel/smp_64.c            |   41 ++++++++++-
 arch/sparc/mm/tlb.c                   |   38 +++++++++-
 arch/sparc/mm/tsb.c                   |   57 ++++++++++++----
 arch/sparc/mm/ultra.S                 |  119 ++++++++++++++++++++++++++-------
 7 files changed, 241 insertions(+), 55 deletions(-)

commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Apr 19 15:32:32 2013 +0000

    Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
    
    net: fix incorrect credentials passing
    
    Commit 257b5358b32f ("scm: Capture the full credentials of the scm
    sender") changed the credentials passing code to pass in the effective
    uid/gid instead of the real uid/gid.
    
    Obviously this doesn't matter most of the time (since normally they are
    the same), but it results in differences for suid binaries when the wrong
    uid/gid ends up being used.
    
    This just undoes that (presumably unintentional) part of the commit.
    
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Serge E. Hallyn <serge@hallyn.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/scm.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:22:40 2013 -0400

    move _etext to only cover kernel code, not read-only data, as reported by Gu1

 arch/arm/kernel/vmlinux.lds.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 98ad6adbc48759e4f9eae435d3e51ba487155685
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:17:24 2013 -0400

    add asm/sections.h for USERCOPY change

 fs/exec.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
Author: Dmitry Popov <dp@highloadlab.com>
Date:   Thu Apr 11 08:55:07 2013 +0000

    Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
    
    tcp: incoming connections might use wrong route under synflood
    
    There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
        flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
                           RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                           inet_sk_flowi_flags(sk),
                           (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
                           ireq->loc_addr, th->source, th->dest);
    
    Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
    taken. This dst_entry is used by new socket (get_cookie_sock ->
    tcp_v4_syn_recv_sock), so its packets may take the wrong path.
    
    Signed-off-by: Dmitry Popov <dp@highloadlab.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/syncookies.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 3600395e8fef3ae712e72f9b68c3609639616df8
Author: Thomas Graf <tgraf@suug.ch>
Date:   Thu Apr 11 10:57:18 2013 +0000

    Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
    
    tcp: Reallocate headroom if it would overflow csum_start
    
    If a TCP retransmission gets partially ACKed and collapsed multiple
    times it is possible for the headroom to grow beyond 64K which will
    overflow the 16bit skb->csum_start which is based on the start of
    the headroom. It has been observed rarely in the wild with IPoIB due
    to the 64K MTU.
    
    Verify if the acking and collapsing resulted in a headroom exceeding
    what csum_start can cover and reallocate the headroom if so.
    
    A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
    LLNL for helping out with the investigation and testing.
    
    Reported-by: Jim Foraker <foraker1@llnl.gov>
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_output.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
Author: Ivan Vecera <ivecera@redhat.com>
Date:   Fri Apr 12 16:49:24 2013 +0200

    Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
    
    be2net: take care of __vlan_put_tag return value
    
    The driver should use return value of __vlan_put_tag with appropriate
    NULL-check instead of old skb pointer.
    
    Signed-off-by: Ivan Vecera <ivecera@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/emulex/benet/be_main.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Fri Apr 12 03:17:12 2013 +0000

    Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
    
    tuntap: fix error return code in tun_set_iff()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    [ Bug added in linux-3.8 , commit 4008e97f866db665
      ("tuntap: fix ambigious multiqueue API") ]
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Sat Apr 13 15:49:03 2013 +0000

    Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
    
    esp4: fix error return code in esp_output()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 2b45b5f52c2a8930f80c62de392a62516c83e225
Author: Bjørn Mork <bjorn@mork.no>
Date:   Tue Apr 16 00:17:07 2013 +0000

    Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
    
    net: cdc_mbim: remove bogus sizeof()
    
    The intention was to test against the constant, not the size of
    the constant.
    
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/usb/cdc_mbim.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 17d7408795519037a5a1272c7888238e20830bfe
Author: Vyacheslav Dubeyko <slava@dubeyko.com>
Date:   Wed Apr 17 15:58:33 2013 -0700

    Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
    
    hfsplus: fix potential overflow in hfsplus_file_truncate()
    
    Change a u32 to loff_t hfsplus_file_truncate().
    
    Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/hfsplus/extents.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
Author: Emese Revfy <re.emese@gmail.com>
Date:   Wed Apr 17 15:58:36 2013 -0700

    Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
    
    kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
    
    This fixes a kernel memory contents leak via the tkill and tgkill syscalls
    for compat processes.
    
    This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
    when handling signals delivered from tkill.
    
    The place of the infoleak:
    
    int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
    {
            ...
            put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
            ...
    }
    
    Signed-off-by: Emese Revfy <re.emese@gmail.com>
    Reviewed-by: PaX Team <pageexec@freemail.hu>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Serge Hallyn <serge.hallyn@canonical.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/signal.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:17:00 2013 -0400

    Improve PAX_USERCOPY to reject direct copies to/from main kernel text

 fs/exec.c |   29 +++++++++++++++++++++++++++--
 1 files changed, 27 insertions(+), 2 deletions(-)

commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
Merge: e87c19f c664779
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:06:08 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c664779987cb0c27a242029f0e0db812e3236203
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 19:54:09 2013 -0400

    add intentional_overflow marking for resource_size() as reasoned by:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3412

 include/linux/ioport.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e87c19f8312355b8658e5138c16bfa6043a379c8
Merge: 802d119 d0c636c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 16:57:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
Merge: bc88628 2396403
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 16:57:01 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/paravirt.c

commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:39:51 2013 -0400

    move location of RBAC user check on setfsuid until after capability checks
    for consistency with other checks

 kernel/sys.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 1a860d7d67051559ab2e6d10f9888649c92904e6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:34:46 2013 -0400

    A denied setfsuid by the RBAC system would result in an abort_creds() being called
    with an uninitalized pointer, introduced by a bad forward-port

 kernel/sys.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
Merge: c38d142 bc88628
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:28:33 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit bc88628a6a8fcccaabb90908640809b0540df225
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:26:41 2013 -0400

    Update to pax-linux-3.8.7-test20.patch:
    - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
    - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
    - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
    - fixed CONSTIFY and powerpc interference, reported by  John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)

 arch/powerpc/include/asm/smp.h |    2 +-
 arch/x86/Kconfig               |    4 ++--
 arch/x86/kernel/entry_64.S     |    8 ++++----
 security/Kconfig               |    2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

commit c38d142744489fc4d9be80188b6435a278438fd9
Author: Suleiman Souhlal <suleiman@google.com>
Date:   Sat Apr 13 16:03:06 2013 -0700

    Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
    
    vfs: Revert spurious fix to spinning prevention in prune_icache_sb
    
    Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
    
    This commit doesn't look right: since we are looking at the tail of the
    list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
    it back at the head of the list instead of the tail, otherwise we will
    keep spinning on it.
    
    Discovered when investigating why prune_icache_sb came top in perf
    reports of a swapping load.
    
    Signed-off-by: Suleiman Souhlal <suleiman@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org # v3.2+
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/inode.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 93019624b80ba59798393942798d7f6ed0c1dbc6
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Apr 13 15:15:30 2013 -0700

    Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
    
    kobject: fix kset_find_obj() race with concurrent last kobject_put()
    
    Anatol Pomozov identified a race condition that hits module unloading
    and re-loading.  To quote Anatol:
    
     "This is a race codition that exists between kset_find_obj() and
      kobject_put().  kset_find_obj() might return kobject that has refcount
      equal to 0 if this kobject is freeing by kobject_put() in other
      thread.
    
      Here is timeline for the crash in case if kset_find_obj() searches for
      an object tht nobody holds and other thread is doing kobject_put() on
      the same kobject:
    
        THREAD A (calls kset_find_obj())     THREAD B (calls kobject_put())
        splin_lock()
                                             atomic_dec_return(kobj->kref), counter gets zero here
                                             ... starts kobject cleanup ....
                                             spin_lock() // WAIT thread A in kobj_kset_leave()
        iterate over kset->list
        atomic_inc(kobj->kref) (counter becomes 1)
        spin_unlock()
                                             spin_lock() // taken
                                             // it does not know that thread A increased counter so it
                                             remove obj from list
                                             spin_unlock()
                                             vfree(module) // frees module object with containing kobj
    
        // kobj points to freed memory area!!
        kobject_put(kobj) // OOPS!!!!
    
      The race above happens because module.c tries to use kset_find_obj()
      when somebody unloads module.  The module.c code was introduced in
      commit 6494a93d55fa"
    
    Anatol supplied a patch specific for module.c that worked around the
    problem by simply not using kset_find_obj() at all, but rather than make
    a local band-aid, this just fixes kset_find_obj() to be thread-safe
    using the proper model of refusing the get a new reference if the
    refcount has already dropped to zero.
    
    See examples of this proper refcount handling not only in the kref
    documentation, but in various other equivalent uses of this pattern by
    grepping for atomic_inc_not_zero().
    
    [ Side note: the module race does indicate that module loading and
      unloading is not properly serialized wrt sysfs information using the
      module mutex.  That may require further thought, but this is the
      correct fix at the kobject layer regardless. ]
    
    Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/kobject.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 5277b052b5fab36729e1255fb3b12f47a4b12867
Author: Dave Hansen <dave@sr71.net>
Date:   Fri Apr 12 16:23:54 2013 -0700

    Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
    
    x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
    
    This patch attempts to fix:
    
        https://bugzilla.kernel.org/show_bug.cgi?id=56461
    
    The symptom is a crash and messages like this:
    
        chrome: Corrupted page table at address 34a03000
        *pdpt = 0000000000000000 *pde = 0000000000000000
        Bad pagetable: 000f [#1] PREEMPT SMP
    
    Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
    enable tlb flush range support for x86") since that code started to free
    unused pagetables.
    
    On x86-32 PAE kernels, that new code has the potential to free an entire
    PMD page and will clear one of the four page-directory-pointer-table
    (aka pgd_t entries).
    
    The hardware aggressively "caches" these top-level entries and invlpg
    does not actually affect the CPU's copy.  If we clear one we *HAVE* to
    do a full TLB flush, otherwise we might continue using a freed pmd page.
    (note, we do this properly on the population side in pud_populate()).
    
    This patch tracks whenever we clear one of these entries in the 'struct
    mmu_gather', and ensures that we follow up with a full tlb flush.
    
    BTW, I disassembled and checked that:
    
        if (tlb->fullmm == 0)
    and
        if (!tlb->fullmm && !tlb->need_flush_all)
    
    generate essentially the same code, so there should be zero impact there
    to the !PAE case.
    
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Peter Anvin <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Artem S Tashkinov <t.artem@mailcity.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/x86/include/asm/tlb.h |    2 +-
 arch/x86/mm/pgtable.c      |    7 +++++++
 include/asm-generic/tlb.h  |    7 ++++++-
 mm/memory.c                |    1 +
 4 files changed, 15 insertions(+), 2 deletions(-)

commit 521e573fc77d1783c1d4636dfbb4617a922f043d
Merge: 032f626 f807619
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:29:34 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f80761993b85df96fc142dfc3a317cadc0f8eae5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:28:21 2013 -0400

    Update to pax-linux-3.8.7-test19.patch:
    - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
    - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
    - fixed the structleak plugin to compile for gcc 4.5-4.6 as well

 Makefile                      |    2 +-
 arch/x86/xen/enlighten.c      |    6 +++---
 tools/gcc/structleak_plugin.c |    5 +++--
 3 files changed, 7 insertions(+), 6 deletions(-)

commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
Merge: a3a770e 89886f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 18:38:40 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 89886f561cc0d1c42a99624ec8c3704711088155
Merge: 9123489 531ec28
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 18:38:30 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit a3a770e18578841e4fbe2aa0831a22811b4812cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 11 20:46:20 2013 -0400

    Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
    Will be fixed with the next PaX patch
    
    This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date:   Fri Mar 29 10:20:56 2013 -0400

    Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
    
    xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
    
    Occassionaly on a DL380 G4 the guest would crash quite early with this:
    
    (XEN) d244:v0: unhandled page fault (ec=0003)
    (XEN) Pagetable walk from ffffffff84dc7000:
    (XEN)  L4[0x1ff] = 00000000c3f18067 0000000000001789
    (XEN)  L3[0x1fe] = 00000000c3f14067 000000000000178d
    (XEN)  L2[0x026] = 00000000dc8b2067 0000000000004def
    (XEN)  L1[0x1c7] = 00100000dc8da067 0000000000004dc7
    (XEN) domain_crash_sync called from entry.S
    (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
    (XEN) ----[ Xen-4.1.3OVM  x86_64  debug=n  Not tainted ]----
    (XEN) CPU:    3
    (XEN) RIP:    e033:[<ffffffff81263f22>]
    (XEN) RFLAGS: 0000000000000216   EM: 1   CONTEXT: pv guest
    (XEN) rax: 0000000000000000   rbx: ffffffff81785f88   rcx: 000000000000003f
    (XEN) rdx: 0000000000000000   rsi: 00000000dc8da063   rdi: ffffffff84dc7000
    
    The offending code shows it to be a loop writting the value zero
    (%rax) in the %rdi (the L4 provided by Xen) register:
    
       0: 44 00 00             add    %r8b,(%rax)
       3: 31 c0                 xor    %eax,%eax
       5: b9 40 00 00 00       mov    $0x40,%ecx
       a: 66 0f 1f 84 00 00 00 nopw   0x0(%rax,%rax,1)
      11: 00 00
      13: ff c9                 dec    %ecx
      15:* 48 89 07             mov    %rax,(%rdi)     <-- trapping instruction
      18: 48 89 47 08           mov    %rax,0x8(%rdi)
      1c: 48 89 47 10           mov    %rax,0x10(%rdi)
    
    which fails. xen_setup_kernel_pagetable recycles some of the Xen's
    page-table entries when it has switched over to its Linux page-tables.
    
    Right before try to clear the page, we  make a hypercall to change
    it from _RO to  _RW and that works (otherwise we would hit an BUG()).
    And the _RW flag is set for that page:
    (XEN)  L1[0x1c7] = 001000004885f067 0000000000004dc7
    
    The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
    present (correct), and we tried to write to the page, but a violation
    occurred. The one theory is that the the page entries in hardware
    (which are cached) are not up to date with what we just set. Especially
    as we have just done an CR3 write and flushed the multicalls.
    
    This patch does solve the problem by flusing out the TLB page
    entry after changing it from _RO to _RW and we don't hit this
    issue anymore.
    
    Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
    'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
    Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

 arch/x86/xen/mmu.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
Author: Namhyung Kim <namhyung.kim@lge.com>
Date:   Mon Apr 1 21:46:23 2013 +0900

    Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
    
    tracing: Fix double free when function profile init failed
    
    On the failure path, stat->start and stat->pages will refer same page.
    So it'll attempt to free the same page again and get kernel panic.
    
    Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
    
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Namhyung Kim <namhyung.kim@lge.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Namhyung Kim <namhyung@kernel.org>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/ftrace.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Tue Apr 9 23:19:00 2013 +0000

    Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
    
    e100: Add dma mapping error check
    
    e100 uses pci_map_single, but fails to check for a dma mapping error after its
    use, resulting in a stack trace:
    
    [   46.656594] ------------[ cut here ]------------
    [   46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
    [   46.657004] Hardware name: To Be Filled By O.E.M.
    [   46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
    error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
    [   46.657004] Modules linked in:
    [   46.657004]  w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
    snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
    e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
    k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
    sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
    drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
    sata_promise crc_itu_t
    [   46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
    [   46.657004] Call Trace:
    [   46.657004]  <IRQ>  [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
    [   46.657004]  [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
    [   46.657004]  [<ffffffff81364cfb>] check_unmap+0x47b/0x950
    [   46.657004]  [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
    [   46.657004]  [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
    [   46.657004]  [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
    [   46.657004]  [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
    [   46.657004]  [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
    [   46.657004]  [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
    [   46.657004]  [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
    [   46.657004]  [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
    [   46.657004]  [<ffffffff8101c485>] do_softirq+0x85/0xc0
    [   46.657004]  [<ffffffff81070885>] irq_exit+0xd5/0xe0
    [   46.657004]  [<ffffffff816e5756>] do_IRQ+0x56/0xc0
    [   46.657004]  [<ffffffff816dacb2>] common_interrupt+0x72/0x72
    [   46.657004]  <EOI>  [<ffffffff816da1eb>] ?
    _raw_spin_unlock_irqrestore+0x3b/0x70
    [   46.657004]  [<ffffffff816d124d>] __slab_free+0x58/0x38b
    [   46.657004]  [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
    [   46.657004]  [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
    [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
    [   46.657004]  [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff811e8c28>] destroy_inode+0x38/0x60
    [   46.657004]  [<ffffffff811e8d5e>] evict+0x10e/0x1a0
    [   46.657004]  [<ffffffff811e9605>] iput+0xf5/0x180
    [   46.657004]  [<ffffffff811e4338>] dput+0x248/0x310
    [   46.657004]  [<ffffffff811ce0e1>] __fput+0x171/0x240
    [   46.657004]  [<ffffffff811ce26e>] ____fput+0xe/0x10
    [   46.657004]  [<ffffffff8108d54c>] task_work_run+0xac/0xe0
    [   46.657004]  [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
    [   46.657004]  [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
    [   46.657004]  [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
    [   46.657004]  [<ffffffff8106d139>] do_group_exit+0x49/0xc0
    [   46.657004]  [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
    [   46.657004]  [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
    [   46.657004] ---[ end trace 4468c44e2156e7d1 ]---
    [   46.657004] Mapped at:
    [   46.657004]  [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
    [   46.657004]  [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
    [   46.657004]  [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
    [   46.657004]  [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
    [   46.657004]  [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
    
    Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
    dma_mapping_error check in the obvious place
    
    This was reported previously here:
    http://article.gmane.org/gmane.linux.network/257893
    
    But nobody stepped up and fixed it.
    
    CC: Josh Boyer <jwboyer@redhat.com>
    CC: e1000-devel@lists.sourceforge.net
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: Michal Jaegermann <michal@harddata.com>
    Tested-by: Aaron Brown <aaron.f.brown@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/intel/e100.c |   36 +++++++++++++++++++++++++-----------
 1 files changed, 25 insertions(+), 11 deletions(-)

commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Wed Apr 10 12:44:18 2013 -0400

    Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
    
    NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
    
    Make sure that we set the status to 0 on success. Missed in testing
    because it never appears when doing multiple mounts to _different_
    servers.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list

 fs/nfs/nfs4client.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
Author: Yuval Mintz <yuvalmin@broadcom.com>
Date:   Wed Apr 10 13:34:39 2013 +0300

    Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
    
    bnx2x: Prevent null pointer dereference in AFEX mode
    
    The cnic module is responsible for initializing various bnx2x structs
    via callbacks provided by the bnx2x module.
    One such struct is the queue object for the FCoE queue.
    
    If a device is working in AFEX mode and its configuration allows FCoE yet
    the cnic module is not loaded, it's very likely a null pointer dereference
    will occur, as the bnx2x will erroneously access the FCoE's queue object.
    
    Prevent said access until cnic properly registers itself.
    
    Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
    Signed-off-by: Ariel Elior <ariele@broadcom.com>
    Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 2908830232725db624aaa052f7ad38d1f98bf541
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Apr 9 14:16:04 2013 +0800

    Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
    
    can: gw: use kmem_cache_free() instead of kfree()
    
    Memory allocated by kmem_cache_alloc() should be freed using
    kmem_cache_free(), not kfree().
    
    Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

 net/can/gw.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date:   Sun Apr 7 04:53:15 2013 +0000

    Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
    
    ipv6/tcp: Stop processing ICMPv6 redirect messages
    
    Tetja Rediske found that if the host receives an ICMPv6 redirect message
    after sending a SYN+ACK, the connection will be reset.
    
    He bisected it down to 093d04d (ipv6: Change skb->data before using
    icmpv6_notify() to propagate redirect), but the origin of the bug comes
    from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
    handlers.). The bug simply did not trigger prior to 093d04d, because
    skb->data did not point to the inner IP header and thus icmpv6_notify
    did not call the correct err_handler.
    
    This patch adds the missing "goto out;" in tcp_v6_err. After receiving
    an ICMPv6 Redirect, we should not continue processing the ICMP in
    tcp_v6_err, as this may trigger the removal of request-socks or setting
    sk_err(_soft).
    
    Reported-by: Tetja Rediske <tetja@tetja.de>
    Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/tcp_ipv6.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c7d5c2524456ef3ea9194840e7a9a75069a46824
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 20:32:54 2013 -0400

    - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit acac2380fd97acee4367d2aa24c74322dcf1d22b
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Apr 5 16:11:11 2013 -0400

    Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
    
    NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
    
    It is unsafe to use list_for_each_entry_safe() here, because
    when we drop the nn->nfs_client_lock, we pin the _current_ list
    entry and ensure that it stays in the list, but we don't do the
    same for the _next_ list entry. Use of list_for_each_entry() is
    therefore the correct thing to do.
    
    Also fix the refcounting in nfs41_walk_client_list().
    
    Finally, ensure that the nfs_client has finished being initialised
    and, in the case of NFSv4.1, that the session is set up.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: Chuck Lever <chuck.lever@oracle.com>
    Cc: Bryan Schumaker <bjschuma@netapp.com>
    Cc: stable@vger.kernel.org [>= 3.7]

 fs/nfs/nfs4client.c |   44 ++++++++++++++++++++++++++++----------------
 1 files changed, 28 insertions(+), 16 deletions(-)

commit a6cf5f387b882ac0ce655b75f623f86c075517be
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Mar 22 12:52:59 2013 -0400

    Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
    
    SUNRPC: Remove extra xprt_put()
    
    While testing error cases where rpc_new_client() fails, I saw
    some oopses.
    
    If rpc_new_client() fails, it already invokes xprt_put().  Thus
    __rpc_clone_client() does not need to invoke it again.
    
    Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
    Fri Sep 14, 2012.
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Cc: stable@vger.kernel.org [>=3.7]
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Apr 5 14:13:21 2013 -0400

    Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
    
    SUNRPC: Fix a potential memory leak in rpc_new_client
    
    If the call to rpciod_up() fails, we currently leak a reference to the
    struct rpc_xprt.
    As part of the fix, we also remove the redundant check for xprt!=NULL.
    This is already taken care of by the callers.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:16:05 2013 -0400

    From https://lkml.org/lkml/2013/4/8/469:
    [PATCH] rtnetlink: call nlmsg_parse() with correct header length

 net/core/rtnetlink.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9529169b8c405874fd543b785f53c74fa0501c2a
Author: Christopher Harvey <charvey@matrox.com>
Date:   Fri Apr 5 10:51:15 2013 -0400

    Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
    
    drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
    
    This change properly enables the "requester" in G200ER cards that is
    responsible for getting pixels out of memory and clocking them out to
    the screen.
    
    Signed-off-by: Christopher Harvey <charvey@matrox.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@redhat.com>

 drivers/gpu/drm/mgag200/mgag200_mode.c |   13 +++----------
 1 files changed, 3 insertions(+), 10 deletions(-)

commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Mar 28 13:30:23 2013 -0400

    Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
    
    ecryptfs: close rmmod race
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/ecryptfs/miscdev.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:03:45 2013 -0400

    Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1

 arch/ia64/kernel/palinfo.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 83280e384ae3ceadad30369ced111dc7d4b46085
Author: Andrey Vagin <avagin@openvz.org>
Date:   Tue Apr 9 17:33:29 2013 +0400

    Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
    
    mnt: release locks on error path in do_loopback
    
    do_loopback calls lock_mount(path) and forget to unlock_mount
    if clone_mnt or copy_mnt fails.
    
    [   77.661566] ================================================
    [   77.662939] [ BUG: lock held when returning to user space! ]
    [   77.664104] 3.9.0-rc5+ #17 Not tainted
    [   77.664982] ------------------------------------------------
    [   77.666488] mount/514 is leaving the kernel with locks still held!
    [   77.668027] 2 locks held by mount/514:
    [   77.668817]  #0:  (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
    [   77.671755]  #1:  (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
    
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namespace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 679e536b9d9536d804f049fe942367a596253e6d
Author: Alex Williamson <alex.williamson@redhat.com>
Date:   Tue Mar 26 11:33:16 2013 -0600

    Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
    
    vfio-pci: Fix possible integer overflow
    
    The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
    of which are unsigned.  We attempt to bounds check these, but fail to
    account for the case where start is a very large number, allowing
    start + count to wrap back into the valid range.  Bounds check both
    start and start + count.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

 drivers/vfio/pci/vfio_pci.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 18:48:45 2013 -0400

    Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b5261a6384ee42499b29495aaae40b271e77d394
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:30:45 2013 -0400

    some undefined behavior fixups

 grsecurity/gracl.c      |    4 ++--
 grsecurity/gracl_ip.c   |   10 +++++-----
 grsecurity/gracl_segv.c |    4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:28:54 2013 -0400

    don't whine about denied ipv6 when it's not enabled

 grsecurity/gracl_ip.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
Merge: 97bca88 9123489
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:18:45 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 9123489428c58668a89f316db6619739cbdd2c2a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:17:46 2013 -0400

    Update to pax-linux-3.8.6-test18.patch:
    - new size overflow plugin from Emese to work around a gcc optimization
      resulting in an intentional overflow, reported by Carlos Carvalho
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)

 tools/gcc/size_overflow_plugin.c |   68 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 66 insertions(+), 2 deletions(-)

commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
Merge: 675a41e e9d6073
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:32:59 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/kernel/us3_cpufreq.c

commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:19:03 2013 -0400

    Update to pax-linux-3.8.6-test17.patch:
    - fixed ia64/ppc/sparc compilation by spender
    - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)

 arch/ia64/include/asm/uaccess.h    |    2 -
 arch/powerpc/include/asm/uaccess.h |    2 -
 arch/sparc/include/asm/uaccess.h   |    7 ----
 arch/sparc/kernel/prom_common.c    |    2 +-
 arch/sparc/kernel/us3_cpufreq.c    |   69 ++++++++++--------------------------
 tools/gcc/structleak_plugin.c      |   15 ++++----
 6 files changed, 28 insertions(+), 69 deletions(-)

commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 7 12:00:50 2013 -0400

    fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5a216624a06429488f24ce47db093da042f90e48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:22:24 2013 -0400

    fix typo

 arch/sparc/kernel/us3_cpufreq.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit e476ca18d21788898cd3acd1b57049971a2fb70f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:16:13 2013 -0400

    properly fix cpufreq_driver for ultrasparc III with constification

 arch/sparc/kernel/us3_cpufreq.c |   35 +++++++++++++++++------------------
 1 files changed, 17 insertions(+), 18 deletions(-)

commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:58:48 2013 -0400

    mark prom_sparc_ops __initconst

 arch/sparc/kernel/prom_common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:53:16 2013 -0400

    fix ia64/powerpc/sparc compilation

 arch/ia64/include/asm/uaccess.h    |    2 --
 arch/powerpc/include/asm/uaccess.h |    2 --
 arch/sparc/include/asm/uaccess.h   |    7 -------
 3 files changed, 0 insertions(+), 11 deletions(-)

commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Mar 19 20:26:57 2013 +0100

    Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
    
    cfg80211: fix wdev tracing crash
    
    Arend reported a crash in tracing if the driver returns an
    ERR_PTR() value from the add_virtual_intf() callback. This
    is due to the tracing then still attempting to dereference
    the "pointer", fix this by using IS_ERR_OR_NULL().
    
    Reported-by: Arend van Spriel <arend@broadcom.com>
    Tested-by: Arend van Spriel <arend@broadcom.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/wireless/trace.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Mon Mar 25 11:51:14 2013 +0100

    Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
    
    mac80211: fix remain-on-channel cancel crash
    
    If a ROC item is canceled just as it expires, the work
    struct may be scheduled while it is running (and waiting
    for the mutex). This results in it being run after being
    freed, which obviously crashes.
    
    To fix this don't free it when aborting is requested but
    instead mark it as "to be freed", which makes the work a
    no-op and allows freeing it outside.
    
    Cc: stable@vger.kernel.org [3.6+]
    Reported-by: Jouni Malinen <j@w1.fi>
    Tested-by: Jouni Malinen <j@w1.fi>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/mac80211/cfg.c         |    6 ++++--
 net/mac80211/ieee80211_i.h |    3 ++-
 net/mac80211/offchannel.c  |   23 +++++++++++++++++------
 3 files changed, 23 insertions(+), 9 deletions(-)

commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
Author: Stone Piao <piaoyun@marvell.com>
Date:   Fri Mar 29 19:21:21 2013 -0700

    Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
    
    mwifiex: limit channel number not to overflow memory
    
    Limit the channel number in scan request, or the driver scan
    config structure memory will be overflowed.
    
    Cc: <stable@vger.kernel.org> # 3.5+
    Signed-off-by: Stone Piao <piaoyun@marvell.com>
    Signed-off-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/mwifiex/cfg80211.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 207c411512bdaf0e4271f93ecac6ca26588da36f
Author: Gao feng <gaofeng@cn.fujitsu.com>
Date:   Thu Mar 21 19:48:41 2013 +0000

    Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
    
    netfilter: reset nf_trace in nf_reset
    
    We forgot to clear the nf_trace of sk_buff in nf_reset,
    When we use veth device, this nf_trace information will
    be leaked from one net namespace to another net namespace.
    
    Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/linux/skbuff.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Fri Mar 22 01:28:18 2013 +0000

    Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
    
    netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_queue_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit a79feb7d3251eca577d83d7f69eee2b961ab2924
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Sat Mar 23 16:57:59 2013 +0100

    Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
    
    netfilter: nfnetlink_acct: return -EINVAL if object name is empty
    
    If user-space tries to create accounting object with an empty
    name, then return -EINVAL.
    
    Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_acct.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
Author: Matthias Schiffer <mschiffer@universe-factory.net>
Date:   Sat Mar 30 10:23:12 2013 +0000

    Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
    
    netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
    
    The bitmask used for the prefix mangling was being calculated
    incorrectly, leading to the wrong part of the address being replaced
    when the prefix length wasn't a multiple of 32.
    
    Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/ipv6/netfilter/ip6t_NPT.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
Author: Veaceslav Falico <vfalico@redhat.com>
Date:   Wed Apr 3 05:46:33 2013 +0000

    Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
    
    bonding: remove sysfs before removing devices
    
    We have a race condition if we try to rmmod bonding and simultaneously add
    a bond master through sysfs. In bonding_exit() we first remove the devices
    (through rtnl_link_unregister() ) and only after that we remove the sysfs.
    If we manage to add a device through sysfs after that the devices were
    removed - we'll end up with that device/sysfs structure and with the module
    unloaded.
    
    Fix this by first removing the sysfs and only after that calling
    rtnl_link_unregister().
    
    Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/bonding/bond_main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d12cae44a9d12441d81c489178803237219d403d
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:14:47 2013 +0000

    Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
    
    af_unix: If we don't care about credentials coallesce all messages
    
    It was reported that the following LSB test case failed
    https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
    were not coallescing unix stream messages when the application was
    expecting us to.
    
    The problem was that the first send was before the socket was accepted
    and thus sock->sk_socket was NULL in maybe_add_creds, and the second
    send after the socket was accepted had a non-NULL value for sk->socket
    and thus we could tell the credentials were not needed so we did not
    bother.
    
    The unnecessary credentials on the first message cause
    unix_stream_recvmsg to start verifying that all messages had the same
    credentials before coallescing and then the coallescing failed because
    the second message had no credentials.
    
    Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
    long standing pessimization which would fail to coallesce messages when
    reading from a unix stream socket if the senders were different even if
    we did not care about their credentials.
    
    I have tested this and verified that the in the LSB test case mentioned
    above that the messages do coallesce now, while the were failing to
    coallesce without this change.
    
    Reported-by: Karel Srot <ksrot@redhat.com>
    Reported-by: Ding Tianhong <dingtianhong@huawei.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:13:35 2013 +0000

    Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
    
    Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
    
    This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
    
    The problem that the above patch was meant to address is that af_unix
    messages are not being coallesced because we are sending unnecesarry
    credentials.  Not sending credentials in maybe_add_creds totally
    breaks unconnected unix domain sockets that wish to send credentails
    to other sockets.
    
    In practice this break some versions of udev because they receive a
    message and the sending uid is bogus so they drop the message.
    
    Reported-by: Sven Joachim <svenjoac@gmx.de>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Mar 20 21:31:42 2013 +0000

    Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
    
    lantiq_etop: use free_netdev(netdev) instead of kfree()
    
    Freeing netdev without free_netdev() leads to net, tx leaks.
    And it may lead to dereferencing freed pointer.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/lantiq_etop.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
Author: Cong Wang <amwang@redhat.com>
Date:   Fri Mar 22 19:14:07 2013 +0000

    Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
    
    8021q: fix a potential use-after-free
    
    vlan_vid_del() could possibly free ->vlan_info after a RCU grace
    period, however, we may still refer to the freed memory area
    by 'grp' pointer. Found by code inspection.
    
    This patch moves vlan_vid_del() as behind as possible.
    
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/8021q/vlan.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit fff29c277024a39845d4b535083c8dafc21b45d9
Author: Hong zhi guo <honkiko@gmail.com>
Date:   Sat Mar 23 02:27:50 2013 +0000

    Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
    
    bridge: fix crash when set mac address of br interface
    
    When I tried to set mac address of a bridge interface to a mac
    address which already learned on this bridge, I got system hang.
    
    The cause is straight forward: function br_fdb_change_mac_address
    calls fdb_insert with NULL source nbp. Then an fdb lookup is
    performed. If an fdb entry is found and it's local, it's OK. But
    if it's not local, source is dereferenced for printk without NULL
    check.
    
    Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br_fdb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
Author: Kumar Amit Mehta <gmate.amit@gmail.com>
Date:   Sat Mar 23 20:10:25 2013 +0000

    Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
    
    bnx2x: fix assignment of signed expression to unsigned variable
    
    fix for incorrect assignment of signed expression to unsigned variable.
    
    Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
    Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
Author: dingtianhong <dingtianhong@huawei.com>
Date:   Mon Mar 25 17:02:04 2013 +0000

    Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
    
    af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
    
    SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
    socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
    and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
    
    Origionally-authored-by: Karel Srot <ksrot@redhat.com>
    Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b964e1e61f0f0ccaa380be3342f956c604054bdc
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Mar 21 02:30:41 2013 -0700

    Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
    
    yama:  Better permission check for ptraceme
    
    Change the permission check for yama_ptrace_ptracee to the standard
    ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
    in the tracees user namespace.
    
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 security/yama/yama_lsm.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit b94e71c7b6abe75989edff18aca2781233fa143b
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Apr 1 11:40:51 2013 +0400

    Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
    
    ipc: set msg back to -EAGAIN if copy wasn't performed
    
    Make sure that msg pointer is set back to error value in case of
    MSG_COPY flag is set and desired message to copy wasn't found.  This
    garantees that msg is either a error pointer or a copy address.
    
    Otherwise the last message in queue will be freed without unlinking from
    the queue (which leads to memory corruption) and the dummy allocated
    copy won't be released.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msg.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
Author: Jan Kara <jack@suse.cz>
Date:   Fri Mar 29 15:39:16 2013 +0100

    Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
    
    reiserfs: Fix warning and inode leak when deleting inode with xattrs
    
    After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
    started failing to delete xattrs from inode. This was due to a buggy
    test for '.' and '..' in fill_with_dentries() which resulted in passing
    '.' and '..' entries to lookup_one_len() in some cases. That returned
    error and so we failed to iterate over all xattrs of and inode.
    
    Fix the test in fill_with_dentries() along the lines of the one in
    lookup_one_len().
    
    Reported-by: Pawel Zawora <pzawora@gmail.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/xattr.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
Author: Paul Bolle <pebolle@tiscali.nl>
Date:   Wed Apr 3 12:24:45 2013 +0100

    Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
    
    ARM: 7690/1: mm: fix CONFIG_LPAE typos
    
    CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
    up the two typos under arch/arm/.
    
    The fix to head.S is slightly scary, but this is just for setting up
    an early io-mapping for the serial port when running on a big-endian,
    LPAE system. Since these systems don't exist in the wild (at least, I
    have no access to one outside of kvmtool, which doesn't provide a serial
    port suitable for earlyprintk), then we can revisit the code later if it
    causes any problems.
    
    Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/kernel/head.S  |    2 +-
 arch/arm/kernel/setup.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 984ba346b2d8f158473e9723ba145031368431ed
Author: Catalin Marinas <catalin.marinas@arm.com>
Date:   Tue Mar 26 23:35:04 2013 +0100

    Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
    
    ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
    
    On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
    all use of the old entries. This patch implements the erratum workaround
    which consists of:
    
    1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
    2. Send IPI to the CPUs that are running the same mm (and ASID) as the
       one being invalidated (or all the online CPUs for global pages).
    3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
       return code already).
    
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    
    Conflicts:
    
        arch/arm/include/asm/tlbflush.h
        arch/arm/kernel/smp_tlb.c
        arch/arm/mm/context.c

 arch/arm/Kconfig                   |   10 +++++
 arch/arm/include/asm/highmem.h     |    7 ++++
 arch/arm/include/asm/mmu_context.h |    2 +
 arch/arm/include/asm/tlbflush.h    |   15 ++++++++
 arch/arm/kernel/smp_tlb.c          |   66 ++++++++++++++++++++++++++++++++++++
 arch/arm/mm/context.c              |    6 ++-
 6 files changed, 104 insertions(+), 2 deletions(-)

commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
Author: Jan Stancek <jstancek@redhat.com>
Date:   Thu Apr 4 11:35:10 2013 -0700

    Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
    
    mm: prevent mmap_cache race in find_vma()
    
    find_vma() can be called by multiple threads with read lock
    held on mm->mmap_sem and any of them can update mm->mmap_cache.
    Prevent compiler from re-fetching mm->mmap_cache, because other
    readers could update it in the meantime:
    
                   thread 1                             thread 2
                                            |
      find_vma()                            |  find_vma()
        struct vm_area_struct *vma = NULL;  |
        vma = mm->mmap_cache;               |
        if (!(vma && vma->vm_end > addr     |
            && vma->vm_start <= addr)) {    |
                                            |    mm->mmap_cache = vma;
        return vma;                         |
         ^^ compiler may optimize this      |
            local variable out and re-read  |
            mm->mmap_cache                  |
    
    This issue can be reproduced with gcc-4.8.0-1 on s390x by running
    mallocstress testcase from LTP, which triggers:
    
      kernel BUG at mm/rmap.c:1088!
        Call Trace:
         ([<000003d100c57000>] 0x3d100c57000)
          [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
          [<000000000023baae>] handle_pte_fault+0x41a/0xac8
          [<000000000023d832>] handle_mm_fault+0x17a/0x268
          [<000000000060507a>] do_protection_exception+0x1e2/0x394
          [<0000000000603a04>] pgm_check_handler+0x138/0x13c
          [<000003fffcf1f07a>] 0x3fffcf1f07a
        Last Breaking-Event-Address:
          [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
    
    Thanks to Jakub Jelinek for his insight on gcc and helping to
    track this down.
    
    Signed-off-by: Jan Stancek <jstancek@redhat.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c  |    2 +-
 mm/nommu.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 53f5096daa14967938bc154e6c41f9119863fb36
Merge: e988d7c 0a45285
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 5 17:32:31 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/net/ethernet/broadcom/tg3.c

commit 0a452855444d02502df6eb21ef3083cf303f71e1
Merge: 0277fa1 00cfbb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 5 17:31:15 2013 -0400

    Update to pax-linux-3.8.6-test16.patch:
    - fixed some attribute leakage into userland headers, patch by Mathias Krause
    - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
    
    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        drivers/gpu/drm/i915/intel_display.c

commit e988d7c8d946c816a2cb97f0d38048a1584966b8
Merge: baec40e 0277fa1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:05:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0277fa123b486cf11420967e4568d7653e225fd3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:04:48 2013 -0400

    Update to pax-linux-3.8.5-test15.patch:
    - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
    - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)

 drivers/media/pci/cx88/cx88-video.c |    6 +++---
 include/net/net_namespace.h         |    4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

commit baec40e6708fd5ae2000cad6c70c5980c998b91c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 19:50:32 2013 -0400

    fix compilation as reported on forums for gcc versions lacking plugin
    support

 include/net/net_namespace.h |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
Merge: 6b69c35 0db9d15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:47:27 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0db9d156826bdd50510086fde837648a3dfd370e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:46:05 2013 -0400

    Update to pax-linux-3.8.5-test14.patch:
    - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table

 arch/x86/include/asm/uaccess_64.h |    6 +-
 include/linux/moduleloader.h      |    4 +-
 tools/gcc/size_overflow_hash.data |   98 +++++++++++++++++++++----------------
 3 files changed, 61 insertions(+), 47 deletions(-)

commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:35:06 2013 -0400

    remove duplicate compiler.h

 include/linux/sysrq.h |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 01e1d503fd2220adaaec0b92ea19441bdff73555
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 19:53:50 2013 -0400

    fix intentional_overflow marking on sys_sendto

 include/linux/syscalls.h |    2 +-
 net/socket.c             |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit cd5ff114d958470f471c63775278e8c05e774630
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 18:46:16 2013 -0400

    fix size_overflow false positive

 kernel/futex_compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 295ba16cc53df2375261accbedd6575ea327770a
Merge: 18340f1 278a989
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:36:18 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/exec.c
        include/linux/thread_info.h

commit 278a989c831d62193c7b3d119fe2302babd45d12
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:34:34 2013 -0400

    Resync with pax-linux-3.8.5-test13.patch

 arch/arm/include/asm/pgtable.h |    3 ++-
 arch/arm/lib/delay.c           |    1 +
 fs/exec.c                      |    8 ++++----
 include/linux/compiler.h       |    1 +
 include/linux/proc_fs.h        |    2 +-
 include/linux/thread_info.h    |    6 +++---
 include/linux/zlib.h           |    3 ++-
 init/main.c                    |    4 ++--
 kernel/user_namespace.c        |    2 +-
 lib/list_debug.c               |    4 ++--
 mm/slab.c                      |    1 +
 mm/slob.c                      |    1 +
 mm/slub.c                      |    1 +
 net/core/sysctl_net_core.c     |    3 +--
 tools/gcc/constify_plugin.c    |    1 +
 15 files changed, 24 insertions(+), 17 deletions(-)

commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
Merge: 05f01ae e8cfeae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:30:57 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
Merge: b461cb7 aa4cfde
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:30:44 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        drivers/gpu/drm/i915/i915_gem_execbuffer.c
        fs/nfsd/vfs.c

commit 05f01ae4c3479541586a2387f916a6620889c479
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:05:39 2013 -0400

    Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
    takes user-provided length, copies up to that amount in a sockaddr_storage
    struct on the stack, then takes an upper-bounded-only user-provided length
    and copies the sockaddr_storage struct back out to userland, complete with
    uninitialized data

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit eea6ade59490784e83e08ec67322288fcf14cb31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 23:07:37 2013 -0400

    return a proper error, otherwise we could be accessing uninitialized data
    (previous define was a positive value)

 drivers/usb/storage/realtek_cr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
Merge: c3dc9a6 b461cb7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:54:24 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit b461cb7b1d85490430ef7896c247794af72c3749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:54:11 2013 -0400

    Add structleak plugin

 tools/gcc/structleak_plugin.c |  270 +++++++++++++++++++++++++++++++++++++++++
 1 files changed, 270 insertions(+), 0 deletions(-)

commit c3dc9a6ef10782894bb11fd088fd712db44d8062
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:53:22 2013 -0400

    Enable structleak by default for the security auto-config

 security/Kconfig |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
Merge: d8503a3 74bec16
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:47:10 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 74bec16b657147a5575b1f14f4423a717ba317a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:46:13 2013 -0400

    Update to pax-linux-3.8.4-test13.patch:
    - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
    - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland

 Makefile                      |    5 +++-
 arch/x86/include/asm/compat.h |    2 +-
 arch/x86/mm/fault.c           |    3 +-
 fs/binfmt_elf.c               |    2 +-
 include/linux/compiler.h      |   42 ++++++++++++++--------------------------
 security/Kconfig              |   16 +++++++++++++++
 tools/gcc/Makefile            |    2 +
 tools/gcc/constify_plugin.c   |    7 +++++-
 8 files changed, 47 insertions(+), 32 deletions(-)

commit d8503a3a35d68b9ba1615d29335aef3f70d51465
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:02:40 2013 -0400

    Fix 8-byte stack infoleak in ia32_rt_sigpending
    User controls length, kernel only performs check on the upper bound, will
    fill in any amount less than sizeof(sigset_t) via a copy_to_user under
    KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
    regardless of whether the sigset_t content copied into it has been initialized
    or not

 arch/x86/ia32/sys_ia32.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 26 21:05:05 2013 -0400

    commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
    Author: J. Bruce Fields <bfields@redhat.com>
    Date:   Tue Mar 26 14:11:13 2013 -0400
    
        nfsd4: reject "negative" acl lengths
    
        Since we only enforce an upper bound, not a lower bound, a "negative"
        length can get through here.
    
        The symptom seen was a warning when we attempt to a kmalloc with an
        excessive size.
    
        Reported-by: Toralf Förster <toralf.foerster@gmx.de>
        Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 fs/nfsd/nfs4xdr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
Author: Jeff Layton <jlayton@redhat.com>
Date:   Mon Mar 11 09:52:19 2013 -0400

    Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
    
    cifs: ignore everything in SPNEGO blob after mechTypes
    
    We've had several reports of people attempting to mount Windows 8 shares
    and getting failures with a return code of -EINVAL. The default sec=
    mode changed recently to sec=ntlmssp. With that, we expect and parse a
    SPNEGO blob from the server in the NEGOTIATE reply.
    
    The current decode_negTokenInit function first parses all of the
    mechTypes and then tries to parse the rest of the negTokenInit reply.
    The parser however currently expects a mechListMIC or nothing to follow the
    mechTypes, but Windows 8 puts a mechToken field there instead to carry
    some info for the new NegoEx stuff.
    
    In practice, we don't do anything with the fields after the mechTypes
    anyway so I don't see any real benefit in continuing to parse them.
    This patch just has the kernel ignore the fields after the mechTypes.
    We'll probably need to reinstate some of this if we ever want to support
    NegoEx.
    
    Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
    Reported-by: Yan Li <elliot.li.tech@gmail.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Steve French <sfrench@us.ibm.com>

 fs/cifs/asn1.c |   53 +++++------------------------------------------------
 1 files changed, 5 insertions(+), 48 deletions(-)

commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
Merge: 93ff726 0deb54c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:35:15 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:35:05 2013 -0400

    fix typo

 arch/x86/mm/ioremap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
Merge: be9f8b8 f95e53a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:30:06 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f95e53abadb6e4665866e4502ff9f518514193e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:29:25 2013 -0400

    Update to pax-linux-3.8.4-test12.patch:
    
    - fixed perf compilation reported by Michael Tremer
    - fixed USERCOPY reports triggered by SCTP, reported by mcp
    - last fix for aslr gap accounting, promise (thanks to spender)

 arch/x86/mm/ioremap.c                    |    3 +++
 fs/binfmt_elf.c                          |    5 ++---
 mm/mmap.c                                |    2 +-
 net/sctp/socket.c                        |   19 +++++++++++++++----
 tools/perf/util/include/linux/compiler.h |    8 ++++++++
 5 files changed, 29 insertions(+), 8 deletions(-)

commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 16:48:34 2013 -0400

    From: Al Viro <viro@ZenIV.linux.org.uk>
    To: Brad Spengler <spender@grsecurity.net>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    
    Umm...  I see what you are describing, and AFAICS you are correct; let me
    see if I am misreading your analysis:
            * vfsmount_lock may act fair; A holding it shared, with B spinning
    on attempt to take it exclusive may lead to C spinning on attempt to take
    it shared.
            * path_is_under() tries get rename_lock while holding vfsmount_lock
    shared.
            * d_path() et.al. try to take vfsmount_lock shared, while holding
    rename_lock.
    
    All true and yes, it's a bug (I'd probably classify it as a livelock, but
    that doesn't make any real difference).  There are three possible solutions,
    AFAICS:
            1) two-liner in path_is_under() replacing the use of vfsmount_lock
    with that of namespace_sem; trivial, but results in function unexpectedly
    blocking.  The current callers are fine with that, but it's a trouble
    waiting to happen.
            2) replace write_seqlock() in prepend_path() callers with
    read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
    is_subdir() we need more than just ->d_parent not pointing to something
    freed - we also care about ->d_name.len being in sync with ->d_name.name.
    It probably can be worked around, but...
    
            3) declare that rename_lock nests inside vfsmount_lock and let
    the callers of prepend_path() take vfsmount_lock().  I'd probably prefer
    that one...
    
    Nest rename_lock inside vfsmount_lock
    
    ... lest we get livelocks between path_is_under() and d_path() and friends.
    
    [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
      the issue ]
    
    Spotted-by: Brad Spengler <spender@grsecurity.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/dcache.c        |   16 +++++++++++-----
 grsecurity/gracl.c |   20 ++++++++++----------
 2 files changed, 21 insertions(+), 15 deletions(-)

commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Mar 22 11:44:04 2013 -0700

    Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
    
    vfs,proc: guarantee unique inodes in /proc
    
    Dave Jones found another /proc issue with his Trinity tool: thanks to
    the namespace model, we can have multiple /proc dentries that point to
    the same inode, aliasing directories in /proc/<pid>/net/ for example.
    
    This ends up being a total disaster, because it acts like hardlinked
    directories, and causes locking problems.  We rely on the topological
    sort of the inodes pointed to by dentries, and if we have aliased
    directories, that odering becomes unreliable.
    
    In short: don't do this.  Multiple dentries with the same (directory)
    inode is just a bad idea, and the namespace code should never have
    exposed things this way.  But we're kind of stuck with it.
    
    This solves things by just always allocating a new inode during /proc
    dentry lookup, instead of using "iget_locked()" to look up existing
    inodes by superblock and number.  That actually simplies the code a bit,
    at the cost of potentially doing more inode [de]allocations.
    
    That said, the inode lookup wasn't free either (and did a lot of locking
    of inodes), so it is probably not that noticeable.  We could easily keep
    the old lookup model for non-directory entries, but rather than try to
    be excessively clever this just implements the minimal and simplest
    workaround for the problem.
    
    Reported-and-tested-by: Dave Jones <davej@redhat.com>
    Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/inode.c

 fs/proc/inode.c |    9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
Author: Vladimir Davydov <vdavydov@parallels.com>
Date:   Fri Mar 22 15:04:51 2013 -0700

    Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
    
    mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
    
    mnt_drop_write() must be called only if mnt_want_write() succeeded,
    otherwise the mnt_writers counter will diverge.
    
    mnt_writers counters are used to check if remounting FS as read-only is
    OK, so after an extra mnt_drop_write() call, it would be impossible to
    remount mqueue FS as read-only.  Besides, on umount a warning would be
    printed like this one:
    
      =====================================
      [ BUG: bad unlock balance detected! ]
      3.9.0-rc3 #5 Not tainted
      -------------------------------------
      a.out/12486 is trying to release lock (sb_writers) at:
      mnt_drop_write+0x1f/0x30
      but there are no more locks to release!
    
    Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
    Cc: Doug Ledford <dledford@redhat.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/mqueue.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 13:02:32 2013 -0400

    Don't use constify plugin if not enabled in config,
    reported by Alexey Vlasov

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3afb82e020593249ac394e9859397c3e0ef5341c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:50:13 2013 -0400

    oded 0day #2
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 20

 drivers/net/ethernet/broadcom/tg3.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:15:50 2013 -0400

    oded 0day #1
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 18

 drivers/net/wireless/zd1211rw/zd_usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:13:12 2013 -0400

    remove warning on accessing this /proc entry, HIDESYM already caught the infoleak

 drivers/gpu/drm/i915/i915_debugfs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 44cb11a9470f72157601d0ad4d572d111f90f504
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 18:11:42 2013 -0400

    use VM_DONTDUMP

 fs/binfmt_elf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:53:09 2013 -0400

    fix recent RLIMIT_AS changes (due to vm_flags typo)
    
    Conflicts:
    
        fs/binfmt_elf.c

 fs/binfmt_elf.c |    2 +-
 mm/mmap.c       |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit fd5f0d92b0fbec02029dad124501a9c80e527a32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:08:48 2013 -0400

    complete_walk drops rcu-walk mode, no need for our own dropping
    method outside of generic_permission

 fs/namei.c |   30 ------------------------------
 1 files changed, 0 insertions(+), 30 deletions(-)

commit b49ab1c73edb6442eec609b26bba4d850b3111b6
Merge: 5e9a707 783ade9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 21:56:28 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 21:55:31 2013 -0400

    Update to pax-linux-3.8.3-test11.patch:
    - rewrote the ASLR gap accounting code once again
    - fixed ptrace compat bug found by the size overflow plugin

 fs/binfmt_elf.c          |   25 ++++++++++++-------------
 fs/exec.c                |    7 ++-----
 include/linux/compat.h   |    2 +-
 include/linux/mm.h       |    5 +++++
 include/linux/mm_types.h |    2 +-
 kernel/ptrace.c          |    2 +-
 mm/mmap.c                |   15 ++++++++++-----
 7 files changed, 32 insertions(+), 26 deletions(-)

commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 19:37:33 2013 -0400

    Make the constify plugin usage actually depend on the introduced config option
    (it was still forced on)

 tools/gcc/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1974b4f58d9d729c80ac1987785446115304a54c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 16:12:38 2013 -0400

    fix failed merge

 arch/arm/mm/fault.c |   15 +++------------
 1 files changed, 3 insertions(+), 12 deletions(-)

commit 675a8ab4a8fe8315df348735a37a302a7535224c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 23:36:14 2013 -0400

    From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
    From: Kees Cook <keescook@chromium.org>
    Date: Sun, 10 Mar 2013 20:09:31 +0000
    Subject: drm/i915: bounds check execbuffer relocation count
    
    It is possible to wrap the counter used to allocate the buffer for
    relocation copies. This could lead to heap writing overflows.
    
    CVE-2013-0913
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Reported-by: Pinkie Pie
    Cc: stable@vger.kernel.org

 drivers/gpu/drm/i915/i915_gem_execbuffer.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:48:10 2013 -0800

    Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
    
    KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
    
    There is a potential use after free issue with the handling of
    MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or removable
    memory such as frame buffers then KVM might continue to write to that
    address even after it's removed via KVM_SET_USER_MEMORY_REGION.  KVM pins
    the page in memory so it's unlikely to cause an issue, but if the user
    space component re-purposes the memory previously used for the guest, then
    the guest will be able to corrupt that memory.
    
    Tested: Tested against kvmclock unit test
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/include/asm/kvm_host.h |    4 +-
 arch/x86/kvm/x86.c              |   47 ++++++++++++++++----------------------
 2 files changed, 22 insertions(+), 29 deletions(-)

commit 0bcac31b57c381001feb69fd6ec8069e61e03432
Author: Andy Honig <ahonig@google.com>
Date:   Mon Mar 11 09:34:52 2013 -0700

    Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
    
    KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
    
    If the guest sets the GPA of the time_page so that the request to update the
    time straddles a page then KVM will write onto an incorrect page.  The
    write is done byusing kmap atomic to get a pointer to the page for the time
    structure and then performing a memcpy to that page starting at an offset
    that the guest controls.  Well behaved guests always provide a 32-byte aligned
    address, however a malicious guest could use this to corrupt host kernel
    memory.
    
    Tested: Tested against kvmclock unit test.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/kvm/x86.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 695c59887e4ec10b0b695ab4f645d1226c433be0
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:49:16 2013 -0800

    Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
    
    KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
    
    If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
    that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
    that request.  ioapic_read_indirect contains an
    ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
    non-debug builds.  In recent kernels this allows a guest to cause a kernel
    oops by reading invalid memory.  In older kernels (pre-3.3) this allows a
    guest to read from large ranges of host memory.
    
    Tested: tested against apic unit tests.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 virt/kvm/ioapic.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
Merge: aec3cd4 c522e3a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 19:38:25 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
Merge: c57d855 405acc3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 19:38:11 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 19:56:04 2013 -0400

    include linux/compiler.h

 include/linux/zlib.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:42:20 2013 -0400

    fix missing sock_release()

 net/irda/af_irda.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit dd65c05cd24faf8946d4941434a553ee285c35a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:36:17 2013 -0400

    fix mpt fusion infoleak

 drivers/message/fusion/mptbase.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:33:45 2013 -0400

    Fix size_overflow false positive reported by slashbeast

 include/linux/zlib.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:35:36 2013 -0400

    fix up failed merge

 arch/arm/mm/fault.c |    9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:34:36 2013 -0400

    update documentation on consequences of building without gcc plugin support

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:18:13 2013 -0400

    fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums

 init/main.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f00195c633f91cfbd8c1f530d2c371b713026e20
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 22:27:33 2013 -0400

    Fix compile error reported by KDE on the forums

 kernel/user_namespace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
Merge: 0949569 c57d855
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 22:20:46 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/mm/fault.c
        arch/x86/mm/fault.c
        fs/exec.c

commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 21:22:03 2013 -0400

    Update to pax-linux-3.8.2-test9.patch:
     arm changes from spender
      - removed userland access to the vectors page
      - removed obsolete sigreturn trampoline handling
      - added emulation for __kuser_get_tls
      - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
    - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
    - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
    - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
    - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
    - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
      and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.

 arch/arm/kernel/process.c                     |    5 +-
 arch/arm/kernel/signal.c                      |   24 +-
 arch/arm/kernel/traps.c                       |    7 -
 arch/arm/mm/alignment.c                       |    8 +
 arch/arm/mm/fault.c                           |   23 +-
 arch/arm/mm/mmu.c                             |    2 +-
 arch/x86/include/asm/bitops.h                 |    2 +-
 arch/x86/include/asm/desc.h                   |    2 +-
 arch/x86/include/asm/div64.h                  |    2 +-
 arch/x86/include/asm/io.h                     |    8 +-
 arch/x86/include/asm/paravirt.h               |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c |   16 +-
 arch/x86/kernel/setup_percpu.c                |    2 +-
 arch/x86/mm/fault.c                           |    4 +-
 arch/x86/mm/numa.c                            |    2 +-
 arch/x86/mm/physaddr.c                        |    4 +-
 drivers/ata/libahci.c                         |    2 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c    |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c       |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c        |    2 +-
 drivers/lguest/page_tables.c                  |    2 +-
 drivers/net/wireless/at76c50x-usb.c           |    2 +-
 drivers/oprofile/oprofile_files.c             |    2 +-
 drivers/power/power_supply_core.c             |    1 +
 drivers/usb/core/message.c                    |    2 +-
 fs/befs/endian.h                              |    4 +-
 fs/binfmt_elf.c                               |    5 +-
 fs/exec.c                                     |    4 +-
 fs/qnx6/qnx6.h                                |    4 +-
 fs/sysv/sysv.h                                |    2 +-
 fs/ubifs/io.c                                 |    2 +-
 fs/ufs/swab.h                                 |    4 +-
 include/linux/compat.h                        |    4 +-
 include/linux/completion.h                    |    6 +-
 include/linux/cpumask.h                       |   12 +-
 include/linux/ctype.h                         |    2 +-
 include/linux/err.h                           |    4 +-
 include/linux/math64.h                        |    6 +-
 include/linux/sched.h                         |    2 +-
 include/linux/unaligned/access_ok.h           |   12 +-
 include/linux/usb.h                           |    2 +-
 include/uapi/linux/byteorder/little_endian.h  |    4 +-
 include/uapi/linux/swab.h                     |    6 +-
 kernel/sched/core.c                           |    6 +-
 kernel/signal.c                               |    3 +
 kernel/time.c                                 |    2 +-
 kernel/timer.c                                |    2 +-
 lib/div64.c                                   |    4 +-
 mm/page-writeback.c                           |    2 +-
 net/socket.c                                  |    2 +
 scripts/package/builddeb                      |    1 +
 tools/gcc/size_overflow_hash.data             | 8869 +++++++++++++++----------
 tools/gcc/size_overflow_plugin.c              | 1072 ++--
 53 files changed, 6227 insertions(+), 3951 deletions(-)

commit 09495691bb31f11ec14d9127429f9a0f3f716f22
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:51:50 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit deb85b00d0f9f886e264e116313f298401ec5c59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:03:33 2013 -0400

    Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
    with a subject applied to it with RES_CPU.  Otherwise, the limit will only
    begin to be applied at fork time.
    
    Thanks to Bjornar Ness for the report.

 grsecurity/gracl.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 2126421f123513f604ceef2b23ba9ed516de7e58
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:07:43 2013 -0400

    Move inode auditing prior to our refcnt dropping

 fs/namei.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:00:30 2013 -0400

    Drop reference on completed path walked in RCU mode or when violating
    the chroot fchdir check inside a chroot -- possible culprit for a reported
    vfsmount_lock hang during unmount

 fs/namei.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 16:43:45 2013 -0400

    add user_arg_ptr back to exec.c

 fs/exec.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 11:22:36 2013 -0400

    Don't globally include compat.h -- with the new X32 support it
    changes some definitions involving ELF binaries resulting in invalid
    coredumps, as reported by KDE on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
    Thanks to the PaX Team for debugging

 fs/exec.c                  |    3 +++
 grsecurity/grsec_exec.c    |   13 +++++++++++++
 include/linux/grsecurity.h |   15 ---------------
 3 files changed, 16 insertions(+), 15 deletions(-)

commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:59:26 2013 -0400

    Add peer information to /proc/net/unix from Kenan Kalajdzic:
    http://marc.info/?l=linux-netdev&m=126745636809191&w=2
    
    We use a "P" prefix to the inode number instead of "peer=".  This
    additional information can be used, for instance, to find what processes
    are connected to MySQL's unix domain socket.

 net/unix/af_unix.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 1cd623d11a462d151ea8a5cace4521e1724911a3
Author: Oliver Neukum <oneukum@suse.de>
Date:   Tue Mar 12 14:52:42 2013 +0100

    Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
    
    USB: cdc-wdm: fix buffer overflow
    
    The buffer for responses must not overflow.
    If this would happen, set a flag, drop the data and return
    an error after user space has read all remaining data.
    
    Signed-off-by: Oliver Neukum <oliver@neukum.org>
    CC: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/usb/class/cdc-wdm.c |   23 ++++++++++++++++++++---
 1 files changed, 20 insertions(+), 3 deletions(-)

commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
Merge: 9cdf9bc db4cb92
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:23:14 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/keys/compat.c

commit db4cb924546e3fec3a59f78d056f48176eaf7100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:22:24 2013 -0400

    Update to pax-linux-3.8.2-test8.patch

 arch/arm/include/asm/cache.h                |    2 ++
 arch/arm/mach-omap2/gpmc.c                  |   22 ++++++++++++----------
 arch/arm/mach-omap2/omap_device.c           |    4 ++--
 arch/arm/mach-omap2/omap_device.h           |    4 ++--
 arch/arm/plat-orion/include/plat/addr-map.h |    2 +-
 5 files changed, 19 insertions(+), 15 deletions(-)

commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
Merge: 3c865f9 1a45c31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:20:54 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/arm/include/asm/delay.h
        arch/arm/include/asm/pgtable.h
        arch/arm/lib/delay.c
        security/keys/compat.c

commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Tue Mar 12 02:59:49 2013 +0000

    Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
    
    vfs: fix pipe counter breakage
    
    If you open a pipe for neither read nor write, the pipe code will not
    add any usage counters to the pipe, causing the 'struct pipe_inode_info"
    to be potentially released early.
    
    That doesn't normally matter, since you cannot actually use the pipe,
    but the pipe release code - particularly fasync handling - still expects
    the actual pipe infrastructure to all be there.  And rather than adding
    NULL pointer checks, let's just disallow this case, the same way we
    already do for the named pipe ("fifo") case.
    
    This is ancient going back to pre-2.4 days, and until trinity, nobody
    naver noticed.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/pipe.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date:   Mon Feb 25 10:20:36 2013 -0500

    Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
    
    Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
    
    Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
    compat_process_vm_rw() shows that the compatibility code requires an
    explicit "access_ok()" check before calling
    compat_rw_copy_check_uvector(). The same difference seems to appear when
    we compare fs/read_write.c:do_readv_writev() to
    fs/compat.c:compat_do_readv_writev().
    
    This subtle difference between the compat and non-compat requirements
    should probably be debated, as it seems to be error-prone. In fact,
    there are two others sites that use this function in the Linux kernel,
    and they both seem to get it wrong:
    
    Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
    also ends up calling compat_rw_copy_check_uvector() through
    aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
    be missing. Same situation for
    security/keys/compat.c:compat_keyctl_instantiate_key_iov().
    
    I propose that we add the access_ok() check directly into
    compat_rw_copy_check_uvector(), so callers don't have to worry about it,
    and it therefore makes the compat call code similar to its non-compat
    counterpart. Place the access_ok() check in the same location where
    copy_from_user() can trigger a -EFAULT error in the non-compat code, so
    the ABI behaviors are alike on both compat and non-compat.
    
    While we are here, fix compat_do_readv_writev() so it checks for
    compat_rw_copy_check_uvector() negative return values.
    
    And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
    handling.
    
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        security/keys/compat.c

 fs/compat.c            |   15 +++++++--------
 mm/process_vm_access.c |    8 --------
 security/keys/compat.c |    3 ++-
 3 files changed, 9 insertions(+), 17 deletions(-)

commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 11 18:38:38 2013 -0400

    Fix leak of signal handler addresses across execve, found by Emese Revfy

 kernel/signal.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 79b130c4b11c7940daf2b33d653a17666331c634
Merge: 6480ce9 3c865f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 20:04:03 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 20:03:12 2013 -0400

    Update to pax-linux-3.8.2-test7.patch:
    - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
    - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)

 fs/binfmt_elf.c                   |    3 ++-
 fs/exec.c                         |    3 +++
 include/linux/mm_types.h          |    2 +-
 init/main.c                       |    4 ++--
 mm/mmap.c                         |    2 +-
 mm/page_alloc.c                   |    4 ++--
 tools/gcc/latent_entropy_plugin.c |   11 +++++++----
 7 files changed, 18 insertions(+), 11 deletions(-)

commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
Merge: 4a5305e 25b3569
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 10:41:16 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 25b356980568bed9958315bb5a551fdc610055ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 10:40:48 2013 -0400

    Update to pax-linux-3.8.2-test6.patch:
    - fixed a KERNEXEC false positive on arm reported by Gu1
    - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
    - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
    - added fix from spender for some namespace breakage reported by zakalwe
    - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot

 Documentation/kernel-parameters.txt |    5 +++++
 arch/arm/kernel/patch.c             |    2 ++
 arch/x86/kernel/sys_i386_32.c       |    5 +++--
 drivers/acpi/blacklist.c            |    2 +-
 drivers/video/aty/mach64_cursor.c   |    1 +
 init/main.c                         |    4 ----
 mm/page_alloc.c                     |   27 +++++++++++++++++++++++++++
 net/ipv4/ip_fragment.c              |    2 +-
 security/Kconfig                    |    5 +++++
 tools/gcc/latent_entropy_plugin.c   |    7 +++++--
 10 files changed, 50 insertions(+), 10 deletions(-)

commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 11:19:06 2013 -0500

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
            Stephen Hemminger <stephen@networkplumber.org>
    Subject: [PATCH 1/3] bridge: fix mdb info leaks
    Date: Sat,  9 Mar 2013 16:52:19 +0100
    
    The bridging code discloses heap and stack bytes via the RTM_GETMDB
    netlink interface and via the notify messages send to group RTNLGRP_MDB
    afer a successful add/del.
    
    Fix both cases by initializing all unset members/padding bytes with
    memset(0).
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
    Date: Sat,  9 Mar 2013 16:52:20 +0100
    
    Initialize the mac address buffer with 0 as the driver specific function
    will probably not fill the whole buffer. In fact, all in-kernel drivers
    fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
    bytes. Therefore we currently leak 26 bytes of stack memory to userland
    via the netlink interface.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
    Date: Sat,  9 Mar 2013 16:52:21 +0100
    
    The dcb netlink interface leaks stack memory in various places:
    * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
      copied completely,
    * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
      so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
      for ieee_pfc structs, etc.,
    * the same is true for CEE -- no in-kernel driver fills the whole
      struct,
    
    Prevent all of the above stack info leaks by properly initializing the
    buffers/structures involved.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/bridge/br_mdb.c  |    4 ++++
 net/core/rtnetlink.c |    1 +
 net/dcb/dcbnl.c      |    8 ++++++++
 3 files changed, 13 insertions(+), 0 deletions(-)

commit 601dd446f896e3a362f706943df18a68d50420a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 09:35:25 2013 -0500

    add open/close wrappers in __patch_text() as reported by Gu1 on IRC

 arch/arm/kernel/patch.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ae39966fd85a493e9079b357e3faa62245a41222
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Fri Mar 8 12:43:27 2013 -0800

    Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
    
    ipc: don't allocate a copy larger than max
    
    When MSG_COPY is set, a duplicate message must be allocated for the copy
    before locking the queue.  However, the copy could not be larger than was
    sent which is limited to msg_ctlmax.
    
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msg.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 61240e99650ea3e540a03a3e994349c5086f166b
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Fri Mar 8 12:43:26 2013 -0800

    Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
    
    ipc: fix potential oops when src msg > 4k w/ MSG_COPY
    
    If the src msg is > 4k, then dest->next points to the
    next allocated segment; resetting it just prior to dereferencing
    is bad.
    
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msgutil.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 51727f602a267f34fb2e0dc9557f1714028d51a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 22:14:06 2013 -0500

    add missing 'else' in recent constify fixups

 net/ipv4/ip_fragment.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
Merge: 1580bb3 47c3f47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:18:37 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:17:22 2013 -0500

    Update to pax-linux-3.8.2-test5.patch:
    - fixed some fallout after the last round of constification changes, reported by several people

 arch/arm/common/gic.c                   |    4 ++--
 arch/arm/include/asm/hardware/gic.h     |    3 ++-
 arch/x86/include/asm/nmi.h              |    2 +-
 arch/x86/kernel/nmi.c                   |    2 +-
 arch/x86/pci/irq.c                      |    2 +-
 drivers/base/power/domain.c             |    4 ++--
 drivers/cpufreq/cpufreq_governor.c      |    4 ++--
 drivers/mfd/twl4030-irq.c               |    1 +
 drivers/video/vesafb.c                  |    7 +++++--
 include/linux/irq.h                     |    1 +
 include/linux/pm_domain.h               |    2 +-
 kernel/sched/core.c                     |    4 ++++
 lib/Kconfig.debug                       |    4 ++--
 net/core/sysctl_net_core.c              |    2 +-
 net/decnet/af_decnet.c                  |    1 +
 net/ipv4/devinet.c                      |    2 +-
 net/ipv4/ip_fragment.c                  |    2 +-
 net/ipv4/route.c                        |    2 +-
 net/ipv4/sysctl_net_ipv4.c              |    2 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c |    2 +-
 net/ipv6/reassembly.c                   |    2 +-
 scripts/sortextable.h                   |    6 +++---
 22 files changed, 36 insertions(+), 25 deletions(-)

commit 1580bb38b4db0bf2a46316599815e8b234edad81
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 22:02:59 2013 -0500

    add an additional open/close wrapper

 kernel/sched/core.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 21622672d28d58e0d93a805cd1f9650a894a752a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 21:58:24 2013 -0500

    fix oops at shutdown with new constify code

 kernel/sched/core.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 21:18:44 2013 -0500

    Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
    it currently conflicts with some lock debugging options, so made as an
    option to allow for debugging when necessary

 Makefile          |    2 --
 lib/Kconfig.debug |    6 +++---
 security/Kconfig  |   18 ++++++++++++++++++
 3 files changed, 21 insertions(+), 5 deletions(-)

commit 0885b00b8373a1597b69c38032a0c9eee279303b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:55:19 2013 -0500

    disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify

 lib/Kconfig.debug |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c8a2617165e7127a54f293cbf57d22d50dd83abd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:30:41 2013 -0500

    Fix error:
    drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
    with cast and proper kernexec accessors

 drivers/video/vesafb.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:20:28 2013 -0500

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:12:17 2013 -0500

    fix compilation error -- no reason for task_pid_nr to not take a const task ptr

 include/linux/sched.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
Author: Kees Cook <keescook@chromium.org>
Date:   Mon Feb 25 21:32:25 2013 +0000

    Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
    
    proc connector: reject unprivileged listener bumps
    
    While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
    for an unprivileged user to turn off notifications for all listeners by
    sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
    required for a multicast bind.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Evgeniy Polyakov <zbr@ioremap.net>
    Cc: Matt Helsley <matthltc@us.ibm.com>
    Cc: stable@vger.kernel.org
    Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
    Acked-by: Matt Helsley <matthltc@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/connector/cn_proc.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit ac6014ded57101e3e608941555ff507e20c1ece3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Feb 26 19:15:02 2013 +0000

    Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
    
    irda: small read beyond end of array in debug code
    
    charset comes from skb->data.  It's a number in the 0-255 range.
    If we have debugging turned on then this could cause a read beyond
    the end of the array.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/iriap.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Wed Feb 27 10:57:31 2013 +0000

    Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
    
    net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
    
    Building sctp may fail with:
    
    In function ‘copy_from_user’,
        inlined from ‘sctp_getsockopt_assoc_stats’ at
        net/sctp/socket.c:5656:20:
    arch/x86/include/asm/uaccess_32.h:211:26: error: call to
        ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
        buffer size is not provably correct
    
    if built with W=1 due to a missing parameter size validation
    before the call to copy_from_user.
    
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Fri Mar 1 05:02:02 2013 +0000

    Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
    
    l2tp: Restore socket refcount when sendmsg succeeds
    
    The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
    reference counter after successful transmissions. Any successful
    sendmsg() call from userspace will then increase the reference counter
    forever, thus preventing the kernel's session and tunnel data from
    being freed later on.
    
    The problem only happens when writing directly on L2TP sockets.
    PPP sockets attached to L2TP are unaffected as the PPP subsystem
    uses pppol2tp_xmit() which symmetrically increase/decrease reference
    counters.
    
    This patch adds the missing call to sock_put() before returning from
    pppol2tp_sendmsg().
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:18:11 2013 +0000

    Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
    
    rds: limit the size allocated by rds_message_alloc()
    
    Dave Jones reported the following bug:
    
    "When fed mangled socket data, rds will trust what userspace gives it,
    and tries to allocate enormous amounts of memory larger than what
    kmalloc can satisfy."
    
    WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
    Hardware name: GA-MA78GM-S2H
    Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
    Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
    Call Trace:
     [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
     [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
     [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
     [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
     [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
     [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
     [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
     [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
     [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
     [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
     [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
     [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
     [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
     [<ffffffff81567f30>] sys_sendto+0x130/0x180
     [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
     [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
     [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
     [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
     [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
     [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
    ---[ end trace eed6ae990d018c8b ]---
    
    Reported-by: Dave Jones <davej@redhat.com>
    Cc: Dave Jones <davej@redhat.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/message.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:28:27 2013 +0000

    Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
    
    sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
    
    Don't definite its own MAX_KMALLOC_SIZE, use the one
    defined in mm.
    
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Cc: Sridhar Samudrala <sri@us.ibm.com>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/ssnmap.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit 4295a024e812f903fc580c81de5e81cc149503fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:57:49 2013 -0500

    Upstream commit: https://lkml.org/lkml/2013/3/6/535

 security/keys/process_keys.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 33edd486a9899a145a15586d7134636b0300aaee
Merge: 4eeeaf3 a2a2094
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:53:00 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/include/asm/domain.h

commit a2a20947f5e1332e474160a39af520738b3c8c19
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:51:04 2013 -0500

    Update to pax-linux-3.8.2-test4.patch:
     fixed arm compilation problems reported by Michael Tremer
    - the constify plugin got smarter that enabled, with some additional patching,
      the elimination of about half the static function pointers on amd64/allmod
      (up from about 18%), depending on the kernel config it can be even more (70%)

 Documentation/dontdiff                        |    2 +
 arch/arm/include/asm/domain.h                 |    1 +
 arch/x86/include/asm/i8259.h                  |    2 +-
 arch/x86/include/asm/nmi.h                    |    4 +-
 arch/x86/kernel/acpi/boot.c                   |    4 +-
 arch/x86/kernel/apic/apic_noop.c              |    2 +-
 arch/x86/kernel/apic/es7000_32.c              |    2 +-
 arch/x86/kernel/apic/io_apic.c                |   10 +-
 arch/x86/kernel/cpu/mcheck/mce.c              |    2 +-
 arch/x86/kernel/cpu/perf_event.c              |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h |    2 +-
 arch/x86/kernel/i8259.c                       |    6 +-
 arch/x86/kernel/io_delay.c                    |    2 +-
 arch/x86/kernel/nmi.c                         |    6 +-
 arch/x86/kernel/nmi_selftest.c                |    4 +-
 arch/x86/kernel/pci-swiotlb.c                 |    2 +-
 arch/x86/oprofile/nmi_int.c                   |    8 +-
 arch/x86/oprofile/op_model_amd.c              |    8 +-
 arch/x86/oprofile/op_model_ppro.c             |    7 +-
 arch/x86/oprofile/op_x86_model.h              |    2 +-
 arch/x86/pci/irq.c                            |    6 +-
 drivers/acpi/apei/apei-internal.h             |    2 +-
 drivers/acpi/bgrt.c                           |    6 +-
 drivers/acpi/blacklist.c                      |    2 +-
 drivers/acpi/processor_idle.c                 |    2 +-
 drivers/acpi/sysfs.c                          |    4 +-
 drivers/base/bus.c                            |    4 +-
 drivers/base/node.c                           |    2 +-
 drivers/base/syscore.c                        |    4 +-
 drivers/block/drbd/drbd_receiver.c            |    4 +-
 drivers/char/random.c                         |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                |   20 ++-
 drivers/cpufreq/cpufreq.c                     |    7 +-
 drivers/cpufreq/cpufreq_governor.c            |    4 +-
 drivers/cpufreq/cpufreq_governor.h            |    2 +-
 drivers/cpufreq/p4-clockmod.c                 |   12 +-
 drivers/cpufreq/speedstep-centrino.c          |    7 +-
 drivers/cpuidle/cpuidle.c                     |    2 +-
 drivers/cpuidle/governor.c                    |    4 +-
 drivers/cpuidle/sysfs.c                       |    2 +-
 drivers/devfreq/devfreq.c                     |    4 +-
 drivers/edac/edac_mc_sysfs.c                  |    2 +-
 drivers/edac/edac_pci_sysfs.c                 |    2 +-
 drivers/firewire/core-device.c                |    2 +-
 drivers/firmware/dmi-id.c                     |    2 +-
 drivers/firmware/efivars.c                    |    2 +-
 drivers/firmware/google/memconsole.c          |    4 +-
 drivers/gpio/gpio-ich.c                       |    2 +-
 drivers/gpu/drm/drm_drv.c                     |    2 +-
 drivers/gpu/drm/drm_ioc32.c                   |    9 +-
 drivers/gpu/drm/i915/i915_ioc32.c             |   11 +-
 drivers/gpu/drm/i915/intel_display.c          |   26 ++-
 drivers/gpu/drm/mga/mga_ioc32.c               |   11 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c       |    2 +-
 drivers/gpu/drm/r128/r128_ioc32.c             |   11 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c         |   11 +-
 drivers/gpu/drm/radeon/radeon_ttm.c           |   33 ++--
 drivers/gpu/drm/udl/udl_fb.c                  |    1 -
 drivers/hwmon/acpi_power_meter.c              |    4 +-
 drivers/hwmon/applesmc.c                      |    2 +-
 drivers/hwmon/asus_atk0110.c                  |   10 +-
 drivers/hwmon/ibmaem.c                        |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c              |    2 +-
 drivers/iio/industrialio-core.c               |    2 +-
 drivers/input/mouse/psmouse.h                 |    2 +-
 drivers/iommu/iommu.c                         |    2 +-
 drivers/leds/leds-clevo-mail.c                |    2 +-
 drivers/leds/leds-ss4200.c                    |    2 +-
 drivers/media/v4l2-core/v4l2-ioctl.c          |    5 +-
 drivers/mfd/twl4030-irq.c                     |    8 +-
 drivers/mfd/twl6030-irq.c                     |   10 +-
 drivers/misc/c2port/core.c                    |    4 +-
 drivers/mtd/sm_ftl.c                          |    2 +-
 drivers/net/bonding/bond_main.c               |    2 +-
 drivers/net/macvlan.c                         |   16 +-
 drivers/net/vxlan.c                           |    2 +-
 drivers/pci/hotplug/acpiphp_ibm.c             |    4 +-
 drivers/pci/hotplug/pci_hotplug_core.c        |    6 +-
 drivers/pci/hotplug/pciehp_core.c             |    2 +-
 drivers/pci/pci-sysfs.c                       |    6 +-
 drivers/pci/pci.h                             |    2 +-
 drivers/platform/x86/msi-laptop.c             |   14 +-
 drivers/platform/x86/sony-laptop.c            |    2 +-
 drivers/power/power_supply.h                  |    4 +-
 drivers/power/power_supply_core.c             |    6 +-
 drivers/power/power_supply_sysfs.c            |    6 +-
 drivers/rtc/rtc-cmos.c                        |    4 +-
 drivers/rtc/rtc-ds1307.c                      |    2 +-
 drivers/rtc/rtc-m48t59.c                      |    4 +-
 drivers/scsi/bfa/bfa.h                        |    2 +-
 drivers/staging/iio/iio_hwmon.c               |    2 +-
 drivers/usb/storage/usb.h                     |    2 +-
 drivers/video/aty/atyfb_base.c                |    8 +-
 drivers/video/aty/mach64_cursor.c             |    4 +-
 drivers/video/backlight/kb3886_bl.c           |    2 +-
 drivers/video/fb_defio.c                      |    6 +-
 drivers/video/mb862xx/mb862xxfb_accel.c       |   16 +-
 drivers/video/nvidia/nvidia.c                 |   27 ++-
 drivers/video/s1d13xxxfb.c                    |    6 +-
 drivers/video/smscufx.c                       |    4 +-
 drivers/video/udlfb.c                         |    4 +-
 drivers/video/uvesafb.c                       |   14 +-
 fs/exec.c                                     |    6 +-
 fs/ext4/super.c                               |    2 +-
 fs/jfs/super.c                                |    4 +-
 fs/nfs/callback_xdr.c                         |    2 +-
 fs/nfsd/nfs4proc.c                            |    2 +-
 fs/nfsd/nfs4xdr.c                             |    6 +-
 fs/nls/nls_base.c                             |   18 +-
 fs/nls/nls_euc-jp.c                           |    6 +-
 fs/nls/nls_koi8-ru.c                          |    6 +-
 fs/proc/proc_sysctl.c                         |   18 +-
 include/drm/drmP.h                            |   12 +-
 include/keys/asymmetric-subtype.h             |    2 +-
 include/linux/atmdev.h                        |    2 +-
 include/linux/binfmts.h                       |    2 +-
 include/linux/configfs.h                      |    2 +-
 include/linux/cpufreq.h                       |    3 +-
 include/linux/cpuidle.h                       |    5 +-
 include/linux/devfreq.h                       |    2 +-
 include/linux/device.h                        |    7 +-
 include/linux/extcon.h                        |    2 +-
 include/linux/fb.h                            |    2 +-
 include/linux/fscache.h                       |    2 +-
 include/linux/genl_magic_func.h               |    2 +-
 include/linux/hwmon-sysfs.h                   |    5 +-
 include/linux/iommu.h                         |    2 +-
 include/linux/irq.h                           |    2 +-
 include/linux/key-type.h                      |    2 +-
 include/linux/kobject.h                       |    1 +
 include/linux/kobject_ns.h                    |    2 +-
 include/linux/list.h                          |   14 +-
 include/linux/mod_devicetable.h               |    2 +-
 include/linux/module.h                        |    5 +-
 include/linux/net.h                           |    2 +-
 include/linux/netfilter.h                     |    2 +-
 include/linux/nls.h                           |    2 +-
 include/linux/pci_hotplug.h                   |    3 +-
 include/linux/platform_data/usb-exynos.h      |    2 +-
 include/linux/pnp.h                           |    2 +-
 include/linux/ppp-comp.h                      |    2 +-
 include/linux/rculist.h                       |   16 ++
 include/linux/sched.h                         |    2 +-
 include/linux/sock_diag.h                     |    2 +-
 include/linux/sunrpc/clnt.h                   |    2 +-
 include/linux/sunrpc/svc.h                    |    2 +-
 include/linux/sunrpc/svcauth.h                |    2 +-
 include/linux/swiotlb.h                       |    3 +-
 include/linux/syscore_ops.h                   |    2 +-
 include/linux/sysctl.h                        |    6 +-
 include/linux/sysfs.h                         |   10 +-
 include/linux/sysrq.h                         |    1 +
 include/linux/xattr.h                         |    2 +-
 include/net/9p/transport.h                    |    2 +-
 include/net/bluetooth/l2cap.h                 |    2 +-
 include/net/genetlink.h                       |    2 +-
 include/net/ip.h                              |    2 +-
 include/net/ip_vs.h                           |    4 +-
 include/net/llc_c_ac.h                        |    2 +-
 include/net/llc_c_ev.h                        |    4 +-
 include/net/llc_c_st.h                        |    2 +-
 include/net/llc_s_ac.h                        |    2 +-
 include/net/llc_s_st.h                        |    2 +-
 include/net/mac80211.h                        |    2 +-
 include/net/net_namespace.h                   |    2 +-
 include/net/netns/conntrack.h                 |    6 +-
 include/net/rtnetlink.h                       |    2 +-
 include/net/sctp/sm.h                         |    4 +-
 include/net/sctp/structs.h                    |    2 +-
 include/net/xfrm.h                            |    4 +-
 ipc/ipc_sysctl.c                              |   10 +-
 ipc/mq_sysctl.c                               |    2 +-
 kernel/kmod.c                                 |    2 +-
 kernel/ksysfs.c                               |    2 +-
 kernel/module.c                               |    4 +-
 kernel/pid_namespace.c                        |    2 +-
 kernel/rcutree_plugin.h                       |    2 +-
 kernel/sched/core.c                           |   39 ++--
 kernel/smpboot.c                              |    4 +-
 kernel/softirq.c                              |    2 +-
 kernel/sysctl.c                               |    2 +-
 kernel/utsname_sysctl.c                       |    2 +-
 kernel/watchdog.c                             |    2 +-
 lib/Kconfig.debug                             |    2 +-
 lib/kobject.c                                 |    4 +-
 lib/list_debug.c                              |   57 ++++-
 lib/swiotlb.c                                 |    2 +-
 mm/hugetlb.c                                  |   16 +-
 mm/memory-failure.c                           |    2 +-
 mm/slab_common.c                              |    2 +-
 net/9p/mod.c                                  |    4 +-
 net/ax25/sysctl_net_ax25.c                    |    2 +-
 net/core/neighbour.c                          |    2 +-
 net/core/net-sysfs.c                          |    2 +-
 net/core/net_namespace.c                      |    8 +-
 net/core/rtnetlink.c                          |   11 +-
 net/core/sock_diag.c                          |    9 +-
 net/core/sysctl_net_core.c                    |   15 +-
 net/ipv4/af_inet.c                            |    8 +-
 net/ipv4/devinet.c                            |   12 +-
 net/ipv4/inet_connection_sock.c               |    2 +-
 net/ipv4/ip_fragment.c                        |    9 +-
 net/ipv4/ip_gre.c                             |    6 +-
 net/ipv4/ip_vti.c                             |    4 +-
 net/ipv4/ipip.c                               |    4 +-
 net/ipv4/route.c                              |   14 +-
 net/ipv4/sysctl_net_ipv4.c                    |   43 ++--
 net/ipv6/addrconf.c                           |    4 +-
 net/ipv6/icmp.c                               |    2 +-
 net/ipv6/ip6_gre.c                            |    6 +-
 net/ipv6/ip6_tunnel.c                         |    4 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c       |   12 +-
 net/ipv6/reassembly.c                         |   11 +-
 net/ipv6/route.c                              |    2 +-
 net/ipv6/sit.c                                |    4 +-
 net/ipv6/sysctl_net_ipv6.c                    |    2 +-
 net/netfilter/ipset/ip_set_core.c             |    2 +-
 net/netfilter/ipvs/ip_vs_ctl.c                |    4 +-
 net/netfilter/ipvs/ip_vs_lblc.c               |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c              |    2 +-
 net/netfilter/nf_conntrack_acct.c             |    2 +-
 net/netfilter/nf_conntrack_ecache.c           |    2 +-
 net/netfilter/nf_conntrack_helper.c           |    2 +-
 net/netfilter/nf_conntrack_proto.c            |    2 +-
 net/netfilter/nf_conntrack_standalone.c       |    2 +-
 net/netfilter/nf_conntrack_timestamp.c        |    2 +-
 net/netfilter/nf_log.c                        |   10 +-
 net/netfilter/nf_sockopt.c                    |    4 +-
 net/netlink/genetlink.c                       |   16 +-
 net/phonet/sysctl.c                           |    2 +-
 net/rds/rds.h                                 |    2 +-
 net/sctp/ipv6.c                               |    6 +-
 net/sctp/protocol.c                           |   10 +-
 net/sctp/sm_sideeffect.c                      |    2 +-
 net/sctp/sysctl.c                             |    4 +-
 net/sunrpc/clnt.c                             |    4 +-
 net/sunrpc/svc.c                              |    4 +-
 net/unix/sysctl_net_unix.c                    |    2 +-
 net/xfrm/xfrm_policy.c                        |   11 +-
 net/xfrm/xfrm_state.c                         |   29 ++-
 net/xfrm/xfrm_sysctl.c                        |    2 +-
 security/apparmor/lsm.c                       |    2 +-
 security/keys/key.c                           |   18 +-
 security/yama/yama_lsm.c                      |   22 +-
 tools/gcc/Makefile                            |    4 +-
 tools/gcc/constify_plugin.c                   |  299 +++++++++++++++++++------
 tools/gcc/size_overflow_plugin.c              |    7 +-
 248 files changed, 994 insertions(+), 668 deletions(-)

commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:58:21 2013 -0500

    Make slab_state __read_only, it's only written to during init

 mm/slab_common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:31:35 2013 -0500

    Make two new helper functions:
    gr_is_global_root() and gr_is_global_nonroot()

 grsecurity/gracl.c      |   10 +++++-----
 grsecurity/gracl_segv.c |    2 +-
 grsecurity/grsec_link.c |    4 ++--
 grsecurity/grsec_sig.c  |   10 +++++-----
 grsecurity/grsec_tpe.c  |    6 +++---
 include/linux/uidgid.h  |    2 ++
 6 files changed, 18 insertions(+), 16 deletions(-)

commit d45d88eddd4998b280b1e5b5384289ee11ca7088
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:14:41 2013 -0500

    convert remaining task->pid to task_pid_nr(task)

 grsecurity/gracl.c        |   22 +++++++++++-----------
 grsecurity/gracl_shm.c    |    2 +-
 grsecurity/grsec_chroot.c |    4 ++--
 grsecurity/grsec_sig.c    |    4 ++--
 4 files changed, 16 insertions(+), 16 deletions(-)

commit c877f2ece03ee2232dd281c1977ae59507297124
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 5 17:29:54 2013 -0500

    compat-log is only used anymore by vm86-on-64bit and allows unlimited
    spamming of the kernel log buffer (and since it includes the changable
    process name, can avoid syslog log deduplication)
    Turn it off by default

 fs/compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7c1964c4b7276889d7967bee70e46918cdca1b14
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 4 17:19:10 2013 -0500

    fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
    is enabled, introduced with recent userns support

 init/main.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 18:46:12 2013 -0500

    Prevent TOMOYO from auto-loading modules by unprivileged users
    (Only reachable if TOMOYO is actually used)

 security/tomoyo/mount.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 79e142f9455b398759ff9d93d4963a21b98dddda
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 18:28:45 2013 -0500

    For now, don't permit any special access to /proc in a user namespace
    Later we can go back and allow a userns-uid0 special access to a /proc
    with a non-global pid namespace

 fs/proc/base.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8b91fb393049ce5f3c0a86f62247409853fd9700
Merge: d931eb8 603ef05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:42:09 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:41:31 2013 -0500

    Fix compilation error on ARM reported by Michael Tremer

 arch/arm/mach-omap2/wd_timer.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b4c9ce81fdd7839a150c97873c710c479e788280
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:39:53 2013 -0500

    Fix compilation error on ARM reported by Michael Tremer

 arch/arm/kernel/armksyms.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d931eb81ab3da46896268fd61373a6aa7bbea930
Merge: bfa7f44 5948f93
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:34:36 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
Merge: ab30472 19b00d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:34:08 2013 -0500

    Merge branch 'linux-3.8.y' into pax-test

commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 15:12:12 2013 -0500

    Initial support for user namespaces, as we previously didn't allow
    the option to be enabled at all.
    
    RBAC will act on the global uids/gids only, so all uids/gids in user
    namespaces will be converted
    
    Because Eric Biederman is insulted that I didn't support his
    backdoor prior to it receiving proper review.  I still have the CAP_SYS_ADMIN
    check in for user namespaces, so this is generally irrelevant.

 fs/exec.c                   |    6 +-
 fs/proc/base.c              |    2 +-
 fs/proc/proc_net.c          |    4 +-
 grsecurity/gracl.c          |  128 +++++++++++++++++++++++++++++-------------
 grsecurity/gracl_cap.c      |    4 +-
 grsecurity/gracl_ip.c       |   16 +++---
 grsecurity/gracl_segv.c     |   12 +++-
 grsecurity/gracl_shm.c      |    4 +-
 grsecurity/grsec_disabled.c |   10 ++--
 grsecurity/grsec_fifo.c     |    6 +-
 grsecurity/grsec_init.c     |   24 ++++----
 grsecurity/grsec_log.c      |    3 -
 grsecurity/grsec_tpe.c      |    6 +-
 include/linux/grinternal.h  |   12 ++--
 include/linux/grsecurity.h  |   12 ++--
 include/linux/uidgid.h      |    3 +
 init/Kconfig                |    2 -
 ipc/shm.c                   |    2 +-
 kernel/cred.c               |    5 +-
 kernel/kallsyms.c           |    2 +-
 kernel/kmod.c               |    6 +-
 kernel/sys.c                |   12 ++--
 22 files changed, 166 insertions(+), 115 deletions(-)

commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Feb 27 08:36:04 2013 -0800

    Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
    
    mm: do not grow the stack vma just because of an overrun on preceding vma
    
    The stack vma is designed to grow automatically (marked with VM_GROWSUP
    or VM_GROWSDOWN depending on architecture) when an access is made beyond
    the existing boundary.  However, particularly if you have not limited
    your stack at all ("ulimit -s unlimited"), this can cause the stack to
    grow even if the access was really just one past *another* segment.
    
    And that's wrong, especially since we first grow the segment, but then
    immediately later enforce the stack guard page on the last page of the
    segment.  So _despite_ first growing the stack segment as a result of
    the access, the kernel will then make the access cause a SIGSEGV anyway!
    
    So do the same logic as the guard page check does, and consider an
    access to within one page of the next segment to be a bad access, rather
    than growing the stack to abut the next segment.
    
    Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c |   27 +++++++++++++++++++++++++++
 1 files changed, 27 insertions(+), 0 deletions(-)

commit 5596211af754867ca825f58e6e0300a8439950fe
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Wed Feb 27 12:46:40 2013 -0800

    Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
    
    x86: Make sure we can boot in the case the BDA contains pure garbage
    
    On non-BIOS platforms it is possible that the BIOS data area contains
    garbage instead of being zeroed or something equivalent (firmware
    people: we are talking of 1.5K here, so please do the sane thing.)
    
    We need on the order of 20-30K of low memory in order to boot, which
    may grow up to < 64K in the future.  We probably want to avoid the
    lowest of the low memory.  At the same time, it seems extremely
    unlikely that a legitimate EBDA would ever reach down to the 128K
    (which would require it to be over half a megabyte in size.)  Thus,
    pick 128K as the cutoff for "this is insane, ignore."  We may still
    end up reserving a bunch of extra memory on the low megabyte, but that
    is not really a major issue these days.  In the worst case we lose
    512K of RAM.
    
    This code really should be merged with trim_bios_range() in
    arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
    window.
    
    Reported-by: Darren Hart <dvhart@linux.intel.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: Matt Fleming <matt.fleming@intel.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org

 arch/x86/kernel/head.c |   53 ++++++++++++++++++++++++++++++-----------------
 1 files changed, 34 insertions(+), 19 deletions(-)

commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Feb 27 17:05:46 2013 -0800

    Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
    
    memstick: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to found this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Maxim Levitsky <maximlevitsky@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/memstick/host/r592.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Feb 27 17:05:21 2013 -0800

    Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
    
    sysctl: fix null checking in bin_dn_node_address()
    
    The null check of `strchr() + 1' is broken, which is always non-null,
    leading to OOB read.  Instead, check the result of strchr().
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sysctl_binary.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 7ca96db0817416fd40761e7437d1939fc0731380
Author: Tejun Heo <tj@kernel.org>
Date:   Wed Feb 27 17:03:34 2013 -0800

    Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
    
    idr: fix a subtle bug in idr_get_next()
    
    The iteration logic of idr_get_next() is borrowed mostly verbatim from
    idr_for_each().  It walks down the tree looking for the slot matching
    the current ID.  If the matching slot is not found, the ID is
    incremented by the distance of single slot at the given level and
    repeats.
    
    The implementation assumes that during the whole iteration id is aligned
    to the layer boundaries of the level closest to the leaf, which is true
    for all iterations starting from zero or an existing element and thus is
    fine for idr_for_each().
    
    However, idr_get_next() may be given any point and if the starting id
    hits in the middle of a non-existent layer, increment to the next layer
    will end up skipping the same offset into it.  For example, an IDR with
    IDs filled between [64, 127] would look like the following.
    
              [  0  64 ... ]
           /----/   |
           |        |
          NULL    [ 64 ... 127 ]
    
    If idr_get_next() is called with 63 as the starting point, it will try
    to follow down the pointer from 0.  As it is NULL, it will then try to
    proceed to the next slot in the same level by adding the slot distance
    at that level which is 64 - making the next try 127.  It goes around the
    loop and finds and returns 127 skipping [64, 126].
    
    Note that this bug also triggers in idr_for_each_entry() loop which
    deletes during iteration as deletions can make layers go away leaving
    the iteration with unaligned ID into missing layers.
    
    Fix it by ensuring proceeding to the next slot doesn't carry over the
    unaligned offset - ie.  use round_up(id + 1, slot_distance) instead of
    id += slot_distance.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: David Teigland <teigland@redhat.com>
    Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/idr.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 745362f28034f54242ba2e64eaa7374ab9869613
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 1 20:31:42 2013 -0500

    Fix dentry use-after-free after failed complete_walk() with RBAC enabled
    Many thanks to zakalwe from #grsecurity for the report and debugging help

 fs/namei.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit b53b3b14330920c6f7cfb74c8508a3026e1be620
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 18:29:26 2013 -0500

    Fix bad git merge

 fs/namespace.c |    8 --------
 1 files changed, 0 insertions(+), 8 deletions(-)

commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
Merge: 1cce1dd ab30472
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 17:45:14 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        net/core/sock_diag.c

commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
Merge: 4b61d21 4c91a0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 17:43:56 2013 -0500

    Merge branch 'linux-3.8.y' into pax-test

commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 22:20:22 2013 -0500

    add compiler.h to sysrq.h to fix compilation problem reported by micu on forums

 include/linux/sysrq.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 17:52:31 2013 -0500

    declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel

 kernel/printk.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 17:23:46 2013 -0500

    Fix upstream vulnerability from addition of a /dev/kmsg device
    while neglecting to add the same set of existing permission checks
    from do_syslog.  This bit both dmesg_restrict and GRKERNSEC_DMESG.
    A temporary workaround without this patch would be to
    chmod 0600 /dev/kmsg (and is likely a good idea anyway).
    
    Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
    Initially reported to Redhat bugzilla by Christian Kujau:
    https://bugzilla.redhat.com/show_bug.cgi?id=903192

 kernel/printk.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 66c04806f5660988c3cb4855e60de294e77e3d0e
Author: David Howells <dhowells@redhat.com>
Date:   Thu Feb 21 12:00:25 2013 +0000

    Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
    
    KEYS: Revert one application of "Fix unreachable code" patch
    
    A patch to fix some unreachable code in search_my_process_keyrings() got
    applied twice by two different routes upstream as commits e67eab39bee2
    and b010520ab3d2 (both "fix unreachable code").
    
    Unfortunately, the second application removed something it shouldn't
    have and this wasn't detected by GIT.  This is due to the patch not
    having sufficient lines of context to distinguish the two places of
    application.
    
    The effect of this is relatively minor: inside the kernel, the keyring
    search routines may search multiple keyrings and then prioritise the
    errors if no keys or negative keys are found in any of them.  With the
    extra deletion, the presence of a negative key in the thread keyring
    (causing ENOKEY) is incorrectly overridden by an error searching the
    process keyring.
    
    So revert the second application of the patch.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Cc: Jiri Kosina <jkosina@suse.cz>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 security/keys/process_keys.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Thu Feb 21 16:42:43 2013 -0800

    Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
    
    configfs: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to found this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/configfs/dir.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
Author: Nicolas Pitre <nicolas.pitre@linaro.org>
Date:   Sun Feb 24 20:06:09 2013 -0500

    Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
    
    tty vt: fix character insertion overflow
    
    Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
    command line edition") broke insert_char() in multiple ways.  Then
    commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
    partially fixed it.  However, the buffer being moved is still too large
    and overflowing beyond the end of the current line, corrupting existing
    characters on the next line.
    
    Example test case:
    
    echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
    
    Expected result:
    
    ab c
    de
    
    Current result:
    
    ab c
     e
    
    Needless to say that this is very annoying when inserting words in the
    middle of paragraphs with certain text editors.
    
    Signed-off-by: Nicolas Pitre <nico@linaro.org>
    Cc: Jean-François Moine <moinejf@free.fr>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/tty/vt/vt.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6cda35071669b4aabde081bd039e0ffea36f997a
Author: Robin Holt <holt@sgi.com>
Date:   Fri Feb 22 16:35:34 2013 -0800

    Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
    
    mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
    
    There is a race condition between mmu_notifier_unregister() and
    __mmu_notifier_release().
    
    Assume two tasks, one calling mmu_notifier_unregister() as a result of a
    filp_close() ->flush() callout (task A), and the other calling
    mmu_notifier_release() from an mmput() (task B).
    
                    A                               B
    t1                                              srcu_read_lock()
    t2              if (!hlist_unhashed())
    t3                                              srcu_read_unlock()
    t4              srcu_read_lock()
    t5                                              hlist_del_init_rcu()
    t6                                              synchronize_srcu()
    t7              srcu_read_unlock()
    t8              hlist_del_rcu()  <--- NULL pointer deref.
    
    Additionally, the list traversal in __mmu_notifier_release() is not
    protected by the by the mmu_notifier_mm->hlist_lock which can result in
    callouts to the ->release() notifier from both mmu_notifier_unregister()
    and __mmu_notifier_release().
    
    -stable suggestions:
    
    The stable trees prior to 3.7.y need commits 21a92735f660 and
    70400303ce0c cherry-picked in that order prior to cherry-picking this
    commit.  The 3.7.y tree already has those two commits.
    
    Signed-off-by: Robin Holt <holt@sgi.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
    Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
    Cc: Avi Kivity <avi@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Marcelo Tosatti <mtosatti@redhat.com>
    Cc: Sagi Grimberg <sagig@mellanox.co.il>
    Cc: Haggai Eran <haggaie@mellanox.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmu_notifier.c |   82 +++++++++++++++++++++++++++--------------------------
 1 files changed, 42 insertions(+), 40 deletions(-)

commit bf5167ed78ba6131c6874887f714bda50c2cab83
Author: Mike Galbraith <bitbucket@online.de>
Date:   Mon Jan 28 12:19:25 2013 +0100

    Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
    
    sched: Fix select_idle_sibling() bouncing cow syndrome
    
    If the previous CPU is cache affine and idle, select it.
    
    The current implementation simply traverses the sd_llc domain,
    taking the first idle CPU encountered, which walks buddy pairs
    hand in hand over the package, inflicting excruciating pain.
    
    1 tbench pair (worst case) in a 10 core + SMT package:
    
      pre   15.22 MB/sec 1 procs
      post 252.01 MB/sec 1 procs
    
    Signed-off-by: Mike Galbraith <bitbucket@online.de>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 kernel/sched/fair.c |   21 +++++++--------------
 1 files changed, 7 insertions(+), 14 deletions(-)

commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri Dec 28 18:58:39 2012 -0800

    Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
    
    userns: Avoid recursion in put_user_ns
    
    When freeing a deeply nested user namespace free_user_ns calls
    put_user_ns on it's parent which may in turn call free_user_ns again.
    When -fno-optimize-sibling-calls is passed to gcc one stack frame per
    user namespace is left on the stack, potentially overflowing the
    kernel stack.  CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
    so we can't count on gcc to optimize this code.
    
    Remove struct kref and use a plain atomic_t.  Making the code more
    flexible and easier to comprehend.  Make the loop in free_user_ns
    explict to guarantee that the stack does not overflow with
    CONFIG_FRAME_POINTER enabled.
    
    I have tested this fix with a simple program that uses unshare to
    create a deeply nested user namespace structure and then calls exit.
    With 1000 nesteuser namespaces before this change running my test
    program causes the kernel to die a horrible death.  With 10,000,000
    nested user namespaces after this change my test program runs to
    completion and causes no harm.
    
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 include/linux/user_namespace.h |   10 +++++-----
 kernel/user.c                  |    4 +---
 kernel/user_namespace.c        |   17 +++++++++--------
 3 files changed, 15 insertions(+), 16 deletions(-)

commit 81501c7106ccc186c94806f4db954626295b5ebe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 26 17:12:30 2013 -0500

    Pass the same flags to kern_path_create as the original function

 fs/namei.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a677c8eee35afe48868f92c7d6745bfe809cd481
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Feb 22 22:45:42 2013 -0500

    Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
    
    get rid of unprotected dereferencing of mnt->mnt_ns
    
    It's safe only under namespace_sem or vfsmount_lock; all places
    in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
    current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
    there).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namespace.c |   29 +++++++++++++++++------------
 1 files changed, 17 insertions(+), 12 deletions(-)

commit 89298124d0c96dc34a60377e7a1308f8f532ff75
Author: Greg Thelen <gthelen@google.com>
Date:   Fri Feb 22 16:36:01 2013 -0800

    Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
    
    tmpfs: fix use-after-free of mempolicy object
    
    The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
    option is not specified in the remount request.  A new policy can be
    specified if mpol=M is given.
    
    Before this patch remounting an mpol bound tmpfs without specifying
    mpol= mount option in the remount request would set the filesystem's
    mempolicy object to a freed mempolicy object.
    
    To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
        # mkdir /tmp/x
    
        # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
    
        # mount -o remount,size=200M nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
            # note ? garbage in mpol=... output above
    
        # dd if=/dev/zero of=/tmp/x/f count=1
            # panic here
    
    Panic:
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<          (null)>]           (null)
        [...]
        Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
        Call Trace:
          mpol_shared_policy_init+0xa5/0x160
          shmem_get_inode+0x209/0x270
          shmem_mknod+0x3e/0xf0
          shmem_create+0x18/0x20
          vfs_create+0xb5/0x130
          do_last+0x9a1/0xea0
          path_openat+0xb3/0x4d0
          do_filp_open+0x42/0xa0
          do_sys_open+0xfe/0x1e0
          compat_sys_open+0x1b/0x20
          cstar_dispatch+0x7/0x1f
    
    Non-debug kernels will not crash immediately because referencing the
    dangling mpol will not cause a fault.  Instead the filesystem will
    reference a freed mempolicy object, which will cause unpredictable
    behavior.
    
    The problem boils down to a dropped mpol reference below if
    shmem_parse_options() does not allocate a new mpol:
    
        config = *sbinfo
        shmem_parse_options(data, &config, true)
        mpol_put(sbinfo->mpol)
        sbinfo->mpol = config.mpol  /* BUG: saves unreferenced mpol */
    
    This patch avoids the crash by not releasing the mempolicy if
    shmem_parse_options() doesn't create a new mpol.
    
    How far back does this issue go? I see it in both 2.6.36 and 3.3.  I did
    not look back further.
    
    Signed-off-by: Greg Thelen <gthelen@google.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/shmem.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 23 11:08:05 2013 -0500

    Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
    with a family greater or equal then AF_MAX -- the array size of
    sock_diag_handlers[]. The current code does not test for this
    condition therefore is vulnerable to an out-of-bound access opening
    doors for a privilege escalation.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
    make the code less readable. Get rid of them and make the lock usage
    and access to sock_diag_handlers[] clear on the first sight.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/core/sock_diag.c |   27 ++++++++++-----------------
 1 files changed, 10 insertions(+), 17 deletions(-)

commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 23 10:58:52 2013 -0500

    Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined

 arch/arm/include/asm/domain.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7b729586eb81f344fdedf0942fab0acc738a6725
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 22 19:02:51 2013 -0500

    Add back capability check for user namespaces.  They have not seen enough proper review and needlessly exposes additional attack surface for all users.

 kernel/fork.c |   17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

commit fadc560d0c486af88da83177735f5515e88acdcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:06:48 2013 -0500

    put is_hugetlbfs_mnt inside ifdefs

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 8252176922d405484f986eb2cc350b7cd3ae586e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:02:07 2013 -0500

    remove unused label

 kernel/module.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit dad4a980f0b625059e215d13da728aa7fd02a374
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:00:52 2013 -0500

    compile fix

 fs/open.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:57:49 2013 -0500

    remove kmalloc_array_error for the same reasons as kcalloc_error

 include/linux/slab.h |    9 ---------
 1 files changed, 0 insertions(+), 9 deletions(-)

commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:49:35 2013 -0500

    Initial port of grsecurity for Linux 3.8

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |   10 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   14 +-
 arch/arm/include/asm/cache.h                       |    2 +
 arch/arm/include/asm/thread_info.h                 |    9 +-
 arch/arm/kernel/process.c                          |    4 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   27 +-
 arch/arm/mm/mmap.c                                 |    6 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    7 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    3 +-
 arch/ia64/mm/hugetlbpage.c                         |    3 +-
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    3 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   19 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/include/asm/thread_info.h             |    8 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/powerpc/mm/slice.c                            |    8 +-
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    8 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    6 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/Kconfig.debug                             |    2 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |   14 +-
 arch/x86/kernel/sys_x86_64.c                       |    3 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |   16 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |    3 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  126 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 crypto/ablkcipher.c                                |   12 +-
 crypto/aead.c                                      |    9 +-
 crypto/ahash.c                                     |    2 +-
 crypto/blkcipher.c                                 |    6 +-
 crypto/crypto_user.c                               |   38 +-
 crypto/pcompress.c                                 |    3 +-
 crypto/rng.c                                       |    2 +-
 crypto/shash.c                                     |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    5 +
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++--------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    6 +
 fs/btrfs/inode.c                                   |   10 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   18 +
 fs/coredump.c                                      |   10 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  155 +-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    5 +
 fs/fs_struct.c                                     |   26 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  269 ++-
 fs/namespace.c                                     |   24 +
 fs/open.c                                          |   38 +
 fs/pipe.c                                          |    2 +-
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 +-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |   17 +
 fs/proc/internal.h                                 |    3 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 grsecurity/Kconfig                                 | 1021 +++++
 grsecurity/Makefile                                |   38 +
 grsecurity/gracl.c                                 | 4017 ++++++++++++++++++++
 grsecurity/gracl_alloc.c                           |  105 +
 grsecurity/gracl_cap.c                             |  110 +
 grsecurity/gracl_fs.c                              |  431 +++
 grsecurity/gracl_ip.c                              |  384 ++
 grsecurity/gracl_learn.c                           |  207 +
 grsecurity/gracl_res.c                             |   68 +
 grsecurity/gracl_segv.c                            |  299 ++
 grsecurity/gracl_shm.c                             |   40 +
 grsecurity/grsec_chdir.c                           |   19 +
 grsecurity/grsec_chroot.c                          |  357 ++
 grsecurity/grsec_disabled.c                        |  434 +++
 grsecurity/grsec_exec.c                            |  174 +
 grsecurity/grsec_fifo.c                            |   24 +
 grsecurity/grsec_fork.c                            |   23 +
 grsecurity/grsec_init.c                            |  283 ++
 grsecurity/grsec_link.c                            |   58 +
 grsecurity/grsec_log.c                             |  329 ++
 grsecurity/grsec_mem.c                             |   40 +
 grsecurity/grsec_mount.c                           |   62 +
 grsecurity/grsec_pax.c                             |   36 +
 grsecurity/grsec_ptrace.c                          |   30 +
 grsecurity/grsec_sig.c                             |  222 ++
 grsecurity/grsec_sock.c                            |  244 ++
 grsecurity/grsec_sysctl.c                          |  469 +++
 grsecurity/grsec_time.c                            |   16 +
 grsecurity/grsec_tpe.c                             |   73 +
 grsecurity/grsum.c                                 |   61 +
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/gracl.h                              |  319 ++
 include/linux/gralloc.h                            |    9 +
 include/linux/grdefs.h                             |  140 +
 include/linux/grinternal.h                         |  215 ++
 include/linux/grmsg.h                              |  111 +
 include/linux/grsecurity.h                         |  257 ++
 include/linux/grsock.h                             |   19 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/netfilter/xt_gradm.h                 |    9 +
 include/linux/printk.h                             |    3 +-
 include/linux/proc_fs.h                            |   12 +
 include/linux/sched.h                              |   66 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/vermagic.h                           |    9 +-
 include/trace/events/fs.h                          |   53 +
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    5 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  109 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   24 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   71 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   80 +-
 kernel/panic.c                                     |    4 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    8 +
 kernel/printk.c                                    |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   38 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    3 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 lib/vsprintf.c                                     |   35 +-
 localversion-grsec                                 |    1 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   62 +-
 mm/mprotect.c                                      |    8 +
 mm/page_alloc.c                                    |    6 +
 mm/process_vm_access.c                             |    6 +
 mm/shmem.c                                         |    2 +-
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev.c                                     |    9 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    7 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netfilter/xt_gradm.c                           |   51 +
 net/netrom/af_netrom.c                             |    2 +-
 net/phonet/af_phonet.c                             |    4 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   62 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   19 +
 security/Kconfig                                   |  320 ++-
 security/apparmor/lsm.c                            |    2 +-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/yama/Kconfig                              |    2 +-
 tools/gcc/Makefile                                 |    2 +-
 286 files changed, 15083 insertions(+), 2067 deletions(-)

commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 21:00:42 2013 -0500

    Initial import of pax-linux-3.8-test3.patch

 Documentation/dontdiff                           |   43 +-
 Documentation/kernel-parameters.txt              |    7 +
 Makefile                                         |   97 +-
 arch/alpha/include/asm/atomic.h                  |   10 +
 arch/alpha/include/asm/elf.h                     |    7 +
 arch/alpha/include/asm/pgalloc.h                 |    6 +
 arch/alpha/include/asm/pgtable.h                 |   11 +
 arch/alpha/kernel/module.c                       |    2 +-
 arch/alpha/kernel/osf_sys.c                      |   10 +-
 arch/alpha/mm/fault.c                            |  141 +-
 arch/arm/Kconfig                                 |    2 +-
 arch/arm/include/asm/atomic.h                    |  421 +++-
 arch/arm/include/asm/cache.h                     |    3 +-
 arch/arm/include/asm/cacheflush.h                |    2 +-
 arch/arm/include/asm/checksum.h                  |   14 +-
 arch/arm/include/asm/cmpxchg.h                   |    2 +
 arch/arm/include/asm/delay.h                     |    8 +-
 arch/arm/include/asm/domain.h                    |   32 +-
 arch/arm/include/asm/elf.h                       |   13 +-
 arch/arm/include/asm/fncpy.h                     |    2 +
 arch/arm/include/asm/futex.h                     |   10 +
 arch/arm/include/asm/kmap_types.h                |    2 +-
 arch/arm/include/asm/mach/dma.h                  |    2 +-
 arch/arm/include/asm/mach/map.h                  |    7 +-
 arch/arm/include/asm/outercache.h                |    2 +-
 arch/arm/include/asm/page.h                      |    2 +-
 arch/arm/include/asm/pgalloc.h                   |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h      |    5 +
 arch/arm/include/asm/pgtable-2level.h            |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h      |    4 +
 arch/arm/include/asm/pgtable-3level.h            |    2 +
 arch/arm/include/asm/pgtable.h                   |   56 +-
 arch/arm/include/asm/proc-fns.h                  |    2 +-
 arch/arm/include/asm/processor.h                 |    5 +-
 arch/arm/include/asm/smp.h                       |    2 +-
 arch/arm/include/asm/thread_info.h               |    6 +-
 arch/arm/include/asm/uaccess.h                   |   92 +-
 arch/arm/include/uapi/asm/ptrace.h               |    2 +-
 arch/arm/kernel/armksyms.c                       |    4 +-
 arch/arm/kernel/entry-armv.S                     |  107 +-
 arch/arm/kernel/entry-common.S                   |   41 +-
 arch/arm/kernel/entry-header.S                   |   60 +
 arch/arm/kernel/fiq.c                            |    2 +
 arch/arm/kernel/head.S                           |    6 +-
 arch/arm/kernel/hw_breakpoint.c                  |    2 +-
 arch/arm/kernel/module.c                         |   29 +-
 arch/arm/kernel/perf_event_cpu.c                 |    2 +-
 arch/arm/kernel/process.c                        |   10 +-
 arch/arm/kernel/setup.c                          |   22 +-
 arch/arm/kernel/smp.c                            |    2 +-
 arch/arm/kernel/traps.c                          |    8 +-
 arch/arm/kernel/vmlinux.lds.S                    |   20 +-
 arch/arm/lib/clear_user.S                        |    6 +-
 arch/arm/lib/copy_from_user.S                    |    6 +-
 arch/arm/lib/copy_page.S                         |    1 +
 arch/arm/lib/copy_to_user.S                      |    6 +-
 arch/arm/lib/csumpartialcopyuser.S               |    4 +-
 arch/arm/lib/delay.c                             |   14 +-
 arch/arm/lib/uaccess_with_memcpy.c               |    2 +-
 arch/arm/mach-kirkwood/common.c                  |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                 |    2 +-
 arch/arm/mach-omap2/omap-wakeupgen.c             |    2 +-
 arch/arm/mach-omap2/omap_hwmod.c                 |    4 +-
 arch/arm/mach-ux500/include/mach/setup.h         |    7 -
 arch/arm/mm/Kconfig                              |    3 +-
 arch/arm/mm/fault.c                              |   78 +
 arch/arm/mm/fault.h                              |   12 +
 arch/arm/mm/init.c                               |   41 +
 arch/arm/mm/ioremap.c                            |    4 +-
 arch/arm/mm/mmap.c                               |   36 +-
 arch/arm/mm/mmu.c                                |  186 +-
 arch/arm/mm/proc-v7-2level.S                     |    3 +
 arch/arm/plat-omap/sram.c                        |    2 +
 arch/arm/plat-orion/include/plat/addr-map.h      |    2 +-
 arch/arm/plat-samsung/include/plat/dma-ops.h     |    2 +-
 arch/arm64/kernel/debug-monitors.c               |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                |    2 +-
 arch/avr32/include/asm/elf.h                     |    8 +-
 arch/avr32/include/asm/kmap_types.h              |    4 +-
 arch/avr32/mm/fault.c                            |   27 +
 arch/frv/include/asm/atomic.h                    |   10 +
 arch/frv/include/asm/kmap_types.h                |    2 +-
 arch/frv/mm/elf-fdpic.c                          |    7 +-
 arch/ia64/include/asm/atomic.h                   |   10 +
 arch/ia64/include/asm/elf.h                      |    7 +
 arch/ia64/include/asm/pgalloc.h                  |   12 +
 arch/ia64/include/asm/pgtable.h                  |   13 +-
 arch/ia64/include/asm/spinlock.h                 |    2 +-
 arch/ia64/include/asm/uaccess.h                  |   28 +-
 arch/ia64/kernel/err_inject.c                    |    2 +-
 arch/ia64/kernel/mca.c                           |    2 +-
 arch/ia64/kernel/module.c                        |   48 +-
 arch/ia64/kernel/palinfo.c                       |    2 +-
 arch/ia64/kernel/salinfo.c                       |    2 +-
 arch/ia64/kernel/sys_ia64.c                      |   13 +-
 arch/ia64/kernel/topology.c                      |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                   |    2 +-
 arch/ia64/mm/fault.c                             |   32 +-
 arch/ia64/mm/hugetlbpage.c                       |    2 +-
 arch/ia64/mm/init.c                              |   13 +
 arch/m32r/lib/usercopy.c                         |    6 +
 arch/mips/include/asm/atomic.h                   |   14 +
 arch/mips/include/asm/elf.h                      |   11 +-
 arch/mips/include/asm/exec.h                     |    2 +-
 arch/mips/include/asm/page.h                     |    2 +-
 arch/mips/include/asm/pgalloc.h                  |    5 +
 arch/mips/kernel/binfmt_elfn32.c                 |    7 +
 arch/mips/kernel/binfmt_elfo32.c                 |    7 +
 arch/mips/kernel/process.c                       |   12 -
 arch/mips/mm/fault.c                             |   17 +
 arch/mips/mm/mmap.c                              |   51 +-
 arch/parisc/include/asm/atomic.h                 |   10 +
 arch/parisc/include/asm/elf.h                    |    7 +
 arch/parisc/include/asm/pgalloc.h                |    6 +
 arch/parisc/include/asm/pgtable.h                |   11 +
 arch/parisc/include/asm/uaccess.h                |    4 +-
 arch/parisc/kernel/module.c                      |   50 +-
 arch/parisc/kernel/sys_parisc.c                  |    6 +-
 arch/parisc/kernel/traps.c                       |    4 +-
 arch/parisc/mm/fault.c                           |  140 +-
 arch/powerpc/include/asm/atomic.h                |   10 +
 arch/powerpc/include/asm/elf.h                   |   19 +-
 arch/powerpc/include/asm/exec.h                  |    2 +-
 arch/powerpc/include/asm/kmap_types.h            |    2 +-
 arch/powerpc/include/asm/mman.h                  |    2 +-
 arch/powerpc/include/asm/page.h                  |    8 +-
 arch/powerpc/include/asm/page_64.h               |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h            |    7 +
 arch/powerpc/include/asm/pgtable.h               |    1 +
 arch/powerpc/include/asm/pte-hash32.h            |    1 +
 arch/powerpc/include/asm/reg.h                   |    1 +
 arch/powerpc/include/asm/uaccess.h               |  142 +-
 arch/powerpc/kernel/exceptions-64e.S             |    4 +-
 arch/powerpc/kernel/exceptions-64s.S             |    2 +-
 arch/powerpc/kernel/module_32.c                  |   13 +-
 arch/powerpc/kernel/process.c                    |   55 -
 arch/powerpc/kernel/signal_32.c                  |    2 +-
 arch/powerpc/kernel/signal_64.c                  |    2 +-
 arch/powerpc/kernel/sysfs.c                      |    2 +-
 arch/powerpc/kernel/vdso.c                       |    5 +-
 arch/powerpc/lib/usercopy_64.c                   |   18 -
 arch/powerpc/mm/fault.c                          |   54 +-
 arch/powerpc/mm/mmap_64.c                        |   16 +
 arch/powerpc/mm/mmu_context_nohash.c             |    2 +-
 arch/powerpc/mm/numa.c                           |    2 +-
 arch/powerpc/mm/slice.c                          |   23 +-
 arch/powerpc/platforms/powermac/smp.c            |    2 +-
 arch/s390/include/asm/atomic.h                   |   10 +
 arch/s390/include/asm/elf.h                      |   13 +-
 arch/s390/include/asm/exec.h                     |    2 +-
 arch/s390/include/asm/uaccess.h                  |   15 +-
 arch/s390/kernel/module.c                        |   22 +-
 arch/s390/kernel/process.c                       |   36 -
 arch/s390/mm/mmap.c                              |   24 +
 arch/score/include/asm/exec.h                    |    2 +-
 arch/score/kernel/process.c                      |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c               |    2 +-
 arch/sh/mm/mmap.c                                |   22 +-
 arch/sparc/include/asm/atomic_64.h               |  106 +-
 arch/sparc/include/asm/cache.h                   |    2 +-
 arch/sparc/include/asm/elf_32.h                  |    7 +
 arch/sparc/include/asm/elf_64.h                  |    7 +
 arch/sparc/include/asm/pgalloc_32.h              |    1 +
 arch/sparc/include/asm/pgalloc_64.h              |    1 +
 arch/sparc/include/asm/pgtable_32.h              |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                |    5 +
 arch/sparc/include/asm/spinlock_64.h             |   35 +-
 arch/sparc/include/asm/thread_info_32.h          |    2 +
 arch/sparc/include/asm/thread_info_64.h          |    2 +
 arch/sparc/include/asm/uaccess.h                 |    8 +
 arch/sparc/include/asm/uaccess_32.h              |   27 +-
 arch/sparc/include/asm/uaccess_64.h              |   19 +-
 arch/sparc/kernel/Makefile                       |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                 |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                 |   48 +-
 arch/sparc/kernel/sysfs.c                        |    2 +-
 arch/sparc/kernel/traps_64.c                     |   13 +-
 arch/sparc/lib/Makefile                          |    2 +-
 arch/sparc/lib/atomic_64.S                       |  136 +-
 arch/sparc/lib/ksyms.c                           |    6 +
 arch/sparc/mm/Makefile                           |    2 +-
 arch/sparc/mm/fault_32.c                         |  292 ++
 arch/sparc/mm/fault_64.c                         |  486 +++
 arch/sparc/mm/hugetlbpage.c                      |   21 +-
 arch/tile/include/asm/atomic_64.h                |   10 +
 arch/tile/include/asm/uaccess.h                  |    4 +-
 arch/um/Makefile                                 |    4 +
 arch/um/include/asm/kmap_types.h                 |    2 +-
 arch/um/include/asm/page.h                       |    3 +
 arch/um/include/asm/pgtable-3level.h             |    1 +
 arch/um/kernel/process.c                         |   16 -
 arch/x86/Kconfig                                 |   10 +-
 arch/x86/Kconfig.cpu                             |    6 +-
 arch/x86/Kconfig.debug                           |    6 +-
 arch/x86/Makefile                                |   10 +
 arch/x86/boot/Makefile                           |    3 +
 arch/x86/boot/bitops.h                           |    4 +-
 arch/x86/boot/boot.h                             |    4 +-
 arch/x86/boot/compressed/Makefile                |    3 +
 arch/x86/boot/compressed/eboot.c                 |    2 -
 arch/x86/boot/compressed/head_32.S               |    7 +-
 arch/x86/boot/compressed/head_64.S               |    4 +-
 arch/x86/boot/compressed/misc.c                  |    4 +-
 arch/x86/boot/cpucheck.c                         |   28 +-
 arch/x86/boot/header.S                           |    6 +-
 arch/x86/boot/memory.c                           |    2 +-
 arch/x86/boot/video-vesa.c                       |    1 +
 arch/x86/boot/video.c                            |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S              |    4 +
 arch/x86/crypto/aesni-intel_asm.S                |   31 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S         |    8 +
 arch/x86/crypto/camellia-x86_64-asm_64.S         |    8 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S        |    8 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S        |    8 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S          |    5 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S      |    8 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S     |    5 +
 arch/x86/crypto/sha1_ssse3_asm.S                 |    3 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S      |    8 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S     |    5 +
 arch/x86/crypto/twofish-x86_64-asm_64.S          |    3 +
 arch/x86/ia32/ia32_signal.c                      |   14 +-
 arch/x86/ia32/ia32entry.S                        |  141 +-
 arch/x86/ia32/sys_ia32.c                         |   12 +-
 arch/x86/include/asm/alternative-asm.h           |   39 +
 arch/x86/include/asm/alternative.h               |    4 +-
 arch/x86/include/asm/apic.h                      |    2 +-
 arch/x86/include/asm/apm.h                       |    4 +-
 arch/x86/include/asm/atomic.h                    |  307 ++-
 arch/x86/include/asm/atomic64_32.h               |  100 +
 arch/x86/include/asm/atomic64_64.h               |  202 ++-
 arch/x86/include/asm/bitops.h                    |    2 +-
 arch/x86/include/asm/boot.h                      |    7 +-
 arch/x86/include/asm/cache.h                     |    5 +-
 arch/x86/include/asm/cacheflush.h                |    2 +-
 arch/x86/include/asm/checksum_32.h               |   12 +-
 arch/x86/include/asm/cmpxchg.h                   |   35 +
 arch/x86/include/asm/cpufeature.h                |    4 +-
 arch/x86/include/asm/desc.h                      |   65 +-
 arch/x86/include/asm/desc_defs.h                 |    6 +
 arch/x86/include/asm/elf.h                       |   31 +-
 arch/x86/include/asm/emergency-restart.h         |    2 +-
 arch/x86/include/asm/fpu-internal.h              |    6 +-
 arch/x86/include/asm/futex.h                     |   16 +-
 arch/x86/include/asm/hw_irq.h                    |    4 +-
 arch/x86/include/asm/io.h                        |   13 +-
 arch/x86/include/asm/irqflags.h                  |    5 +
 arch/x86/include/asm/kprobes.h                   |    9 +-
 arch/x86/include/asm/local.h                     |  142 +-
 arch/x86/include/asm/mman.h                      |   15 +
 arch/x86/include/asm/mmu.h                       |   16 +-
 arch/x86/include/asm/mmu_context.h               |   76 +-
 arch/x86/include/asm/module.h                    |   17 +-
 arch/x86/include/asm/page_64_types.h             |    2 +-
 arch/x86/include/asm/paravirt.h                  |   44 +-
 arch/x86/include/asm/paravirt_types.h            |   17 +-
 arch/x86/include/asm/pgalloc.h                   |   23 +
 arch/x86/include/asm/pgtable-2level.h            |    2 +
 arch/x86/include/asm/pgtable-3level.h            |    4 +
 arch/x86/include/asm/pgtable.h                   |  110 +-
 arch/x86/include/asm/pgtable_32.h                |   14 +-
 arch/x86/include/asm/pgtable_32_types.h          |   15 +-
 arch/x86/include/asm/pgtable_64.h                |   19 +-
 arch/x86/include/asm/pgtable_64_types.h          |    5 +
 arch/x86/include/asm/pgtable_types.h             |   36 +-
 arch/x86/include/asm/processor.h                 |   39 +-
 arch/x86/include/asm/ptrace.h                    |   26 +-
 arch/x86/include/asm/realmode.h                  |    4 +-
 arch/x86/include/asm/reboot.h                    |   10 +-
 arch/x86/include/asm/rwsem.h                     |   60 +-
 arch/x86/include/asm/segment.h                   |   24 +-
 arch/x86/include/asm/smp.h                       |   14 +-
 arch/x86/include/asm/spinlock.h                  |   36 +-
 arch/x86/include/asm/stackprotector.h            |    4 +-
 arch/x86/include/asm/stacktrace.h                |   32 +-
 arch/x86/include/asm/switch_to.h                 |    4 +-
 arch/x86/include/asm/thread_info.h               |   83 +-
 arch/x86/include/asm/uaccess.h                   |   96 +-
 arch/x86/include/asm/uaccess_32.h                |  106 +-
 arch/x86/include/asm/uaccess_64.h                |  232 +-
 arch/x86/include/asm/word-at-a-time.h            |    2 +-
 arch/x86/include/asm/x86_init.h                  |   10 +-
 arch/x86/include/asm/xsave.h                     |   10 +-
 arch/x86/include/uapi/asm/e820.h                 |    2 +-
 arch/x86/kernel/Makefile                         |    2 +-
 arch/x86/kernel/acpi/sleep.c                     |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                 |    6 +-
 arch/x86/kernel/alternative.c                    |   65 +-
 arch/x86/kernel/apic/apic.c                      |    6 +-
 arch/x86/kernel/apic/apic_flat_64.c              |    4 +-
 arch/x86/kernel/apic/bigsmp_32.c                 |    2 +-
 arch/x86/kernel/apic/es7000_32.c                 |    5 +-
 arch/x86/kernel/apic/io_apic.c                   |    8 +-
 arch/x86/kernel/apic/numaq_32.c                  |    3 +-
 arch/x86/kernel/apic/probe_32.c                  |    2 +-
 arch/x86/kernel/apic/summit_32.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c            |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c               |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c               |    2 +-
 arch/x86/kernel/apm_32.c                         |   19 +-
 arch/x86/kernel/asm-offsets.c                    |   20 +
 arch/x86/kernel/asm-offsets_64.c                 |    1 +
 arch/x86/kernel/cpu/Makefile                     |    4 -
 arch/x86/kernel/cpu/amd.c                        |    2 +-
 arch/x86/kernel/cpu/common.c                     |   75 +-
 arch/x86/kernel/cpu/intel.c                      |    2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c            |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                 |   29 +-
 arch/x86/kernel/cpu/mcheck/p5.c                  |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c         |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c             |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                  |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                  |    2 +-
 arch/x86/kernel/cpu/perf_event.c                 |    4 +-
 arch/x86/kernel/cpu/perf_event_intel.c           |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c    |    2 +-
 arch/x86/kernel/cpuid.c                          |    2 +-
 arch/x86/kernel/crash.c                          |    4 +-
 arch/x86/kernel/doublefault_32.c                 |    8 +-
 arch/x86/kernel/dumpstack.c                      |   30 +-
 arch/x86/kernel/dumpstack_32.c                   |   34 +-
 arch/x86/kernel/dumpstack_64.c                   |   63 +-
 arch/x86/kernel/early_printk.c                   |    1 +
 arch/x86/kernel/entry_32.S                       |  354 ++-
 arch/x86/kernel/entry_64.S                       |  512 +++-
 arch/x86/kernel/ftrace.c                         |   14 +-
 arch/x86/kernel/head32.c                         |    4 +-
 arch/x86/kernel/head_32.S                        |  237 ++-
 arch/x86/kernel/head_64.S                        |  158 +-
 arch/x86/kernel/i386_ksyms_32.c                  |    8 +
 arch/x86/kernel/i387.c                           |    2 +-
 arch/x86/kernel/i8259.c                          |    2 +-
 arch/x86/kernel/ioport.c                         |    2 +-
 arch/x86/kernel/irq.c                            |   10 +-
 arch/x86/kernel/irq_32.c                         |   69 +-
 arch/x86/kernel/irq_64.c                         |    2 +-
 arch/x86/kernel/kdebugfs.c                       |    2 +-
 arch/x86/kernel/kgdb.c                           |   25 +-
 arch/x86/kernel/kprobes-opt.c                    |   12 +-
 arch/x86/kernel/kprobes.c                        |   30 +-
 arch/x86/kernel/kvm.c                            |    2 +-
 arch/x86/kernel/ldt.c                            |   31 +-
 arch/x86/kernel/machine_kexec_32.c               |    6 +-
 arch/x86/kernel/microcode_core.c                 |    2 +-
 arch/x86/kernel/microcode_intel.c                |    4 +-
 arch/x86/kernel/module.c                         |   76 +-
 arch/x86/kernel/msr.c                            |    2 +-
 arch/x86/kernel/nmi.c                            |   11 +
 arch/x86/kernel/paravirt-spinlocks.c             |    2 +-
 arch/x86/kernel/paravirt.c                       |   43 +-
 arch/x86/kernel/pci-iommu_table.c                |    2 +-
 arch/x86/kernel/process.c                        |   57 +-
 arch/x86/kernel/process_32.c                     |   29 +-
 arch/x86/kernel/process_64.c                     |   15 +-
 arch/x86/kernel/ptrace.c                         |   25 +-
 arch/x86/kernel/pvclock.c                        |    8 +-
 arch/x86/kernel/reboot.c                         |   44 +-
 arch/x86/kernel/relocate_kernel_64.S             |    4 +-
 arch/x86/kernel/setup.c                          |   14 +-
 arch/x86/kernel/setup_percpu.c                   |   27 +-
 arch/x86/kernel/signal.c                         |   15 +-
 arch/x86/kernel/smp.c                            |    2 +-
 arch/x86/kernel/smpboot.c                        |   15 +-
 arch/x86/kernel/step.c                           |   10 +-
 arch/x86/kernel/sys_i386_32.c                    |  247 ++
 arch/x86/kernel/sys_x86_64.c                     |   19 +-
 arch/x86/kernel/tboot.c                          |   14 +-
 arch/x86/kernel/time.c                           |   10 +-
 arch/x86/kernel/tls.c                            |    7 +-
 arch/x86/kernel/traps.c                          |   64 +-
 arch/x86/kernel/uprobes.c                        |    2 +-
 arch/x86/kernel/vm86_32.c                        |    6 +-
 arch/x86/kernel/vmlinux.lds.S                    |  148 +-
 arch/x86/kernel/vsyscall_64.c                    |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                 |    2 -
 arch/x86/kernel/x86_init.c                       |    8 +-
 arch/x86/kernel/xsave.c                          |    2 +
 arch/x86/kvm/cpuid.c                             |   21 +-
 arch/x86/kvm/emulate.c                           |    4 +-
 arch/x86/kvm/lapic.c                             |    2 +-
 arch/x86/kvm/paging_tmpl.h                       |    2 +-
 arch/x86/kvm/svm.c                               |    8 +
 arch/x86/kvm/vmx.c                               |   47 +-
 arch/x86/kvm/x86.c                               |   10 +-
 arch/x86/lguest/boot.c                           |    3 +-
 arch/x86/lib/atomic64_386_32.S                   |  164 +
 arch/x86/lib/atomic64_cx8_32.S                   |  103 +-
 arch/x86/lib/checksum_32.S                       |  100 +-
 arch/x86/lib/clear_page_64.S                     |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                    |    2 +
 arch/x86/lib/copy_page_64.S                      |   24 +-
 arch/x86/lib/copy_user_64.S                      |   47 +-
 arch/x86/lib/copy_user_nocache_64.S              |   20 +-
 arch/x86/lib/csum-copy_64.S                      |    2 +
 arch/x86/lib/csum-wrappers_64.c                  |    4 +-
 arch/x86/lib/getuser.S                           |   68 +-
 arch/x86/lib/insn.c                              |    6 +-
 arch/x86/lib/iomap_copy_64.S                     |    2 +
 arch/x86/lib/memcpy_64.S                         |   18 +-
 arch/x86/lib/memmove_64.S                        |   34 +-
 arch/x86/lib/memset_64.S                         |    7 +-
 arch/x86/lib/mmx_32.c                            |  243 +-
 arch/x86/lib/msr-reg.S                           |   18 +-
 arch/x86/lib/putuser.S                           |   90 +-
 arch/x86/lib/rwlock.S                            |   42 +
 arch/x86/lib/rwsem.S                             |    6 +-
 arch/x86/lib/thunk_64.S                          |    2 +
 arch/x86/lib/usercopy_32.c                       |  376 ++-
 arch/x86/lib/usercopy_64.c                       |   25 +-
 arch/x86/mm/extable.c                            |   25 +-
 arch/x86/mm/fault.c                              |  555 +++-
 arch/x86/mm/gup.c                                |    2 +-
 arch/x86/mm/highmem_32.c                         |    4 +
 arch/x86/mm/hugetlbpage.c                        |   30 +-
 arch/x86/mm/init.c                               |   92 +-
 arch/x86/mm/init_32.c                            |  122 +-
 arch/x86/mm/init_64.c                            |   48 +-
 arch/x86/mm/iomap_32.c                           |    4 +
 arch/x86/mm/ioremap.c                            |   12 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                |    4 +-
 arch/x86/mm/mmap.c                               |   41 +-
 arch/x86/mm/mmio-mod.c                           |   10 +-
 arch/x86/mm/pageattr-test.c                      |    2 +-
 arch/x86/mm/pageattr.c                           |   33 +-
 arch/x86/mm/pat.c                                |   12 +-
 arch/x86/mm/pf_in.c                              |   10 +-
 arch/x86/mm/pgtable.c                            |  137 +-
 arch/x86/mm/pgtable_32.c                         |    3 +
 arch/x86/mm/setup_nx.c                           |    7 +
 arch/x86/mm/tlb.c                                |    4 +
 arch/x86/net/bpf_jit.S                           |   14 +
 arch/x86/net/bpf_jit_comp.c                      |   37 +-
 arch/x86/oprofile/backtrace.c                    |    8 +-
 arch/x86/pci/amd_bus.c                           |    2 +-
 arch/x86/pci/mrst.c                              |    4 +-
 arch/x86/pci/pcbios.c                            |  144 +-
 arch/x86/platform/efi/efi_32.c                   |   19 +
 arch/x86/platform/efi/efi_stub_32.S              |   64 +-
 arch/x86/platform/efi/efi_stub_64.S              |    8 +
 arch/x86/platform/mrst/mrst.c                    |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                 |    2 +-
 arch/x86/power/cpu.c                             |    4 +-
 arch/x86/realmode/init.c                         |    8 +-
 arch/x86/realmode/rm/Makefile                    |    3 +
 arch/x86/realmode/rm/header.S                    |    4 +-
 arch/x86/realmode/rm/trampoline_32.S             |   12 +-
 arch/x86/realmode/rm/trampoline_64.S             |    2 +-
 arch/x86/tools/relocs.c                          |   95 +-
 arch/x86/vdso/Makefile                           |    2 +-
 arch/x86/vdso/vdso32-setup.c                     |   23 +-
 arch/x86/vdso/vma.c                              |   29 +-
 arch/x86/xen/enlighten.c                         |   47 +-
 arch/x86/xen/mmu.c                               |    9 +
 arch/x86/xen/smp.c                               |   18 +-
 arch/x86/xen/xen-asm_32.S                        |   12 +-
 arch/x86/xen/xen-head.S                          |   11 +
 arch/x86/xen/xen-ops.h                           |    2 -
 block/blk-iopoll.c                               |    4 +-
 block/blk-map.c                                  |    2 +-
 block/blk-softirq.c                              |    4 +-
 block/bsg.c                                      |   12 +-
 block/compat_ioctl.c                             |    2 +-
 block/partitions/efi.c                           |    8 +-
 block/scsi_ioctl.c                               |   27 +-
 crypto/cryptd.c                                  |    4 +-
 drivers/acpi/apei/cper.c                         |    8 +-
 drivers/acpi/ec_sys.c                            |   12 +-
 drivers/acpi/processor_driver.c                  |    2 +-
 drivers/ata/libata-core.c                        |    8 +-
 drivers/ata/pata_arasan_cf.c                     |    4 +-
 drivers/atm/adummy.c                             |    2 +-
 drivers/atm/ambassador.c                         |    8 +-
 drivers/atm/atmtcp.c                             |   14 +-
 drivers/atm/eni.c                                |   10 +-
 drivers/atm/firestream.c                         |    8 +-
 drivers/atm/fore200e.c                           |   14 +-
 drivers/atm/he.c                                 |   18 +-
 drivers/atm/horizon.c                            |    4 +-
 drivers/atm/idt77252.c                           |   36 +-
 drivers/atm/iphase.c                             |   34 +-
 drivers/atm/lanai.c                              |   12 +-
 drivers/atm/nicstar.c                            |   46 +-
 drivers/atm/solos-pci.c                          |    4 +-
 drivers/atm/suni.c                               |    4 +-
 drivers/atm/uPD98402.c                           |   16 +-
 drivers/atm/zatm.c                               |    6 +-
 drivers/base/devtmpfs.c                          |    2 +-
 drivers/base/power/wakeup.c                      |    8 +-
 drivers/block/cciss.c                            |   28 +-
 drivers/block/cciss.h                            |    2 +-
 drivers/block/cpqarray.c                         |   28 +-
 drivers/block/cpqarray.h                         |    2 +-
 drivers/block/drbd/drbd_int.h                    |    6 +-
 drivers/block/drbd/drbd_main.c                   |    8 +-
 drivers/block/drbd/drbd_receiver.c               |   18 +-
 drivers/block/loop.c                             |    2 +-
 drivers/cdrom/cdrom.c                            |    9 +-
 drivers/cdrom/gdrom.c                            |    1 -
 drivers/char/agp/frontend.c                      |    2 +-
 drivers/char/hpet.c                              |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c              |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                 |    8 +-
 drivers/char/mem.c                               |   41 +-
 drivers/char/nvram.c                             |    2 +-
 drivers/char/pcmcia/synclink_cs.c                |   18 +-
 drivers/char/random.c                            |    8 +-
 drivers/char/sonypi.c                            |    9 +-
 drivers/char/tpm/tpm.c                           |    2 +-
 drivers/char/tpm/tpm_acpi.c                      |    3 +-
 drivers/char/tpm/tpm_eventlog.c                  |    7 +-
 drivers/char/virtio_console.c                    |    4 +-
 drivers/clocksource/arm_generic.c                |    2 +-
 drivers/cpufreq/cpufreq.c                        |    2 +-
 drivers/cpufreq/cpufreq_stats.c                  |    2 +-
 drivers/dma/sh/shdma.c                           |    2 +-
 drivers/edac/edac_pci_sysfs.c                    |   20 +-
 drivers/edac/mce_amd.h                           |    2 +-
 drivers/firewire/core-card.c                     |    2 +-
 drivers/firewire/core-cdev.c                     |    3 +-
 drivers/firewire/core-transaction.c              |    1 +
 drivers/firewire/core.h                          |    1 +
 drivers/firmware/dmi_scan.c                      |    7 +-
 drivers/firmware/efivars.c                       |    2 +-
 drivers/gpio/gpio-vr41xx.c                       |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                |    2 +-
 drivers/gpu/drm/drm_drv.c                        |    4 +-
 drivers/gpu/drm/drm_fops.c                       |   18 +-
 drivers/gpu/drm/drm_global.c                     |   14 +-
 drivers/gpu/drm/drm_info.c                       |   14 +-
 drivers/gpu/drm/drm_ioc32.c                      |    4 +-
 drivers/gpu/drm/drm_ioctl.c                      |    2 +-
 drivers/gpu/drm/drm_lock.c                       |    4 +-
 drivers/gpu/drm/drm_stub.c                       |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                  |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c              |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                  |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                  |    6 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c       |    6 +-
 drivers/gpu/drm/i915/i915_irq.c                  |   22 +-
 drivers/gpu/drm/i915/intel_display.c             |    9 +-
 drivers/gpu/drm/mga/mga_drv.h                    |    4 +-
 drivers/gpu/drm/mga/mga_irq.c                    |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c           |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_fence.h          |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c            |    2 +-
 drivers/gpu/drm/r128/r128_cce.c                  |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                  |    4 +-
 drivers/gpu/drm/r128/r128_irq.c                  |    4 +-
 drivers/gpu/drm/r128/r128_state.c                |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c           |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h              |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c            |    2 +-
 drivers/gpu/drm/radeon/radeon_irq.c              |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c            |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c              |    4 +-
 drivers/gpu/drm/radeon/rs690.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c             |    4 +-
 drivers/gpu/drm/via/via_drv.h                    |    4 +-
 drivers/gpu/drm/via/via_irq.c                    |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h              |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c             |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c           |    2 +-
 drivers/hid/hid-core.c                           |    4 +-
 drivers/hv/channel.c                             |    4 +-
 drivers/hv/hv.c                                  |    2 +-
 drivers/hv/hyperv_vmbus.h                        |    2 +-
 drivers/hv/vmbus_drv.c                           |    4 +-
 drivers/hwmon/coretemp.c                         |    2 +-
 drivers/hwmon/sht15.c                            |   12 +-
 drivers/hwmon/via-cputemp.c                      |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c            |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c           |    2 +-
 drivers/ide/ide-cd.c                             |    2 +-
 drivers/infiniband/core/cm.c                     |   32 +-
 drivers/infiniband/core/fmr_pool.c               |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c           |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c          |    6 +-
 drivers/infiniband/hw/nes/nes.c                  |    4 +-
 drivers/infiniband/hw/nes/nes.h                  |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c               |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c              |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c              |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c            |   10 +-
 drivers/infiniband/hw/qib/qib.h                  |    1 +
 drivers/input/gameport/gameport.c                |    4 +-
 drivers/input/input.c                            |    4 +-
 drivers/input/joystick/sidewinder.c              |    1 +
 drivers/input/joystick/xpad.c                    |    4 +-
 drivers/input/mousedev.c                         |    2 +-
 drivers/input/serio/serio.c                      |    4 +-
 drivers/isdn/capi/capi.c                         |   10 +-
 drivers/isdn/gigaset/interface.c                 |    8 +-
 drivers/isdn/hardware/avm/b1.c                   |    4 +-
 drivers/isdn/i4l/isdn_tty.c                      |   22 +-
 drivers/isdn/icn/icn.c                           |    2 +-
 drivers/lguest/core.c                            |   10 +-
 drivers/lguest/x86/core.c                        |   12 +-
 drivers/lguest/x86/switcher_32.S                 |   27 +-
 drivers/md/bitmap.c                              |    2 +-
 drivers/md/dm-ioctl.c                            |    2 +-
 drivers/md/dm-raid1.c                            |   16 +-
 drivers/md/dm-stripe.c                           |   10 +-
 drivers/md/dm-table.c                            |    2 +-
 drivers/md/dm-thin-metadata.c                    |    4 +-
 drivers/md/dm.c                                  |   16 +-
 drivers/md/md.c                                  |   26 +-
 drivers/md/md.h                                  |    6 +-
 drivers/md/persistent-data/dm-space-map.h        |    1 +
 drivers/md/raid1.c                               |    4 +-
 drivers/md/raid10.c                              |   16 +-
 drivers/md/raid5.c                               |   10 +-
 drivers/media/dvb-core/dvbdev.c                  |    2 +-
 drivers/media/dvb-frontends/dib3000.h            |    2 +-
 drivers/media/platform/omap/omap_vout.c          |   11 +-
 drivers/media/platform/s5p-tv/mixer.h            |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c  |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c        |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c      |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c   |    2 +-
 drivers/media/radio/radio-cadet.c                |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c               |    2 +-
 drivers/message/fusion/mptsas.c                  |   34 +-
 drivers/message/fusion/mptscsih.c                |   19 +-
 drivers/message/i2o/i2o_proc.c                   |   51 +-
 drivers/message/i2o/iop.c                        |    8 +-
 drivers/mfd/janz-cmodio.c                        |    1 +
 drivers/misc/kgdbts.c                            |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c               |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h               |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                 |    8 +-
 drivers/misc/sgi-gru/grutables.h                 |  154 +-
 drivers/misc/sgi-xp/xp.h                         |    2 +-
 drivers/misc/sgi-xp/xpc.h                        |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                   |    4 +-
 drivers/mmc/core/mmc_ops.c                       |    2 +-
 drivers/mmc/host/dw_mmc.h                        |    2 +-
 drivers/mmc/host/sdhci-s3c.c                     |    8 +-
 drivers/mtd/devices/doc2000.c                    |    2 +-
 drivers/mtd/nand/denali.c                        |    1 +
 drivers/mtd/nftlmount.c                          |    1 +
 drivers/net/ethernet/8390/ax88796.c              |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h  |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c   |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h   |    3 +-
 drivers/net/ethernet/broadcom/tg3.h              |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h         |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c           |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c      |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c         |    2 +
 drivers/net/ethernet/faraday/ftmac100.c          |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c     |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c |    7 +-
 drivers/net/ethernet/realtek/r8169.c             |    8 +-
 drivers/net/ethernet/sfc/ptp.c                   |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c   |    4 +-
 drivers/net/hyperv/hyperv_net.h                  |    2 +-
 drivers/net/hyperv/rndis_filter.c                |    4 +-
 drivers/net/ieee802154/fakehard.c                |    2 +-
 drivers/net/macvlan.c                            |    2 +-
 drivers/net/macvtap.c                            |    2 +-
 drivers/net/ppp/ppp_generic.c                    |    4 +-
 drivers/net/team/team.c                          |    2 +-
 drivers/net/tun.c                                |    5 +-
 drivers/net/usb/hso.c                            |   23 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c      |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c      |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h              |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c         |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c       |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c        |    4 +-
 drivers/net/wireless/mac80211_hwsim.c            |   32 +-
 drivers/net/wireless/rndis_wlan.c                |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h             |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c        |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c            |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c            |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c            |    6 +-
 drivers/oprofile/buffer_sync.c                   |    8 +-
 drivers/oprofile/event_buffer.c                  |    2 +-
 drivers/oprofile/oprof.c                         |    2 +-
 drivers/oprofile/oprofile_stats.c                |   10 +-
 drivers/oprofile/oprofile_stats.h                |   10 +-
 drivers/oprofile/oprofilefs.c                    |    2 +-
 drivers/oprofile/timer_int.c                     |    2 +-
 drivers/parport/procfs.c                         |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c             |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c              |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c               |    4 +
 drivers/pci/pcie/aspm.c                          |    6 +-
 drivers/pci/probe.c                              |    2 +-
 drivers/platform/x86/thinkpad_acpi.c             |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                  |   14 +-
 drivers/pnp/resource.c                           |    4 +-
 drivers/power/pda_power.c                        |    7 +-
 drivers/regulator/max8660.c                      |    6 +-
 drivers/regulator/max8973-regulator.c            |    8 +-
 drivers/regulator/mc13892-regulator.c            |    6 +-
 drivers/scsi/bfa/bfa.h                           |    2 +-
 drivers/scsi/bfa/bfa_fcpim.h                     |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                       |    4 +-
 drivers/scsi/hosts.c                             |    4 +-
 drivers/scsi/hpsa.c                              |   30 +-
 drivers/scsi/hpsa.h                              |    2 +-
 drivers/scsi/libfc/fc_exch.c                     |   50 +-
 drivers/scsi/libsas/sas_ata.c                    |    2 +-
 drivers/scsi/lpfc/lpfc.h                         |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                 |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                    |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                    |   16 +-
 drivers/scsi/pmcraid.c                           |   20 +-
 drivers/scsi/pmcraid.h                           |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                  |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                   |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                    |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                   |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                    |    6 +-
 drivers/scsi/scsi.c                              |    2 +-
 drivers/scsi/scsi_lib.c                          |    6 +-
 drivers/scsi/scsi_sysfs.c                        |    2 +-
 drivers/scsi/scsi_tgt_lib.c                      |    2 +-
 drivers/scsi/scsi_transport_fc.c                 |    8 +-
 drivers/scsi/scsi_transport_iscsi.c              |    6 +-
 drivers/scsi/scsi_transport_srp.c                |    6 +-
 drivers/scsi/sd.c                                |    2 +-
 drivers/scsi/sg.c                                |    2 +-
 drivers/spi/spi.c                                |    2 +-
 drivers/staging/octeon/ethernet-rx.c             |   12 +-
 drivers/staging/octeon/ethernet.c                |    8 +-
 drivers/staging/ramster/tmem.c                   |   54 +-
 drivers/staging/rtl8712/rtl871x_io.h             |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c               |    2 +-
 drivers/staging/usbip/vhci.h                     |    2 +-
 drivers/staging/usbip/vhci_hcd.c                 |    6 +-
 drivers/staging/usbip/vhci_rx.c                  |    2 +-
 drivers/staging/vt6655/hostap.c                  |    7 +-
 drivers/staging/vt6656/hostap.c                  |    7 +-
 drivers/staging/zcache/tmem.c                    |    4 +-
 drivers/staging/zcache/tmem.h                    |    2 +
 drivers/target/target_core_device.c              |    2 +-
 drivers/target/target_core_transport.c           |    2 +-
 drivers/tty/cyclades.c                           |    6 +-
 drivers/tty/hvc/hvc_console.c                    |   14 +-
 drivers/tty/hvc/hvcs.c                           |   21 +-
 drivers/tty/ipwireless/tty.c                     |   27 +-
 drivers/tty/moxa.c                               |    2 +-
 drivers/tty/n_gsm.c                              |    4 +-
 drivers/tty/n_tty.c                              |    3 +-
 drivers/tty/pty.c                                |    4 +-
 drivers/tty/rocket.c                             |    6 +-
 drivers/tty/serial/kgdboc.c                      |   32 +-
 drivers/tty/serial/samsung.c                     |    9 +-
 drivers/tty/serial/serial_core.c                 |    8 +-
 drivers/tty/synclink.c                           |   34 +-
 drivers/tty/synclink_gt.c                        |   28 +-
 drivers/tty/synclinkmp.c                         |   34 +-
 drivers/tty/tty_io.c                             |    2 +-
 drivers/tty/tty_ldisc.c                          |   10 +-
 drivers/tty/tty_port.c                           |   22 +-
 drivers/uio/uio.c                                |   21 +-
 drivers/usb/atm/cxacru.c                         |    2 +-
 drivers/usb/atm/usbatm.c                         |   24 +-
 drivers/usb/core/devices.c                       |    6 +-
 drivers/usb/core/hcd.c                           |    4 +-
 drivers/usb/core/sysfs.c                         |    2 +-
 drivers/usb/core/usb.c                           |    2 +-
 drivers/usb/early/ehci-dbgp.c                    |   16 +-
 drivers/usb/gadget/u_serial.c                    |   22 +-
 drivers/usb/serial/console.c                     |    6 +-
 drivers/usb/wusbcore/wa-hc.h                     |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                   |    2 +-
 drivers/video/aty/aty128fb.c                     |    2 +-
 drivers/video/fbcmap.c                           |    3 +-
 drivers/video/fbmem.c                            |    6 +-
 drivers/video/i810/i810_accel.c                  |    1 +
 drivers/video/udlfb.c                            |   32 +-
 drivers/video/uvesafb.c                          |   39 +-
 drivers/video/vesafb.c                           |   51 +-
 drivers/video/via/via_clock.h                    |    2 +-
 fs/9p/vfs_inode.c                                |    2 +-
 fs/Kconfig.binfmt                                |    2 +-
 fs/aio.c                                         |   11 +-
 fs/autofs4/waitq.c                               |    2 +-
 fs/befs/linuxvfs.c                               |    2 +-
 fs/binfmt_aout.c                                 |   23 +-
 fs/binfmt_elf.c                                  |  604 ++++-
 fs/binfmt_flat.c                                 |    6 +
 fs/bio.c                                         |    6 +-
 fs/block_dev.c                                   |    2 +-
 fs/btrfs/ctree.c                                 |    9 +-
 fs/btrfs/relocation.c                            |    2 +-
 fs/btrfs/super.c                                 |    2 +-
 fs/cachefiles/bind.c                             |    6 +-
 fs/cachefiles/daemon.c                           |    8 +-
 fs/cachefiles/internal.h                         |   12 +-
 fs/cachefiles/namei.c                            |    2 +-
 fs/cachefiles/proc.c                             |   12 +-
 fs/cachefiles/rdwr.c                             |    2 +-
 fs/ceph/dir.c                                    |    2 +-
 fs/cifs/cifs_debug.c                             |   12 +-
 fs/cifs/cifsfs.c                                 |    8 +-
 fs/cifs/cifsglob.h                               |   54 +-
 fs/cifs/link.c                                   |    2 +-
 fs/cifs/misc.c                                   |    4 +-
 fs/cifs/smb1ops.c                                |   80 +-
 fs/cifs/smb2ops.c                                |   84 +-
 fs/cifs/smb2pdu.c                                |    3 +-
 fs/coda/cache.c                                  |   10 +-
 fs/compat.c                                      |    6 +-
 fs/compat_binfmt_elf.c                           |    2 +
 fs/compat_ioctl.c                                |    8 +-
 fs/configfs/dir.c                                |   10 +-
 fs/coredump.c                                    |   24 +-
 fs/dcache.c                                      |    2 +-
 fs/ecryptfs/inode.c                              |    4 +-
 fs/ecryptfs/miscdev.c                            |    2 +-
 fs/ecryptfs/read_write.c                         |    4 +-
 fs/exec.c                                        |  356 ++-
 fs/ext4/ext4.h                                   |   20 +-
 fs/ext4/mballoc.c                                |   44 +-
 fs/fhandle.c                                     |    3 +-
 fs/fifo.c                                        |   22 +-
 fs/fs_struct.c                                   |    8 +-
 fs/fscache/cookie.c                              |   36 +-
 fs/fscache/internal.h                            |  196 +-
 fs/fscache/object.c                              |   28 +-
 fs/fscache/operation.c                           |   30 +-
 fs/fscache/page.c                                |  110 +-
 fs/fscache/stats.c                               |  344 +-
 fs/fuse/cuse.c                                   |   10 +-
 fs/fuse/dev.c                                    |    2 +-
 fs/fuse/dir.c                                    |    2 +-
 fs/gfs2/inode.c                                  |    2 +-
 fs/hugetlbfs/inode.c                             |   13 +-
 fs/inode.c                                       |    4 +-
 fs/jffs2/erase.c                                 |    3 +-
 fs/jffs2/wbuf.c                                  |    3 +-
 fs/jfs/super.c                                   |    2 +-
 fs/libfs.c                                       |   10 +-
 fs/lockd/clntproc.c                              |    4 +-
 fs/locks.c                                       |    8 +-
 fs/namei.c                                       |   15 +-
 fs/namespace.c                                   |    2 +-
 fs/nfs/inode.c                                   |    6 +-
 fs/nfsd/vfs.c                                    |    6 +-
 fs/notify/fanotify/fanotify_user.c               |    4 +-
 fs/notify/notification.c                         |    4 +-
 fs/ntfs/dir.c                                    |    2 +-
 fs/ntfs/file.c                                   |    4 +-
 fs/ocfs2/localalloc.c                            |    2 +-
 fs/ocfs2/ocfs2.h                                 |   10 +-
 fs/ocfs2/suballoc.c                              |   12 +-
 fs/ocfs2/super.c                                 |   20 +-
 fs/pipe.c                                        |   33 +-
 fs/proc/array.c                                  |   20 +
 fs/proc/kcore.c                                  |   32 +-
 fs/proc/meminfo.c                                |    2 +-
 fs/proc/nommu.c                                  |    2 +-
 fs/proc/self.c                                   |    2 +-
 fs/proc/task_mmu.c                               |   39 +-
 fs/proc/task_nommu.c                             |    4 +-
 fs/quota/netlink.c                               |    4 +-
 fs/readdir.c                                     |    2 +-
 fs/reiserfs/do_balan.c                           |    2 +-
 fs/reiserfs/procfs.c                             |    2 +-
 fs/reiserfs/reiserfs.h                           |    4 +-
 fs/seq_file.c                                    |    2 +-
 fs/splice.c                                      |   36 +-
 fs/sysfs/file.c                                  |   10 +-
 fs/sysfs/symlink.c                               |    2 +-
 fs/udf/misc.c                                    |    2 +-
 fs/xattr_acl.c                                   |    4 +-
 fs/xfs/xfs_bmap.c                                |    2 +-
 fs/xfs/xfs_dir2_sf.c                             |   10 +-
 fs/xfs/xfs_ioctl.c                               |    2 +-
 fs/xfs/xfs_iops.c                                |    2 +-
 include/asm-generic/4level-fixup.h               |    2 +
 include/asm-generic/atomic-long.h                |  210 ++
 include/asm-generic/atomic.h                     |    2 +-
 include/asm-generic/atomic64.h                   |   12 +
 include/asm-generic/cache.h                      |    4 +-
 include/asm-generic/emergency-restart.h          |    2 +-
 include/asm-generic/kmap_types.h                 |    4 +-
 include/asm-generic/local.h                      |   13 +
 include/asm-generic/pgtable-nopmd.h              |   18 +-
 include/asm-generic/pgtable-nopud.h              |   15 +-
 include/asm-generic/pgtable.h                    |    8 +
 include/asm-generic/vmlinux.lds.h                |   10 +-
 include/crypto/algapi.h                          |    2 +-
 include/drm/drmP.h                               |    5 +-
 include/drm/drm_crtc_helper.h                    |    2 +-
 include/drm/ttm/ttm_memory.h                     |    2 +-
 include/linux/atmdev.h                           |    2 +-
 include/linux/binfmts.h                          |    1 +
 include/linux/blkdev.h                           |    2 +-
 include/linux/blktrace_api.h                     |    2 +-
 include/linux/cache.h                            |    4 +
 include/linux/cdrom.h                            |    1 -
 include/linux/cleancache.h                       |    2 +-
 include/linux/compiler-gcc4.h                    |   20 +
 include/linux/compiler.h                         |   72 +-
 include/linux/cpu.h                              |    2 +-
 include/linux/crypto.h                           |    6 +-
 include/linux/decompress/mm.h                    |    2 +-
 include/linux/dma-mapping.h                      |    2 +-
 include/linux/dmaengine.h                        |    4 +-
 include/linux/efi.h                              |    1 +
 include/linux/elf.h                              |    2 +
 include/linux/filter.h                           |    4 +
 include/linux/frontswap.h                        |    2 +-
 include/linux/fs.h                               |    3 +-
 include/linux/fs_struct.h                        |    2 +-
 include/linux/fscache-cache.h                    |    4 +-
 include/linux/fsnotify.h                         |    2 +-
 include/linux/ftrace_event.h                     |    2 +-
 include/linux/genhd.h                            |    2 +-
 include/linux/gfp.h                              |   12 +-
 include/linux/highmem.h                          |   12 +
 include/linux/i2c.h                              |    1 +
 include/linux/i2o.h                              |    2 +-
 include/linux/if_pppox.h                         |    2 +-
 include/linux/init.h                             |   33 +-
 include/linux/init_task.h                        |    7 +
 include/linux/interrupt.h                        |    8 +-
 include/linux/kgdb.h                             |    6 +-
 include/linux/kobject.h                          |    2 +-
 include/linux/kref.h                             |    2 +-
 include/linux/kvm_host.h                         |    4 +-
 include/linux/libata.h                           |    2 +-
 include/linux/list.h                             |    3 +
 include/linux/mm.h                               |   91 +-
 include/linux/mm_types.h                         |   22 +-
 include/linux/mmiotrace.h                        |    4 +-
 include/linux/mmzone.h                           |    2 +-
 include/linux/mod_devicetable.h                  |    4 +-
 include/linux/module.h                           |   55 +-
 include/linux/moduleloader.h                     |   18 +-
 include/linux/moduleparam.h                      |    4 +-
 include/linux/namei.h                            |    6 +-
 include/linux/netdevice.h                        |    3 +-
 include/linux/netfilter/ipset/ip_set.h           |    2 +-
 include/linux/netfilter/nfnetlink.h              |    2 +-
 include/linux/notifier.h                         |    3 +-
 include/linux/oprofile.h                         |    4 +-
 include/linux/perf_event.h                       |   10 +-
 include/linux/pipe_fs_i.h                        |    6 +-
 include/linux/platform_data/usb-ehci-s5p.h       |    2 +-
 include/linux/pm_runtime.h                       |    2 +-
 include/linux/poison.h                           |    4 +-
 include/linux/power/smartreflex.h                |    2 +-
 include/linux/random.h                           |    5 +
 include/linux/reboot.h                           |   14 +-
 include/linux/regset.h                           |    3 +-
 include/linux/relay.h                            |    2 +-
 include/linux/rio.h                              |    2 +-
 include/linux/rmap.h                             |    4 +-
 include/linux/sched.h                            |   64 +-
 include/linux/seq_file.h                         |    1 +
 include/linux/skbuff.h                           |   12 +-
 include/linux/slab.h                             |   36 +-
 include/linux/slab_def.h                         |   33 +-
 include/linux/slob_def.h                         |    4 +-
 include/linux/slub_def.h                         |   10 +-
 include/linux/sonet.h                            |    2 +-
 include/linux/sunrpc/clnt.h                      |    8 +-
 include/linux/sunrpc/svc_rdma.h                  |   18 +-
 include/linux/sysrq.h                            |    2 +-
 include/linux/thread_info.h                      |    7 +
 include/linux/tty.h                              |    4 +-
 include/linux/tty_driver.h                       |    2 +-
 include/linux/tty_ldisc.h                        |    2 +-
 include/linux/types.h                            |   16 +
 include/linux/uaccess.h                          |    6 +-
 include/linux/unaligned/access_ok.h              |   12 +-
 include/linux/usb.h                              |    2 +-
 include/linux/usb/renesas_usbhs.h                |    2 +-
 include/linux/vermagic.h                         |   21 +-
 include/linux/vmalloc.h                          |   11 +-
 include/linux/vmstat.h                           |   20 +-
 include/media/v4l2-dev.h                         |    2 +-
 include/media/v4l2-ioctl.h                       |    1 -
 include/net/caif/cfctrl.h                        |    6 +-
 include/net/flow.h                               |    2 +-
 include/net/gro_cells.h                          |    6 +-
 include/net/inet_connection_sock.h               |    2 +-
 include/net/inetpeer.h                           |    8 +-
 include/net/ip_fib.h                             |    2 +-
 include/net/ip_vs.h                              |    4 +-
 include/net/irda/ircomm_tty.h                    |    1 +
 include/net/iucv/af_iucv.h                       |    2 +-
 include/net/neighbour.h                          |    2 +-
 include/net/net_namespace.h                      |    6 +-
 include/net/netdma.h                             |    2 +-
 include/net/netlink.h                            |    2 +-
 include/net/netns/ipv4.h                         |    2 +-
 include/net/protocol.h                           |    4 +-
 include/net/sctp/sctp.h                          |    6 +-
 include/net/sctp/structs.h                       |    4 +-
 include/net/sock.h                               |    6 +-
 include/net/tcp.h                                |    8 +-
 include/net/xfrm.h                               |    4 +-
 include/rdma/iw_cm.h                             |    2 +-
 include/scsi/libfc.h                             |    3 +-
 include/scsi/scsi_device.h                       |    6 +-
 include/scsi/scsi_transport_fc.h                 |    3 +-
 include/sound/soc.h                              |    4 +-
 include/target/target_core_base.h                |    2 +-
 include/trace/events/irq.h                       |    4 +-
 include/uapi/linux/a.out.h                       |    8 +
 include/uapi/linux/byteorder/little_endian.h     |   24 +-
 include/uapi/linux/elf.h                         |   28 +
 include/uapi/linux/screen_info.h                 |    3 +-
 include/uapi/linux/sysctl.h                      |    6 +-
 include/uapi/linux/xattr.h                       |    4 +
 include/video/udlfb.h                            |    8 +-
 include/video/uvesafb.h                          |    1 +
 init/Kconfig                                     |    2 +-
 init/Makefile                                    |    3 +
 init/do_mounts.c                                 |   14 +-
 init/do_mounts.h                                 |    8 +-
 init/do_mounts_initrd.c                          |   22 +-
 init/do_mounts_md.c                              |    6 +-
 init/init_task.c                                 |    4 +
 init/initramfs.c                                 |   40 +-
 init/main.c                                      |   78 +-
 ipc/msg.c                                        |   11 +-
 ipc/sem.c                                        |   11 +-
 ipc/shm.c                                        |   17 +-
 kernel/acct.c                                    |    2 +-
 kernel/audit.c                                   |    8 +-
 kernel/auditsc.c                                 |    4 +-
 kernel/capability.c                              |    3 +
 kernel/compat.c                                  |   40 +-
 kernel/debug/debug_core.c                        |   16 +-
 kernel/debug/kdb/kdb_main.c                      |    4 +-
 kernel/events/core.c                             |   28 +-
 kernel/exit.c                                    |    4 +-
 kernel/fork.c                                    |  167 +-
 kernel/futex.c                                   |    9 +
 kernel/gcov/base.c                               |    7 +-
 kernel/hrtimer.c                                 |    4 +-
 kernel/jump_label.c                              |    5 +
 kernel/kallsyms.c                                |   39 +-
 kernel/kexec.c                                   |    3 +-
 kernel/kmod.c                                    |    2 +-
 kernel/kprobes.c                                 |    8 +-
 kernel/lockdep.c                                 |    7 +-
 kernel/module.c                                  |  333 ++-
 kernel/mutex-debug.c                             |   12 +-
 kernel/mutex-debug.h                             |    4 +-
 kernel/mutex.c                                   |    7 +-
 kernel/notifier.c                                |   17 +-
 kernel/panic.c                                   |    3 +-
 kernel/pid.c                                     |    2 +-
 kernel/posix-cpu-timers.c                        |    4 +-
 kernel/posix-timers.c                            |   20 +-
 kernel/power/process.c                           |   12 +-
 kernel/profile.c                                 |   14 +-
 kernel/ptrace.c                                  |    6 +-
 kernel/rcutiny.c                                 |    4 +-
 kernel/rcutiny_plugin.h                          |    2 +-
 kernel/rcutorture.c                              |   56 +-
 kernel/rcutree.c                                 |   72 +-
 kernel/rcutree.h                                 |   24 +-
 kernel/rcutree_plugin.h                          |   18 +-
 kernel/rcutree_trace.c                           |   22 +-
 kernel/rtmutex-tester.c                          |   24 +-
 kernel/sched/auto_group.c                        |    4 +-
 kernel/sched/core.c                              |    2 +-
 kernel/sched/fair.c                              |    4 +-
 kernel/signal.c                                  |   12 +-
 kernel/smp.c                                     |    2 +-
 kernel/softirq.c                                 |   16 +-
 kernel/srcu.c                                    |    6 +-
 kernel/stop_machine.c                            |    2 +-
 kernel/sys.c                                     |   12 +-
 kernel/sysctl.c                                  |   37 +-
 kernel/sysctl_binary.c                           |   14 +-
 kernel/time/alarmtimer.c                         |    2 +-
 kernel/time/tick-broadcast.c                     |    2 +-
 kernel/time/timer_stats.c                        |   10 +-
 kernel/timer.c                                   |    4 +-
 kernel/trace/blktrace.c                          |    6 +-
 kernel/trace/ftrace.c                            |   20 +-
 kernel/trace/ring_buffer.c                       |   76 +-
 kernel/trace/trace.c                             |    6 +-
 kernel/trace/trace_events.c                      |   25 +-
 kernel/trace/trace_mmiotrace.c                   |    8 +-
 kernel/trace/trace_output.c                      |   12 +-
 kernel/trace/trace_stack.c                       |    2 +-
 lib/Makefile                                     |    2 +-
 lib/bitmap.c                                     |    8 +-
 lib/bug.c                                        |    2 +
 lib/debugobjects.c                               |    2 +-
 lib/devres.c                                     |    4 +-
 lib/dma-debug.c                                  |    4 +-
 lib/inflate.c                                    |    2 +-
 lib/ioremap.c                                    |    4 +-
 lib/list_debug.c                                 |   89 +-
 lib/radix-tree.c                                 |    2 +-
 lib/strncpy_from_user.c                          |    2 +-
 lib/strnlen_user.c                               |    2 +-
 lib/vsprintf.c                                   |   12 +-
 mm/Kconfig                                       |    6 +-
 mm/filemap.c                                     |    2 +-
 mm/fremap.c                                      |    5 +
 mm/highmem.c                                     |    7 +-
 mm/hugetlb.c                                     |   54 +
 mm/internal.h                                    |    1 +
 mm/maccess.c                                     |    4 +-
 mm/madvise.c                                     |   41 +
 mm/memory-failure.c                              |   18 +-
 mm/memory.c                                      |  404 ++-
 mm/mempolicy.c                                   |   26 +
 mm/mlock.c                                       |   16 +-
 mm/mmap.c                                        |  573 +++-
 mm/mprotect.c                                    |  138 +-
 mm/mremap.c                                      |   44 +-
 mm/nommu.c                                       |   11 +-
 mm/page-writeback.c                              |    2 +-
 mm/page_alloc.c                                  |   14 +-
 mm/percpu.c                                      |    2 +-
 mm/process_vm_access.c                           |   14 +-
 mm/rmap.c                                        |   38 +-
 mm/shmem.c                                       |   19 +-
 mm/slab.c                                        |  104 +-
 mm/slab.h                                        |    5 +-
 mm/slab_common.c                                 |    9 +-
 mm/slob.c                                        |  200 +-
 mm/slub.c                                        |   98 +-
 mm/sparse-vmemmap.c                              |    4 +-
 mm/sparse.c                                      |    2 +-
 mm/swap.c                                        |    3 +
 mm/swapfile.c                                    |   12 +-
 mm/util.c                                        |    6 +
 mm/vmalloc.c                                     |   82 +-
 mm/vmstat.c                                      |   12 +-
 net/8021q/vlan.c                                 |    5 +-
 net/9p/trans_fd.c                                |    2 +-
 net/atm/atm_misc.c                               |    8 +-
 net/atm/lec.h                                    |    2 +-
 net/atm/proc.c                                   |    6 +-
 net/atm/resources.c                              |    4 +-
 net/batman-adv/bat_iv_ogm.c                      |    8 +-
 net/batman-adv/hard-interface.c                  |    4 +-
 net/batman-adv/soft-interface.c                  |    4 +-
 net/batman-adv/types.h                           |    6 +-
 net/batman-adv/unicast.c                         |    2 +-
 net/bluetooth/hci_sock.c                         |    2 +-
 net/bluetooth/l2cap_core.c                       |    6 +-
 net/bluetooth/l2cap_sock.c                       |   12 +-
 net/bluetooth/rfcomm/sock.c                      |    4 +-
 net/bluetooth/rfcomm/tty.c                       |   10 +-
 net/bridge/netfilter/ebtables.c                  |    6 +-
 net/caif/cfctrl.c                                |   11 +-
 net/can/af_can.c                                 |    2 +-
 net/can/gw.c                                     |    6 +-
 net/compat.c                                     |   34 +-
 net/core/datagram.c                              |    2 +-
 net/core/dev.c                                   |   16 +-
 net/core/flow.c                                  |    8 +-
 net/core/iovec.c                                 |    4 +-
 net/core/rtnetlink.c                             |    2 +-
 net/core/scm.c                                   |    8 +-
 net/core/sock.c                                  |   24 +-
 net/decnet/sysctl_net_decnet.c                   |    4 +-
 net/ipv4/ah4.c                                   |    2 +-
 net/ipv4/esp4.c                                  |    2 +-
 net/ipv4/fib_frontend.c                          |    6 +-
 net/ipv4/fib_semantics.c                         |    2 +-
 net/ipv4/inetpeer.c                              |    4 +-
 net/ipv4/ip_fragment.c                           |    2 +-
 net/ipv4/ip_sockglue.c                           |    2 +-
 net/ipv4/ipcomp.c                                |    2 +-
 net/ipv4/ipconfig.c                              |    6 +-
 net/ipv4/netfilter/arp_tables.c                  |   12 +-
 net/ipv4/netfilter/ip_tables.c                   |   12 +-
 net/ipv4/ping.c                                  |    2 +-
 net/ipv4/raw.c                                   |   14 +-
 net/ipv4/route.c                                 |    2 +-
 net/ipv4/tcp_input.c                             |    2 +-
 net/ipv4/tcp_probe.c                             |    2 +-
 net/ipv4/udp.c                                   |   10 +-
 net/ipv6/addrconf.c                              |    2 +-
 net/ipv6/ip6_gre.c                               |    2 +-
 net/ipv6/ipv6_sockglue.c                         |    2 +-
 net/ipv6/netfilter/ip6_tables.c                  |   12 +-
 net/ipv6/raw.c                                   |   19 +-
 net/ipv6/udp.c                                   |    8 +-
 net/irda/ircomm/ircomm_tty.c                     |   18 +-
 net/iucv/af_iucv.c                               |    4 +-
 net/iucv/iucv.c                                  |    2 +-
 net/key/af_key.c                                 |    4 +-
 net/mac80211/cfg.c                               |    4 +-
 net/mac80211/ieee80211_i.h                       |    3 +-
 net/mac80211/iface.c                             |   14 +-
 net/mac80211/main.c                              |    2 +-
 net/mac80211/pm.c                                |    6 +-
 net/mac80211/rate.c                              |    2 +-
 net/mac80211/rc80211_pid_debugfs.c               |    2 +-
 net/mac80211/util.c                              |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                  |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                   |   10 +-
 net/netfilter/ipvs/ip_vs_sync.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                  |    4 +-
 net/netfilter/nfnetlink_log.c                    |    4 +-
 net/netfilter/xt_statistic.c                     |    8 +-
 net/netlink/af_netlink.c                         |    4 +-
 net/packet/af_packet.c                           |   12 +-
 net/phonet/pep.c                                 |    6 +-
 net/phonet/socket.c                              |    2 +-
 net/rds/cong.c                                   |    6 +-
 net/rds/ib.h                                     |    2 +-
 net/rds/ib_cm.c                                  |    2 +-
 net/rds/ib_recv.c                                |    4 +-
 net/rds/iw.h                                     |    2 +-
 net/rds/iw_cm.c                                  |    2 +-
 net/rds/iw_recv.c                                |    4 +-
 net/rds/tcp.c                                    |    2 +-
 net/rds/tcp_send.c                               |    2 +-
 net/rxrpc/af_rxrpc.c                             |    2 +-
 net/rxrpc/ar-ack.c                               |   14 +-
 net/rxrpc/ar-call.c                              |    2 +-
 net/rxrpc/ar-connection.c                        |    2 +-
 net/rxrpc/ar-connevent.c                         |    2 +-
 net/rxrpc/ar-input.c                             |    4 +-
 net/rxrpc/ar-internal.h                          |    8 +-
 net/rxrpc/ar-local.c                             |    2 +-
 net/rxrpc/ar-output.c                            |    4 +-
 net/rxrpc/ar-peer.c                              |    2 +-
 net/rxrpc/ar-proc.c                              |    4 +-
 net/rxrpc/ar-transport.c                         |    2 +-
 net/rxrpc/rxkad.c                                |    4 +-
 net/sctp/ipv6.c                                  |    2 +-
 net/sctp/protocol.c                              |    8 +-
 net/sctp/socket.c                                |    2 +
 net/socket.c                                     |   34 +-
 net/sunrpc/sched.c                               |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                   |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c          |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c            |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c         |   10 +-
 net/tipc/link.c                                  |    6 +-
 net/tipc/msg.c                                   |    2 +-
 net/tipc/subscr.c                                |    2 +-
 net/wireless/wext-core.c                         |   19 +-
 net/xfrm/xfrm_policy.c                           |   16 +-
 net/xfrm/xfrm_state.c                            |    4 +-
 scripts/Makefile.build                           |    2 +-
 scripts/Makefile.clean                           |    3 +-
 scripts/Makefile.host                            |   28 +-
 scripts/basic/fixdep.c                           |   12 +-
 scripts/gcc-plugin.sh                            |   17 +
 scripts/link-vmlinux.sh                          |    2 +-
 scripts/mod/file2alias.c                         |   14 +-
 scripts/mod/modpost.c                            |   25 +-
 scripts/mod/modpost.h                            |    6 +-
 scripts/mod/sumversion.c                         |    2 +-
 scripts/pnmtologo.c                              |    6 +-
 security/Kconfig                                 |  654 ++++-
 security/integrity/ima/ima.h                     |    4 +-
 security/integrity/ima/ima_api.c                 |    2 +-
 security/integrity/ima/ima_fs.c                  |    4 +-
 security/integrity/ima/ima_queue.c               |    2 +-
 security/keys/compat.c                           |    2 +-
 security/keys/keyctl.c                           |    8 +-
 security/keys/keyring.c                          |    6 +-
 security/security.c                              |    9 +-
 security/selinux/hooks.c                         |    2 +-
 security/selinux/include/xfrm.h                  |    2 +-
 security/smack/smack_lsm.c                       |    2 +-
 security/tomoyo/tomoyo.c                         |    2 +-
 sound/aoa/codecs/onyx.c                          |    7 +-
 sound/aoa/codecs/onyx.h                          |    1 +
 sound/core/oss/pcm_oss.c                         |   18 +-
 sound/core/pcm_compat.c                          |    2 +-
 sound/core/pcm_native.c                          |    4 +-
 sound/core/seq/seq_device.c                      |    8 +-
 sound/drivers/mts64.c                            |   14 +-
 sound/drivers/opl4/opl4_lib.c                    |    2 +-
 sound/drivers/portman2x4.c                       |    3 +-
 sound/firewire/amdtp.c                           |    4 +-
 sound/firewire/amdtp.h                           |    2 +-
 sound/firewire/isight.c                          |   10 +-
 sound/firewire/scs1x.c                           |    8 +-
 sound/oss/sb_audio.c                             |    2 +-
 sound/oss/swarm_cs4297a.c                        |    6 +-
 sound/pci/ymfpci/ymfpci.h                        |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                   |   12 +-
 tools/gcc/.gitignore                             |    1 +
 tools/gcc/Makefile                               |   43 +
 tools/gcc/checker_plugin.c                       |  171 +
 tools/gcc/colorize_plugin.c                      |  151 +
 tools/gcc/constify_plugin.c                      |  359 +++
 tools/gcc/generate_size_overflow_hash.sh         |   94 +
 tools/gcc/kallocstat_plugin.c                    |  170 +
 tools/gcc/kernexec_plugin.c                      |  465 +++
 tools/gcc/latent_entropy_plugin.c                |  321 ++
 tools/gcc/size_overflow_hash.data                | 3713 ++++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                 | 1941 +++++++++++
 tools/gcc/stackleak_plugin.c                     |  327 ++
 tools/perf/util/include/asm/alternative-asm.h    |    3 +
 virt/kvm/kvm_main.c                              |   32 +-
 1311 files changed, 26668 insertions(+), 6394 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 17:50:21 2013 -0500

    remove unnecessary code/comments after new reload method

 grsecurity/gracl.c        |    4 ----
 grsecurity/gracl_policy.c |   13 -------------
 2 files changed, 0 insertions(+), 17 deletions(-)

commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 16:05:01 2013 -0500

    Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous
    features have been added since then)
    
    Introduce new atomic RBAC reload method, developed as part of sponsorship
    by EIG
    
    This is accompanied by an updated 3.0 gradm which will use the new reload
    method when -R is passed to gradm.  The old method will still be available
    via gradm -r (which is what a 2.9.1 gradm will continue to use).
    
    The new RBAC reload method is atomic in the sense that at no point in the
    reload process will the system not be covered by a coherent full policy.
    In contrast to previous reload behavior, it also preserves inherited subjects
    and special roles.
    
    The old RBAC reload method has also been made atomic.  Both methods have
    been updated to perform role_allowed_ip checks only against the IP tagged
    to the task at the time its role was first applied or changed.  This resolves
    long-standing usability problems with the use of role_allowed_ip and matches
    the policies created by learning.

 grsecurity/Makefile         |    2 +-
 grsecurity/gracl.c          | 3903 +++++++++++++------------------------------
 grsecurity/gracl_alloc.c    |   42 +-
 grsecurity/gracl_compat.c   |    3 +-
 grsecurity/gracl_policy.c   | 1838 ++++++++++++++++++++
 grsecurity/gracl_segv.c     |   12 +-
 grsecurity/grsec_disabled.c |    7 -
 grsecurity/grsec_init.c     |   15 -
 include/linux/gracl.h       |   43 +-
 include/linux/grinternal.h  |    1 -
 include/linux/grsecurity.h  |    1 -
 include/linux/sched.h       |    2 +
 12 files changed, 3082 insertions(+), 2787 deletions(-)

commit d8981a4fd03025434a466fd87a0eaea93755bc70
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 15:08:28 2013 -0500

    compile fix for recent GRKERNSEC_CHROOT_INITRD change

 init/main.c |   12 +++---------
 1 files changed, 3 insertions(+), 9 deletions(-)

commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 18:27:37 2013 -0500

    Make the recent usermode_helper protection race-free as far as userland
    is concerned by creating a copy of the path to be executed, then check against
    that copied path instead of the still-mutable original path

 include/linux/kmod.h |    3 +++
 kernel/kmod.c        |   13 +++++++++++++
 2 files changed, 16 insertions(+), 0 deletions(-)

commit ecdd0610bef058fd33fee50b489d949c1a0db07a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 17:20:15 2013 -0500

    Produce a UDEREF message when faulting on kernel access to a non-present
    page in the userland range.  This is purely for consistency of logs,
    due to there being no domain present to fault based on.  An
    "Unable to handle kernel fault.." oops would already (and still is)
    generated for these cases, triggering grsec's bruteforce prevention.
    
    Reported by acez on IRC

 arch/arm/mm/fault.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit 3f4adfade80bba0d865b5c603bd58da555ca4553
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:56:46 2013 -0500

    Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option,
    Also make sure we mark init as run if no initrd was used. Though this
    should already be enforced in grsec_chroot.c, this should future-proof
    the feature a bit in case userland somehow changes drastically.
    
    Conflicts:
    
        init/main.c

 grsecurity/Kconfig        |    2 +-
 grsecurity/grsec_chroot.c |    2 +-
 init/main.c               |   15 +++++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

commit d4a9bb63091852b5b49ebd216796b374e5c0dc71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:33:20 2013 -0500

    limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected

 kernel/kmod.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit e727db195f8bed17c65d050e1772643d730fe565
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:02:01 2013 -0500

    perform USERCOPY kernel text checks against the linear mapping on amd64 as well

 fs/exec.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb
Merge: 2fcc3a5 2d1263b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 22 21:11:44 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1
Merge: d52f291 e0cd057
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 22 21:11:33 2013 -0500

    Merge branch 'linux-3.11.y' into pax-test
    
    Conflicts:
        drivers/net/ethernet/chelsio/cxgb3/sge.c

commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 22 20:31:37 2013 -0500

    Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
    
    This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
    
    It caused errors with traceroute, reported to upstream and fixed with
    http://patchwork.ozlabs.org/patch/293614/
    But there's no reason for us to maintain this backport as we're
    already impervious to recvmsg/msg_name infoleaks
    
    Conflicts:
    
        net/ipv4/ping.c

 net/ieee802154/dgram.c |    3 ++-
 net/ipv4/ping.c        |   11 +++++++++--
 net/ipv4/raw.c         |    4 +++-
 net/ipv4/udp.c         |    7 ++++++-
 net/ipv6/raw.c         |    4 +++-
 net/ipv6/udp.c         |    5 ++++-
 net/l2tp/l2tp_ip.c     |    4 +++-
 net/phonet/datagram.c  |    9 +++++----
 8 files changed, 35 insertions(+), 12 deletions(-)

commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Nov 18 07:07:45 2013 +0100

    Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0
    
    ping: prevent NULL pointer dereference on write to msg_name
    
    A plain read() on a socket does set msg->msg_name to NULL. So check for
    NULL pointer first.
    
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c |   34 +++++++++++++++++++---------------
 1 files changed, 19 insertions(+), 15 deletions(-)

commit 8bb32f2682953e1b748a59c4a4363b237c3510df
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Nov 18 04:20:45 2013 +0100

    Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69
    
    inet: prevent leakage of uninitialized memory to user in recv syscalls
    
    Only update *addr_len when we actually fill in sockaddr, otherwise we
    can return uninitialized memory from the stack to the caller in the
    recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
    checks because we only get called with a valid addr_len pointer either
    from sock_common_recvmsg or inet_recvmsg.
    
    If a blocking read waits on a socket which is concurrently shut down we
    now return zero and set msg_msgnamelen to 0.
    
    Reported-by: mpb <mpb.mail@gmail.com>
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ieee802154/dgram.c |    3 +--
 net/ipv4/ping.c        |   19 +++++++------------
 net/ipv4/raw.c         |    4 +---
 net/ipv4/udp.c         |    7 +------
 net/ipv6/raw.c         |    4 +---
 net/ipv6/udp.c         |    5 +----
 net/l2tp/l2tp_ip.c     |    4 +---
 net/phonet/datagram.c  |    9 ++++-----
 8 files changed, 17 insertions(+), 38 deletions(-)

commit 642d754081c130a151e7df27e5c07edf2f368106
Author: Jeff Layton <jlayton@redhat.com>
Date:   Wed Nov 13 09:08:21 2013 -0500

    Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545
    
    nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once
    
    Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or
    NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again.
    There is no guarantee that doing so will work however, so we can end up
    retrying the call in an infinite loop.
    
    Worse yet, we create the new client using rpc_clone_client_set_auth,
    which creates the new client as a child of the old one. Thus, we can end
    up with a *very* long lineage of rpc_clnts. When we go to put all of the
    references to them, we can end up with a long call chain that can smash
    the stack as each rpc_free_client() call can recurse back into itself.
    
    This patch fixes this by simply ensuring that the SETCLIENTID call will
    only be retried in this situation if the last attempt did not use
    RPC_AUTH_UNIX.
    
    Note too that with this change, we don't need the (i > 2) check in the
    -EACCES case since we now have a more reliable test as to whether we
    should reattempt.
    
    Cc: stable@vger.kernel.org # v3.10+
    Cc: Chuck Lever <chuck.lever@oracle.com>
    Tested-by/Acked-by: Weston Andros Adamson <dros@netapp.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 fs/nfs/nfs4state.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Wed Jul 24 12:28:28 2013 -0400

    Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e
    
    NFS: Use root's credential for lease management when keytab is missing
    
    Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting"
    Fri Sep 14 17:24:32 2012 introduced Uniform Client String support,
    which forces our NFS client to establish a client ID immediately
    during a mount operation rather than waiting until a user wants to
    open a file.
    
    Normally machine credentials (eg. from a keytab) are used to perform
    a mount operation that is protected by Kerberos.  Before 05fc350,
    SETCLIENTID used a machine credential, or fell back to a regular
    user's credential if no keytab is available.
    
    On clients that don't have a keytab, performing SETCLIENTID early
    means there's no user credential to fall back on, since no regular
    user has kinit'd yet.  05f4c350 seems to have broken the ability
    to mount with sec=krb5 on clients that don't have a keytab in
    kernels 3.7 - 3.10.
    
    To address this regression, commit 4edaa308 (NFS: Use "krb5i" to
    establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013,
    was merged in 3.10.  This commit forces the NFS client to fall back
    to AUTH_SYS for lease management operations if no keytab is
    available.
    
    Neil Brown noticed that, since root is required to kinit to do a
    sec=krb5 mount when a client doesn't have a keytab, we can try to
    use root's Kerberos credential before AUTH_SYS.
    
    Now, when determining a principal and flavor to use for lease
    management, the NFS client tries in this order:
    
      1.  Flavor: AUTH_GSS, krb5i
          Principal: service principal (via keytab)
    
      2.  Flavor: AUTH_GSS, krb5i
          Principal: user principal established for UID 0 (via kinit)
    
      3.  Flavor: AUTH_SYS
          Principal: UID 0 / GID 0
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 fs/nfs/nfs4state.c |   19 ++++++++++++++++++-
 1 files changed, 18 insertions(+), 1 deletions(-)

commit 6ebab64904f37af82e950b0c6d321437e810b248
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Tue Nov 12 17:24:36 2013 -0500

    Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b
    
    SUNRPC: Avoid deep recursion in rpc_release_client
    
    In cases where an rpc client has a parent hierarchy, then
    rpc_free_client may end up calling rpc_release_client() on the
    parent, thus recursing back into rpc_free_client. If the hierarchy
    is deep enough, then we can get into situations where the stack
    simply overflows.
    
    The fix is to have rpc_release_client() loop so that it can take
    care of the parent rpc client hierarchy without needing to
    recurse.
    
    Reported-by: Jeff Layton <jlayton@redhat.com>
    Reported-by: Weston Andros Adamson <dros@netapp.com>
    Reported-by: Bruce Fields <bfields@fieldses.org>
    Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |   29 +++++++++++++++++------------
 1 files changed, 17 insertions(+), 12 deletions(-)

commit fcb4306973aed105cc6d042077bf31e21b812008
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Nov 8 16:03:50 2013 -0500

    Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73
    
    SUNRPC: Fix a data corruption issue when retransmitting RPC calls
    
    The following scenario can cause silent data corruption when doing
    NFS writes. It has mainly been observed when doing database writes
    using O_DIRECT.
    
    1) The RPC client uses sendpage() to do zero-copy of the page data.
    2) Due to networking issues, the reply from the server is delayed,
       and so the RPC client times out.
    
    3) The client issues a second sendpage of the page data as part of
       an RPC call retransmission.
    
    4) The reply to the first transmission arrives from the server
       _before_ the client hardware has emptied the TCP socket send
       buffer.
    5) After processing the reply, the RPC state machine rules that
       the call to be done, and triggers the completion callbacks.
    6) The application notices the RPC call is done, and reuses the
       pages to store something else (e.g. a new write).
    
    7) The client NIC drains the TCP socket send buffer. Since the
       page data has now changed, it reads a corrupted version of the
       initial RPC call, and puts it on the wire.
    
    This patch fixes the problem in the following manner:
    
    The ordering guarantees of TCP ensure that when the server sends a
    reply, then we know that the _first_ transmission has completed. Using
    zero-copy in that situation is therefore safe.
    If a time out occurs, we then send the retransmission using sendmsg()
    (i.e. no zero-copy), We then know that the socket contains a full copy of
    the data, and so it will retransmit a faithful reproduction even if the
    RPC call completes, and the application reuses the O_DIRECT buffer in
    the meantime.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: stable@vger.kernel.org

 net/sunrpc/xprtsock.c |   28 +++++++++++++++++++++-------
 1 files changed, 21 insertions(+), 7 deletions(-)

commit 2c59d4080ae744532dbe595f6923dcba72279977
Merge: b2b99c6 d52f291
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 19:07:55 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit d52f291621da9227cda5fd647e82dfe9bfc11265
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 19:07:14 2013 -0500

    Update to pax-linux-3.11.8-test14.patch:
    - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878)

 mm/page_alloc.c                   |    2 +-
 tools/gcc/latent_entropy_plugin.c |   34 ++++++++++++++++++++++++----------
 2 files changed, 25 insertions(+), 11 deletions(-)

commit b2b99c6972e345565d561b722de210f071e5e259
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:47:37 2013 -0500

    Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e
    
    ipv6: fix headroom calculation in udp6_ufo_fragment
    Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
    fragmentation for tunnel traffic.") changed the calculation if
    there is enough space to include a fragment header in the skb from a
    skb->mac_header dervived one to skb_headroom. Because we already peeled
    off the skb to transport_header this is wrong. Change this back to check
    if we have enough room before the mac_header.
    
    This fixes a panic Saran Neti reported. He used the tbf scheduler which
    skb_gso_segments the skb. The offsets get negative and we panic in memcpy
    because the skb was erroneously not expanded at the head.
    
    Reported-by: Saran Neti <Saran.Neti@telus.com>
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/udp_offload.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 012ee7647e16f464f8d1ad004e28eac2ba778158
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Nov 14 11:21:10 2013 +0300

    Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796
    
    isdnloop: use strlcpy() instead of strcpy()
    
    These strings come from a copy_from_user() and there is no way to be
    sure they are NUL terminated.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/isdnloop/isdnloop.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Nov 14 13:37:54 2013 -0800

    Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf
    
    ipv4: fix possible seqlock deadlock
    
    ip4_datagram_connect() being called from process context,
    it should use IP_INC_STATS() instead of IP_INC_STATS_BH()
    otherwise we can deadlock on 32bit arches, or get corruptions of
    SNMP counters.
    
    Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/datagram.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1a642170613ae336331f2df38aa8f2c1227d3c96
Merge: 60c6423 84d78c7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:28:51 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:28:07 2013 -0500

    Update to pax-linux-3.11.8-test13.patch:
    - forward port to 3.11.8
    - removed some no longer used code from bpf jit
    - fixed some atomic_unchecked_t usage in oprofile and uio
    - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy

 arch/x86/include/asm/mmu_context.h                 |    8 ++++++++
 arch/x86/kernel/setup.c                            |    2 +-
 drivers/bluetooth/btwilink.c                       |    2 +-
 drivers/md/dm-table.c                              |    2 +-
 drivers/message/i2o/i2o_proc.c                     |   16 ++++++++--------
 drivers/mfd/max8925-i2c.c                          |    2 +-
 drivers/mfd/tps65910.c                             |    2 +-
 drivers/mtd/chips/cfi_cmdset_0020.c                |    2 +-
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c    |    2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c   |    2 +-
 drivers/net/wireless/airo.c                        |    2 +-
 drivers/net/wireless/b43/phy_lp.c                  |    2 +-
 drivers/nfc/nfcwilink.c                            |    2 +-
 drivers/oprofile/oprofilefs.c                      |    4 ++--
 drivers/platform/x86/msi-wmi.c                     |    2 +-
 drivers/scsi/aic7xxx/aic79xx_pci.c                 |   18 +++++-------------
 drivers/scsi/mpt2sas/mpt2sas_scsih.c               |    8 ++++----
 drivers/usb/serial/console.c                       |    2 +-
 include/linux/filter.h                             |    4 ----
 kernel/audit.c                                     |    2 +-
 20 files changed, 41 insertions(+), 45 deletions(-)

commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:15:51 2013 -0500

    GRKERNSEC_HARDEN_IPC should depend on SYSVIPC

 grsecurity/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 19:07:11 2013 -0500

    Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS
    and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps
    make it more obvious that while we make use of domains, CPU_USE_DOMAINS is
    disabled as far as the kernel knows

 arch/arm/mm/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 19:01:59 2013 -0500

    Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research
    on overly-permissive shared memory found in hundreds of areas in Linux
    distros:
    http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
    
    Will let this sit in -test for a while to weed out any app incompatibilities

 grsecurity/Kconfig         |   17 +++++++++++++++++
 grsecurity/Makefile        |    2 +-
 grsecurity/grsec_init.c    |    4 ++++
 grsecurity/grsec_ipc.c     |   22 ++++++++++++++++++++++
 grsecurity/grsec_sysctl.c  |    9 +++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grmsg.h      |    1 +
 ipc/util.c                 |    5 +++++
 8 files changed, 60 insertions(+), 1 deletions(-)

commit 27c3b43bd5ad9c9b877016f26192dbc30da54018
Merge: 08e883f d0a09ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 13 22:27:13 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit d0a09ad6430008135b98da6e1941e98a6110b59e
Merge: 4e826ac 02709ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 13 22:27:03 2013 -0500

    Merge branch 'linux-3.11.y' into pax-test

commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 11 10:48:10 2013 -0500

    Fix the overflowable range check just to be correct.
    Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt
    but I believe this to be unexploitable due to bounds checks on 'count'
    from rw_verify_area() in fs/read_write.c

 drivers/video/arcfb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 094c08532f9877a287ffac7a87b05841a56b4e5d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 22:01:33 2013 -0500

    Add missing include

 fs/proc/proc_sysctl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e383790f8252620f52895e202cc057c4318da3f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 17:50:12 2013 -0500

    add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS
    option: GRKERNSEC_OLD_ARM_USERLAND

 arch/arm/mm/Kconfig |    2 +-
 grsecurity/Kconfig  |   14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletions(-)

commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 15:19:27 2013 -0500

    On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr
    was disabled in config.  This caused non-root execs to fail in some cases (via SIGKILL during ELF
    loading).  Fix this by setting a proper default on these architectures like set on the LSM-based
    mmap_min_addr.
    
    Thanks to acez from IRC for debugging.

 mm/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 17f832897194f46c4759aa02e048ad5623a04eed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 13:54:25 2013 -0500

    Compatibility fix for LXC:
    Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values,
    use a CAP_NET_ADMIN check within the user namespace of the process performing the modification
    CAP_SYS_ADMIN is still required for any other sysctl modification, including modification
    of sysctls of a net namespace other than our own
    
    This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
    networking
    
    Thanks to ncopa from IRC for testing

 fs/proc/proc_sysctl.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20
Merge: fb281bd 4e826ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 17:27:16 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        net/l2tp/l2tp_core.c

commit 4e826ac763867707352d93b7d23ed86e4c6829cf
Merge: e309bfb 39773be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 17:26:23 2013 -0500

    Merge branch 'linux-3.11.y' into pax-test
    
    Conflicts:
        net/compat.c

commit fb281bdee5ccb76facfe1172318a867b624011f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:23:36 2013 -0500

    Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
    
    Conflicts:
    
        security/Kconfig

 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:19:21 2013 -0500

    change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel
    bruteforce deterrence
    
    Conflicts:
    
        lib/list_debug.c

 lib/list_debug.c |   65 ++++++++++++++++++++++++++++++++++-------------------
 1 files changed, 42 insertions(+), 23 deletions(-)

commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 23:01:43 2013 +0300

    Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427
    
    Staging: sb105x: info leak in mp_get_count()
    
    The icount.reserved[] array isn't initialized so it leaks stack
    information to userspace.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/staging/sb105x/sb_pci_mp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 22:06:04 2013 +0300

    Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b
    
    uml: check length in exitcode_proc_write()
    
    We don't cap the size of buffer from the user so we could write past the
    end of the array here.  Only root can write to this file.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/um/kernel/exitcode.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 1285d10ec38f216f3c5de7ce085ce43447c78916
Author: Jason Wang <jasowang@redhat.com>
Date:   Fri Nov 1 15:01:10 2013 +0800

    Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd
    
    net: flow_dissector: fail on evil iph->ihl
    
    We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
    skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
    is evil (less than 5).
    
    This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
    (rps: support IPIP encapsulation).
    
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: Petr Matousek <pmatouse@redhat.com>
    Cc: Michael S. Tsirkin <mst@redhat.com>
    Cc: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/flow_dissector.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc
Author: Ming Lei <ming.lei@canonical.com>
Date:   Thu Oct 31 16:34:17 2013 -0700

    Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75
    
    lib/scatterlist.c: don't flush_kernel_dcache_page on slab page
    
    Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper
    functions") introduces two sg buffer copy helpers, and calls
    flush_kernel_dcache_page() on pages in SG list after these pages are
    written to.
    
    Unfortunately, the commit may introduce a potential bug:
    
     - Before sending some SCSI commands, kmalloc() buffer may be passed to
       block layper, so flush_kernel_dcache_page() can see a slab page
       finally
    
     - According to cachetlb.txt, flush_kernel_dcache_page() is only called
       on "a user page", which surely can't be a slab page.
    
     - ARCH's implementation of flush_kernel_dcache_page() may use page
       mapping information to do optimization so page_mapping() will see the
       slab page, then VM_BUG_ON() is triggered.
    
    Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled,
    and this patch fixes the bug by adding test of '!PageSlab(miter->page)'
    before calling flush_kernel_dcache_page().
    
    Signed-off-by: Ming Lei <ming.lei@canonical.com>
    Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
    Tested-by: Simon Baatz <gmbnomis@gmail.com>
    Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: <stable@vger.kernel.org>        [3.2+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/scatterlist.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 23:01:11 2013 +0300

    Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba
    
    Staging: bcm: info leak in ioctl
    
    The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel
    information to user space.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/staging/bcm/Bcmchar.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a2ab9d69265a08280241a2f2152e535316d02f53
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 22:11:06 2013 +0300

    Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5
    
    aacraid: missing capable() check in compat ioctl
    
    In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we
    added a check on CAP_SYS_RAWIO to the ioctl.  The compat ioctls need the
    check as well.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/scsi/aacraid/linit.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 23:00:15 2013 +0300

    Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054
    
    staging: wlags49_h2: buffer overflow setting station name
    
    We need to check the length parameter before doing the memcpy().  I've
    actually changed it to strlcpy() as well so that it's NUL terminated.
    
    You need CAP_NET_ADMIN to trigger these so it's not the end of the
    world.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/staging/wlags49_h2/wl_priv.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

commit afd645c1684265260b64ec8189cbc2703b91f6ab
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 22:07:47 2013 +0300

    Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15
    
    staging: ozwpan: prevent overflow in oz_cdev_write()
    
    We need to check "count" so we don't overflow the ei->data buffer.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/staging/ozwpan/ozcdev.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 4a907baeb462b7e0f50923be5a9d842aec93c97a
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue Oct 29 10:21:34 2013 -0700

    Fixed a little differently than Linus...
    
    Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
    
    Fix a few incorrectly checked [io_]remap_pfn_range() calls
    
    Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
    really should use the vm_iomap_memory() helper.  This trivially converts
    two of them to the helper, and comments about why the third one really
    needs to continue to use remap_pfn_range(), and adds the missing size
    check.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
    
    Conflicts:
    
        drivers/uio/uio.c

 drivers/uio/uio.c        |   19 +++++++++++++++++--
 drivers/video/au1100fb.c |   26 +-------------------------
 drivers/video/au1200fb.c |   23 +----------------------
 3 files changed, 19 insertions(+), 49 deletions(-)

commit e68e94ddd03cf81d875b30a5e7b0e1bb4682e61f
Merge: 0970b16 e309bfb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 15:17:05 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e309bfbf7b506b2294b30233f7a3299173a75cf7
Author: Hugh Dickins <hughd@google.com>
Date:   Wed Oct 16 13:47:09 2013 -0700

    Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779
    
    mm: revert mremap pud_free anti-fix
    
    Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail
    calling pmd_alloc()").
    
    The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map()
    ensure that the pud, pmd, pt is already allocated, and seldom do they
    need to allocate; on failure, upper levels are freed if appropriate by
    the subsequent do_munmap().  Whereas commit 1ecfd533f4c5 did an
    unconditional pud_free() of a most-likely still-in-use pud: saved only
    by the near-impossiblity of pmd_alloc() failing.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mremap.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 0970b16a9df08b8cca6929b6443f67df432ac3e5
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Oct 1 21:04:11 2013 -0700

    Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693
    
    net: do not call sock_put() on TIMEWAIT sockets
    
    commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
    hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
    
    We should instead use inet_twsk_put()
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/inet_hashtables.c  |    2 +-
 net/ipv6/inet6_hashtables.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28
Author: Andi Kleen <ak@linux.intel.com>
Date:   Mon Sep 30 13:29:08 2013 -0700

    Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645
    
    igb: Avoid uninitialized advertised variable in eee_set_cur
    
    eee_get_cur assumes that the output data is already zeroed. It can
    read-modify-write the advertised field:
    
                  if (ipcnfg & E1000_IPCNFG_EEE_100M_AN)
    2594                        edata->advertised |= ADVERTISED_100baseT_Full;
    
    This is ok for the normal ethtool eee_get call, which always
    zeroes the input data before.
    
    But eee_set_cur also calls eee_get_cur and it did not zero the input
    field. Later on it then compares agsinst the field, which can contain partial
    stack garbage.
    
    Zero the input field in eee_set_cur() too.
    
    Cc: jeffrey.t.kirsher@intel.com
    Cc: netdev@vger.kernel.org
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/intel/igb/igb_ethtool.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 651730a8caabce37f78d8e6c84283b96e434d19f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Oct 3 00:27:20 2013 +0300

    Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8
    
    net: heap overflow in __audit_sockaddr()
    
    We need to cap ->msg_namelen or it leads to a buffer overflow when we
    to the memcpy() in __audit_sockaddr().  It requires CAP_AUDIT_CONTROL to
    exploit this bug.
    
    The call tree is:
    ___sys_recvmsg()
      move_addr_to_user()
        audit_sockaddr()
          __audit_sockaddr()
    
    Reported-by: Jüri Aedla <juri.aedla@gmail.com>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/compat.c

 net/compat.c |    2 ++
 net/socket.c |   24 ++++++++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc
Author: Salva Peiró <speiro@ai2.upv.es>
Date:   Wed Oct 16 12:46:50 2013 +0200

    Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1
    
    wanxl: fix info leak in ioctl
    
    The wanxl_ioctl() code fails to initialize the two padding bytes of
    struct sync_serial_settings after the ->loopback member. Add an explicit
    memset(0) before filling the structure to avoid the info leak.
    
    Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/wanxl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f
Author: Geyslan G. Bem <geyslan@gmail.com>
Date:   Fri Oct 11 16:49:16 2013 -0300

    Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4
    
    ecryptfs: Fix memory leakage in keystore.c
    
    In 'decrypt_pki_encrypted_session_key' function:
    
    Initializes 'payload' pointer and releases it on exit.
    
    Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: stable@vger.kernel.org # v2.6.28+

 fs/ecryptfs/keystore.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 0ccb7b191245318a36bbd1f59a1846dda72cb738
Author: Colin Ian King <colin.king@canonical.com>
Date:   Thu Oct 24 14:08:07 2013 +0000

    Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e
    
    eCryptfs: fix 32 bit corruption issue
    
    Shifting page->index on 32 bit systems was overflowing, causing
    data corruption of > 4GB files. Fix this by casting it first.
    
    https://launchpad.net/bugs/1243636
    
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Reported-by: Lars Duesing <lars.duesing@camelotsweb.de>
    Cc: stable@vger.kernel.org # v3.11+
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

 fs/ecryptfs/crypto.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 13:29:49 2013 -0400

    This is a replacement patch only for stable which does fix the problems
    handled by the following two commits in -net:
    
    "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
    "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
    
    Three frames are written on a corked udp socket for which the output
    netdevice has UFO enabled.  If the first and third frame are smaller than
    the mtu and the second one is bigger, we enqueue the second frame with
    skb_append_datato_frags without initializing the gso fields. This leads
    to the third frame appended regulary and thus constructing an invalid skb.
    
    This fixes the problem by always using skb_append_datato_frags as soon
    as the first frag got enqueued to the skb without marking the packet
    as SKB_GSO_UDP.
    
    The problem with only two frames for ipv6 was fixed by "ipv6: udp
    packets following an UFO enqueued packet need also be handled by UFO"
    (2811ebac2521ceac84f2bdae402455baa6a7fb47).
    
    Cc: Jiri Pirko <jiri@resnulli.us>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: David Miller <davem@davemloft.net>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>

 include/linux/skbuff.h |    5 +++++
 net/ipv4/ip_output.c   |    2 +-
 net/ipv6/ip6_output.c  |    2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

commit aead8ff29424c6a5d25eb4614be91a01f9f6af00
Merge: 5cf8361 ddadc82
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Oct 26 08:42:26 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Oct 26 08:41:24 2013 -0400

    - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs <timo.teras@iki.f> and Natanael Copa <ncopa@alpinelinux.org> (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e)
    - updated config help for latent entropy to reflect recent changes

 arch/x86/include/asm/uaccess_64.h |    4 ++--
 security/Kconfig                  |    6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad
Author: Johannes Weiner <hannes@cmpxchg.org>
Date:   Wed Oct 16 13:47:00 2013 -0700

    Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc
    
    fs: buffer: move allocation failure loop into the allocator
    
    Buffer allocation has a very crude indefinite loop around waking the
    flusher threads and performing global NOFS direct reclaim because it can
    not handle allocation failures.
    
    The most immediate problem with this is that the allocation may fail due
    to a memory cgroup limit, where flushers + direct reclaim might not make
    any progress towards resolving the situation at all.  Because unlike the
    global case, a memory cgroup may not have any cache at all, only
    anonymous pages but no swap.  This situation will lead to a reclaim
    livelock with insane IO from waking the flushers and thrashing unrelated
    filesystem cache in a tight loop.
    
    Use __GFP_NOFAIL allocations for buffers for now.  This makes sure that
    any looping happens in the page allocator, which knows how to
    orchestrate kswapd, direct reclaim, and the flushers sensibly.  It also
    allows memory cgroups to detect allocations that can't handle failure
    and will allow them to ultimately bypass the limit if reclaim can not
    make progress.
    
    Reported-by: azurIt <azurit@pobox.sk>
    Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Michal Hocko <mhocko@suse.cz>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/buffer.c     |   14 ++++++++++++--
 mm/memcontrol.c |    2 ++
 2 files changed, 14 insertions(+), 2 deletions(-)

commit 799326c8683d8d70b2035b1e5ab913c159112b6b
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Oct 10 16:48:19 2013 +0200

    Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06
    
    ext[34]: fix double put in tmpfile
    
    d_tmpfile() already swallowed the inode ref.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/ext3/namei.c |    5 ++---
 fs/ext4/namei.c |    5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3
Author: Jan Klos <honza.klos@gmail.com>
Date:   Sun Oct 6 21:08:20 2013 +0200

    Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20
    
    cifs: Fix inability to write files >2GB to SMB2/3 shares
    
    When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super().
    
    The patch fixes this by checking for the correct bit according to the protocol version.
    
    CC: Stable <stable@kernel.org>
    Signed-off-by: Jan Klos <honza.klos@gmail.com>
    Reviewed-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Steve French <smfrench@gmail.com>

 fs/cifs/cifsfs.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22
Author: Tim Gardner <tim.gardner@canonical.com>
Date:   Sun Oct 13 13:29:03 2013 -0600

    Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a
    
    cifs: ntstatus_to_dos_map[] is not terminated
    
    Functions that walk the ntstatus_to_dos_map[] array could
    run off the end. For example, ntstatus_to_dos() loops
    while ntstatus_to_dos_map[].ntstatus is not 0. Granted,
    this is mostly theoretical, but could be used as a DOS attack
    if the error code in the SMB header is bogus.
    
    [Might consider adding to stable, as this patch is low risk - Steve]
    
    Reviewed-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
    Signed-off-by: Steve French <smfrench@gmail.com>

 fs/cifs/netmisc.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit ed8c09a96fa260e1864c632e1dd91b1320876305
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Oct 15 11:54:30 2013 -0700

    Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9
    
    tcp: must unclone packets before mangling them
    
    TCP stack should make sure it owns skbs before mangling them.
    
    We had various crashes using bnx2x, and it turned out gso_size
    was cleared right before bnx2x driver was populating TC descriptor
    of the _previous_ packet send. TCP stack can sometime retransmit
    packets that are still in Qdisc.
    
    Of course we could make bnx2x driver more robust (using
    ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack.
    
    We have identified two points where skb_unclone() was needed.
    
    This patch adds a WARN_ON_ONCE() to warn us if we missed another
    fix of this kind.
    
    Kudos to Neal for finding the root cause of this bug. Its visible
    using small MSS.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Neal Cardwell <ncardwell@google.com>
    Cc: Yuchung Cheng <ycheng@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_output.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

commit e5dcf1772ca2a85952da10a21d0650507dc061d3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Oct 14 15:28:38 2013 +0300

    Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5
    
    yam: integer underflow in yam_ioctl()
    
    We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be
    negative.  I don't know the impact of using a negative bitrate but let's
    prevent it.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/yam.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1f5d72d633f317248bba25158c326a61394aebf2
Merge: 7ca4328 4df1b96
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 18 19:36:17 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        ipc/shm.c

commit 4df1b965687831808af2548487e0f35a2ccc5c29
Merge: e41125e 5070441
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 18 19:35:31 2013 -0400

    Merge branch 'linux-3.11.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/setup.c

commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:35:00 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: Evgeniy Polyakov <zbr@ioremap.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
    Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length
    
    The current code tests the length of the whole netlink message to be
    at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
    the length of the netlink message header. Use nlmsg_len() instead to
    fix this "off-by-NLMSG_HDRLEN" size check.
    
    Cc: stable@vger.kernel.org  # v2.6.14+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 drivers/connector/connector.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:36:25 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: linux-audit@redhat.com
    Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
    Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests
    
    We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
    we miss to initialize the mask member of status_set. Fix that.
    
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: stable@vger.kernel.org  # v2.6.6+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 kernel/audit.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9557a8727fd46e68f092dec0830a982e85b231f7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 19:02:32 2013 -0400

    add 2nd chunk of audit nlmsg_len() fix from minipli

 kernel/audit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:37:59 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: linux-audit@redhat.com
    Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
    Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length
    
    Using the nlmsg_len member of the netlink header to test if the message
    is valid is wrong as it includes the size of the netlink header itself.
    Thereby allowing to send short netlink messages that pass those checks.
    
    Use nlmsg_len() instead to test for the right message length. The result
    of nlmsg_len() is guaranteed to be non-negative as the netlink message
    already passed the checks of nlmsg_ok().
    
    Also switch to min_t() to please checkpatch.pl.
    
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: stable@vger.kernel.org  # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd

 kernel/audit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7547b29750381c776dfd47f4b1277a492d5b0f72
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:41:01 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: netfilter-devel@vger.kernel.org
    Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
            <kadlec@blackhole.kfki.hu>, Bart De Schuymer <bart.de.schuymer@pandora.be>
    Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks
    
    The ulog messages leak heap bytes by the means of padding bytes and
    incompletely filled string arrays. Fix those by memset(0)'ing the
    whole struct before filling it.
    
    Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    Conflicts:
    
        net/bridge/netfilter/ebt_ulog.c

 net/bridge/netfilter/ebt_ulog.c |    9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:43:01 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: netfilter-devel@vger.kernel.org
    Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
            <kadlec@blackhole.kfki.hu>
    Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks
    
    The ulog messages leak heap bytes by the means of padding bytes and
    incompletely filled string arrays. Fix those by memset(0)'ing the
    whole struct before filling it.
    
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    Conflicts:
    
        net/ipv4/netfilter/ipt_ULOG.c

 net/ipv4/netfilter/ipt_ULOG.c |    7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 2965f6e6122325a18e69296ad3817c66ca59b7e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:49:45 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
    Subject: [PATCH net] unix_diag: fix info leak
    
    When filling the netlink message we miss to wipe the pad field,
    therefore leak one byte of heap memory to userland. Fix this by
    setting pad to 0.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/unix/diag.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc
Author: Mathias Krause <minipli@googlemail.com>
Date:   Mon Sep 30 22:03:06 2013 +0200

    Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682
    
    proc connector: fix info leaks
    
    Initialize event_data for all possible message types to prevent leaking
    kernel stack contents to userland (up to 20 bytes). Also set the flags
    member of the connector message to 0 to prevent leaking two more stack
    bytes this way.
    
    Cc: stable@vger.kernel.org  # v2.6.15+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/connector/cn_proc.c |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04
Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
Date:   Wed Oct 9 15:58:29 2013 +0100

    Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a
    
    ARM: 7851/1: check for number of arguments in syscall_get/set_arguments()
    
    In ftrace_syscall_enter(),
        syscall_get_arguments(..., 0, n, ...)
            if (i == 0) { <handle ORIG_r0> ...; n--;}
            memcpy(..., n * sizeof(args[0]));
    If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in
    syscall_get_arguments(), none of arguments should be copied by memcpy().
    Otherwise 'n--' can be a big positive number and unexpected amount of data
    will be copied. Tracing system calls which take no argument, say sync(void),
    may hit this case and eventually make the system corrupted.
    This patch fixes the issue both in syscall_get_arguments() and
    syscall_set_arguments().
    
    Cc: <stable@vger.kernel.org>
    Acked-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/include/asm/syscall.h |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2
Author: Dave Jones <davej@redhat.com>
Date:   Thu Oct 10 20:05:35 2013 -0400

    Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc
    
    ext4: fix memory leak in xattr
    
    If we take the 2nd retry path in ext4_expand_extra_isize_ea, we
    potentionally return from the function without having freed these
    allocations.  If we don't do the return, we over-write the previous
    allocation pointers, so we leak either way.
    
    Spotted with Coverity.
    
    [ Fixed by tytso to set is and bs to NULL after freeing these
      pointers, in case in the retry loop we later end up triggering an
      error causing a jump to cleanup, at which point we could have a double
      free bug. -- Ted ]
    
    Signed-off-by: Dave Jones <davej@fedoraproject.org>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Reviewed-by: Eric Sandeen <sandeen@redhat.com>
    Cc: stable@vger.kernel.org

 fs/ext4/xattr.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 224e55268fbd4f81fca479e315c9483df591411d
Author: Salva Peiró <speiro@ai2.upv.es>
Date:   Fri Oct 11 12:50:03 2013 +0300

    Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194
    
    farsync: fix info leak in ioctl
    
    The fst_get_iface() code fails to initialize the two padding bytes of
    struct sync_serial_settings after the ->loopback member. Add an explicit
    memset(0) before filling the structure to avoid the info leak.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/farsync.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9
Author: James Hogan <james.hogan@imgtec.com>
Date:   Mon Oct 7 12:14:26 2013 +0100

    Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92
    
    MIPS: stack protector: Fix per-task canary switch
    
    Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary
    per task) was merged in v3.11 and introduced assembly in the MIPS resume
    functions to update the value of the current canary in
    __stack_chk_guard. However it used PTR_L resulting in a load of the
    canary value, instead of PTR_LA to construct its address. The value is
    intended to be random but is then treated as an address in the
    subsequent LONG_S (store).
    
    This was observed to cause a fault and panic:
    
    CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4
    Oops[#1]:
    ...
    $24   : 139fea20 1e1f7cb6
    ...
    Call Trace:
    [<8000cc0c>] resume+0xac/0x118
    [<8034f2a4>] __schedule+0x5f8/0x78c
    [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c
    [<80348eec>] rest_init+0x74/0x84
    [<804dc990>] start_kernel+0x43c/0x454
    Code: 3c18804b  8f184030  8cb901f8 <af190000> 00c0e021  8cb002f0 8cb102f4  8cb202f8  8cb302fc
    
    This can also be forced by modifying
    arch/mips/include/asm/stackprotector.h so that the default
    __stack_chk_guard value is more likely to be a bad (or unaligned)
    pointer.
    
    Fix it to use PTR_LA instead, to load the address of the canary value,
    which the LONG_S can then use to write into it.
    
    Reported-by: bobjones (via #mipslinux on IRC)
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Gregory Fong <gregory.0xf0@gmail.com>
    Cc: linux-mips@linux-mips.org
    Cc: stable@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/6026/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

 arch/mips/kernel/octeon_switch.S |    2 +-
 arch/mips/kernel/r2300_switch.S  |    2 +-
 arch/mips/kernel/r4k_switch.S    |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c
Author: Fan Du <fan.du@windriver.com>
Date:   Tue Sep 17 15:14:13 2013 +0800

    Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda
    
    xfrm: Guard IPsec anti replay window against replay bitmap
    
    For legacy IPsec anti replay mechanism:
    
    bitmap in struct xfrm_replay_state could only provide a 32 bits
    window size limit in current design, thus user level parameter
    sadb_sa_replay should honor this limit, otherwise misleading
    outputs("replay=244") by setkey -D will be:
    
    192.168.25.2 192.168.22.2
        esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
        E: aes-cbc  9a8d7468 7655cf0b 719d27be b0ddaac2
        A: hmac-sha1  2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
        seq=0x00000000 replay=244 flags=0x00000000 state=mature
        created: Sep 17 14:00:00 2013   current: Sep 17 14:00:22 2013
        diff: 22(s)     hard: 30(s)     soft: 26(s)
        last: Sep 17 14:00:00 2013      hard: 0(s)      soft: 0(s)
        current: 1408(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 22   hard: 0 soft: 0
        sadb_seq=1 pid=4854 refcnt=0
    192.168.22.2 192.168.25.2
        esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
        E: aes-cbc  6485d990 f61a6bd5 e5660252 608ad282
        A: hmac-sha1  0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
        seq=0x00000000 replay=244 flags=0x00000000 state=mature
        created: Sep 17 14:00:00 2013   current: Sep 17 14:00:22 2013
        diff: 22(s)     hard: 30(s)     soft: 26(s)
        last: Sep 17 14:00:00 2013      hard: 0(s)      soft: 0(s)
        current: 1408(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 22   hard: 0 soft: 0
        sadb_seq=0 pid=4854 refcnt=0
    
    And also, optimizing xfrm_replay_check window checking by setting the
    desirable x->props.replay_window with only doing the comparison once
    for all when xfrm_state is first born.
    
    Signed-off-by: Fan Du <fan.du@windriver.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/key/af_key.c       |    3 ++-
 net/xfrm/xfrm_replay.c |    3 +--
 net/xfrm/xfrm_user.c   |    3 ++-
 3 files changed, 5 insertions(+), 4 deletions(-)

commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541
Author: Thomas Egerer <thomas.egerer@secunet.com>
Date:   Thu Sep 19 13:19:19 2013 +0200

    Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c
    
    xfrm: Fix aevent generation for each received packet
    
    If asynchronous events are enabled for a particular netlink socket,
    the notify function is called by the advance function. The notify
    function creates and dispatches a km_event if a replay timeout occurred,
    or at least replay_maxdiff packets have been received since the last
    asynchronous event has been sent. The function is supposed to return if
    neither of the two events were detected for a state, or replay_maxdiff
    is equal to zero.
    Replay_maxdiff is initialized in xfrm_state_construct to the value of
    the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state
    if the netlink attribute XFRMA_REPLAY_THRESH is set.
    If, however, replay_maxdiff is set to zero, then all of the three notify
    implementations perform a break from the switch statement instead of
    checking whether a timeout occurred, and -- if not -- return.  As a
    result an asynchronous event is generated for every replay update of a
    state that has a zero replay_maxdiff value.
    This patch modifies the notify functions such that they immediately
    return if replay_maxdiff has the value zero, unless a timeout occurred.
    
    Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/xfrm/xfrm_replay.c |   51 +++++++++++++++++++++++++----------------------
 1 files changed, 27 insertions(+), 24 deletions(-)

commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date:   Tue Oct 8 10:49:45 2013 +0200

    Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee
    
    xfrm: Add refcount handling to queued policies
    
    We need to ensure that policies can't go away as long as the hold timer
    is armed, so take a refcont when we arm the timer and drop one if we
    delete it.
    
    Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
    resolution packet queue")
    
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/xfrm/xfrm_policy.c |   24 +++++++++++++++++-------
 1 files changed, 17 insertions(+), 7 deletions(-)

commit b4948dc963442682534b3a039664b564c764e4f8
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date:   Tue Oct 8 10:49:51 2013 +0200

    Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0
    
    xfrm: check for a vaild skb in xfrm_policy_queue_process
    
    We might dreference a NULL pointer if the hold_queue is empty,
    so add a check to avoid this.
    
    Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
    resolution packet queue")
    
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/xfrm/xfrm_policy.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit fad7f264b264b0b17a307aa16162cb43c7688a30
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date:   Mon Oct 7 23:19:58 2013 +0200

    Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89
    
    net: vlan: fix nlmsg size calculation in vlan_get_size()
    
    This patch fixes the calculation of the nlmsg size, by adding the missing
    nla_total_size().
    
    Cc: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/8021q/vlan_netlink.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd
Author: François Cachereul <f.cachereul@alphalink.fr>
Date:   Wed Oct 2 10:16:02 2013 +0200

    Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c
    
    l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
    
    IPv4 mapped addresses cause kernel panic.
    The patch juste check whether the IPv6 address is an IPv4 mapped
    address. If so, use IPv4 API instead of IPv6.
    
    [  940.026915] general protection fault: 0000 [#1]
    [  940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
    [  940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
    [  940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [  940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000
    [  940.026915] RIP: 0010:[<ffffffff81333780>]  [<ffffffff81333780>] ip6_xmit+0x276/0x326
    [  940.026915] RSP: 0018:ffff88000737fd28  EFLAGS: 00010286
    [  940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000
    [  940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40
    [  940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90
    [  940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0
    [  940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580
    [  940.026915] FS:  00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000
    [  940.026915] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0
    [  940.026915] Stack:
    [  940.026915]  ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
    [  940.026915]  11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
    [  940.026915]  ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
    [  940.026915] Call Trace:
    [  940.026915]  [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4
    [  940.026915]  [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
    [  940.026915]  [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214
    [  940.026915]  [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
    [  940.026915]  [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic]
    [  940.026915]  [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic]
    [  940.026915]  [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106
    [  940.026915]  [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a
    [  940.026915]  [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b
    [  940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
    8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
    00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
    [  940.026915] RIP  [<ffffffff81333780>] ip6_xmit+0x276/0x326
    [  940.026915]  RSP <ffff88000737fd28>
    [  940.057945] ---[ end trace be8aba9a61c8b7f3 ]---
    [  940.058583] Kernel panic - not syncing: Fatal exception in interrupt
    
    Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_core.c |   27 +++++++++++++++++++++++----
 net/l2tp/l2tp_core.h |    3 +++
 2 files changed, 26 insertions(+), 4 deletions(-)

commit 2db6fe58460d400bc8b995fa2328be03e27e55e1
Merge: 28f9622 e41125e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Oct 15 10:00:52 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/kernel/ds.c
        net/sysctl_net.c

commit e41125e4742f332cd8cd8cf0c00cb189dba0e037
Merge: 740e5ec a145cb9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Oct 15 09:58:29 2013 -0400

    Merge branch 'linux-3.11.y' into pax-test

commit 28f9622091224541efadf3ae006f0e5651c7fa45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Oct 1 22:48:34 2013 -0400

    Fix this strlcpy crap properly

 arch/sparc/kernel/ds.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

commit 837193210e4125fe4e9e554b28d7bc33985f3554
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Sep 27 13:46:04 2013 -0700

    Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355
    
    sparc64: Fix buggy strlcpy() conversion in ldom_reboot().
    
    Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using
    strlcpy() instead of strcpy()") added a bug to ldom_reboot in
    arch/sparc/kernel/ds.c
    
    -           strcpy(full_boot_str + strlen("boot "), boot_command);
    +                                strlcpy(full_boot_str + strlen("boot "), boot_command,
    +                                                        sizeof(full_boot_str + strlen("boot ")));
    
    That last sizeof() expression evaluates to sizeof(size_t) which is
    not what was intended.
    
    Also even the corrected:
    
         sizeof(full_boot_str) + strlen("boot ")
    
    is not right as the destination buffer length is just plain
    "sizeof(full_boot_str)" and that's what the final argument
    should be.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/ds.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Sun Sep 29 05:40:50 2013 +0200

    Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae
    
    ipv6: gre: correct calculation of max_headroom
    
    gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header,
    so initialize max_headroom to zero. Otherwise the
    
        if (encap_limit >= 0) {
                max_headroom += 8;
                mtu -= 8;
        }
    
    increments an uninitialized variable before max_headroom was reset.
    
    Found with coverity: 728539
    
    Cc: Dmitry Kozlov <xeb@mail.ru>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/ipv6/ip6_gre.c

 net/ipv6/ip6_gre.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 0d68ac550952d0eaf60851497ceee68dbba24516
Merge: 64257ad 740e5ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Oct 1 18:11:52 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/hid/hid-core.c
        drivers/hid/hid-lg2ff.c
        drivers/hid/hid-lg3ff.c
        drivers/hid/hid-lg4ff.c
        drivers/hid/hid-lgff.c
        drivers/hid/hid-logitech-dj.c
        drivers/hid/hid-steelseries.c
        drivers/hid/hid-zpff.c
        include/linux/hid.h

commit 740e5ec087969afd43ae0b552b4e05914437ed32
Merge: c38c6b0 db20388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Oct 1 17:40:46 2013 -0400

    Merge branch 'linux-3.11.y' into pax-test

commit 64257ad95c51285d415f93ebdd486fae6bb9415d
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Sat Sep 21 06:27:00 2013 +0200

    Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47
    
    ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
    
    In the following scenario the socket is corked:
    If the first UDP packet is larger then the mtu we try to append it to the
    write queue via ip6_ufo_append_data. A following packet, which is smaller
    than the mtu would be appended to the already queued up gso-skb via
    plain ip6_append_data. This causes random memory corruptions.
    
    In ip6_ufo_append_data we also have to be careful to not queue up the
    same skb multiple times. So setup the gso frame only when no first skb
    is available.
    
    This also fixes a shortcoming where we add the current packet's length to
    cork->length but return early because of a packet > mtu with dontfrag set
    (instead of sutracting it again).
    
    Found with trinity.
    
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |   53 ++++++++++++++++++++----------------------------
 1 files changed, 22 insertions(+), 31 deletions(-)

commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Sep 24 15:27:45 2013 -0700

    Just a whitespace fix to sync with upstream as we already applied this fix
    via Vasiliy Kulikov in 2010.  It fell through the cracks upstream
    
    cciss: fix info leak in cciss_ioctl32_passthru()
    
    The arg64 struct has a hole after ->buf_size which isn't cleared.  Or if
    any of the calls to copy_from_user() fail then that would cause an
    information leak as well.
    
    This was assigned CVE-2013-2147.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Mike Miller <mike.miller@hp.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        drivers/block/cciss.c

 drivers/block/cciss.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e
Author: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Date:   Tue Sep 24 18:29:11 2013 -0700

    Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b
    
    mm: Place preemption point in do_mlockall() loop
    
    There is a loop in do_mlockall() that lacks a preemption point, which
    means that the following can happen on non-preemptible builds of the
    kernel. Dave Jones reports:
    
     "My fuzz tester keeps hitting this.  Every instance shows the non-irq
      stack came in from mlockall.  I'm only seeing this on one box, but
      that has more ram (8gb) than my other machines, which might explain
      it.
    
        INFO: rcu_preempt self-detected stall on CPU { 3}  (t=6500 jiffies g=470344 c=470343 q=0)
        sending NMI to all CPUs:
        NMI backtrace for cpu 3
        CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32
        Call Trace:
          lru_add_drain_all+0x15/0x20
          SyS_mlockall+0xa5/0x1a0
          tracesys+0xdd/0xe2"
    
    This commit addresses this problem by inserting the required preemption
    point.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
    Cc: Michel Lespinasse <walken@google.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mlock.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 27 21:06:17 2013 -0400

    Don't log attempts to create a socket with a family that the kernel doesn't
    support
    Further, if the kernel doesn't support the socket family, instead of returning
    -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6
    sockets in RBAC policy despite a kernel that doesn't support ipv6
    observed during a Debian userland update necessitating a policy change

 grsecurity/gracl_ip.c |    7 +++----
 net/socket.c          |   26 +++++++++++++++-----------
 2 files changed, 18 insertions(+), 15 deletions(-)

commit 55f1e409275973513a3314fe5bfa76a4781c0db7
Merge: 2eac654 c38c6b0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 27 20:35:04 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/hid/hid-picolcd_core.c

commit c38c6b0bbbe53bd528aeeb4a059764abc028c276
Merge: 115bf6a a3308b5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 27 20:34:15 2013 -0400

    Merge branch 'linux-3.11.y' into pax-test
    
    Conflicts:
        arch/x86/ia32/ia32_signal.c
        arch/x86/include/asm/checksum_32.h
        arch/x86/include/asm/mmu_context.h
        arch/x86/kernel/signal.c
        arch/x86/lib/csum-wrappers_64.c
        include/linux/compat.h

commit 2eac65435fdffca548a56e5187840908438fc95c
Merge: ba0ebde 115bf6a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 26 20:00:00 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 115bf6af0083ea28c751d551a39cfdba1798e9dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 26 19:59:14 2013 -0400

    Update to pax-linux-3.11.1-test10.patch:
    - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine
    - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard
    - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040)
    - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released)
    - beefed up latent entropy extraction
      - latent_entropy itself will be initialized to a compile-time random value (instead of 0)
      - entropy will be collected from various irq and softirq handlers

 arch/arm/kernel/module.c          |    2 ++
 arch/arm/kernel/vmlinux.lds.S     |    2 +-
 block/blk-iopoll.c                |    2 +-
 block/blk-softirq.c               |    2 +-
 fs/binfmt_elf.c                   |    8 +++++---
 include/linux/genhd.h             |    2 +-
 include/linux/random.h            |    4 ++--
 kernel/hrtimer.c                  |    2 +-
 kernel/rcutiny.c                  |    2 +-
 kernel/rcutree.c                  |    2 +-
 kernel/sched/fair.c               |    2 +-
 kernel/softirq.c                  |    4 ++--
 kernel/timer.c                    |    2 +-
 lib/percpu-refcount.c             |    2 +-
 net/core/dev.c                    |    4 ++--
 tools/gcc/latent_entropy_plugin.c |    2 +-
 16 files changed, 24 insertions(+), 20 deletions(-)

commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 22 18:14:07 2013 -0400

    Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
    
    This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.

 net/netlink/genetlink.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35
Merge: f1e4228 90db383
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 18 17:34:37 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 90db383fd7d650172d52229b0116ad7604c9bec1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 18 17:32:42 2013 -0400

    Update to pax-linux-3.11.1-test9.patch:
    - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer
    - better implementation of __read_only for modules
    - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard

 arch/arm/kernel/entry-common.S            |   12 ++++++------
 arch/arm/mach-omap2/omap-mpuss-lowpower.c |    4 ++--
 arch/arm/mm/fault.c                       |   26 +++++++++++++++++++++++++-
 arch/x86/include/asm/cache.h              |    4 ----
 drivers/bus/arm-cci.c                     |    2 +-
 drivers/clk/socfpga/clk.c                 |    2 +-
 drivers/mmc/host/mmci.c                   |    4 +++-
 drivers/net/ethernet/chelsio/cxgb3/sge.c  |    2 +-
 include/linux/cache.h                     |    4 ++++
 net/netfilter/ipvs/ip_vs_lblc.c           |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c          |    2 +-
 scripts/module-common.lds                 |    4 ++++
 12 files changed, 49 insertions(+), 19 deletions(-)

commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 18 17:32:25 2013 -0400

    Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error"
    
    This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f.

 net/sctp/protocol.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f1e42285e17479067b6cbcffc43916720e6dedd3
Merge: 456ca17 5e30989
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 21:42:34 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 5e30989102e2d0df166ab6ff915b90f675f8786f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 21:41:44 2013 -0400

    mark sctp_af_inet forward declaration as __read_only to fix compile error

 net/sctp/protocol.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 456ca176141f10355c1569b29225c9ce4b7db18e
Merge: b406eac 5df8f36
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 20:02:05 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 20:01:38 2013 -0400

    Update to pax-linux-3.11.1-test7.patch:
    - fixed arm compile error, reported by Arnaud Ebalard
    - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743)
    - fixed od_ops constification, fixes cpufreq ondemand on AMD
    - latent entropy will now be gathered from module init code as well (i.e., at module load/init time)
    - __read_only will now be enforced in modules as well
    - removed unneccessary __read_only from ntfs

 arch/arm/lib/uaccess_with_memcpy.c |    2 +-
 arch/x86/include/asm/cache.h       |    4 ++++
 drivers/cpufreq/cpufreq_governor.h |    2 +-
 drivers/cpufreq/cpufreq_ondemand.c |    2 +-
 fs/ntfs/file.c                     |    4 ++--
 include/linux/init.h               |    5 -----
 include/net/xfrm.h                 |    5 ++++-
 init/main.c                        |    9 +++------
 mm/page_alloc.c                    |    1 +
 net/ipv4/xfrm4_policy.c            |    4 ++--
 net/ipv6/xfrm6_policy.c            |    4 ++--
 net/xfrm/xfrm_policy.c             |   11 ++---------
 12 files changed, 23 insertions(+), 30 deletions(-)

commit b406eac579bb3a5faa1c9d73b8af5530f942009a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 12:53:22 2013 -0400

    Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce
    
    author      Steffen Klassert <steffen.klassert@secunet.com> 2013-09-09 07:39:01 (GMT)
    committer    Steffen Klassert <steffen.klassert@secunet.com>        2013-09-16 07:39:37 (GMT)
    
    xfrm: Fix replay size checking on async events
    We pass the wrong netlink attribute to xfrm_replay_verify_len().
    It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as
    we currently doing. This causes memory corruptions if the
    replay esn attribute has incorrect length. Fix this by passing
    the right attribute to xfrm_replay_verify_len().
    
    Reported-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/xfrm/xfrm_user.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9
Merge: 84843a3 0a0ced6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 15 11:24:30 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/net/wireless/ath/ath10k/core.c
        drivers/net/wireless/ath/ath10k/htc.c

commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 15 11:21:43 2013 -0400

    Update to pax-linux-3.11.1-test6.patch:
    - forward port to 3.11.1
    - fixed some CONSTIFY fallout, reported by spender
    - fixed INVPCID on i386, reported by spender
    - simplified/consolidated the recent security_ops change

 arch/x86/include/asm/mmu_context.h         |    4 ++--
 arch/x86/include/asm/tlbflush.h            |    6 +++---
 arch/x86/kernel/cpu/perf_event_amd_iommu.c |    2 +-
 drivers/net/wireless/ath/ath10k/core.c     |    6 +++---
 drivers/net/wireless/ath/ath10k/htc.c      |    7 ++++---
 include/linux/security.h                   |    2 --
 security/security.c                        |    3 ---
 security/selinux/hooks.c                   |    5 +++--
 8 files changed, 16 insertions(+), 19 deletions(-)

commit 84843a394cde0578be728cb5fd34da9859dcf110
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 15 09:19:21 2013 -0400

    remove unnecessary check from when protocol was signed

 net/phonet/af_phonet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cc7c916cac4c2eb0ec243690627e2b6a13234fef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 15 08:53:27 2013 -0400

    resync with PaX

 security/selinux/hooks.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit fdeadf7ba061242685e07a2504c6be99161f292c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 23:04:53 2013 -0400

    Fix constification of ath10k_hif_cb struct located on stack

 drivers/net/wireless/ath/ath10k/hif.h |    1 +
 drivers/net/wireless/ath/ath10k/htc.c |    2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

commit 73c6875760e610cb636f86566a1be7a744d89b82
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 22:41:06 2013 -0400

    use a no_const typedef for ath10k_htc_ops, which is located on the stack

 drivers/net/wireless/ath/ath10k/core.c |    6 +++---
 drivers/net/wireless/ath/ath10k/htc.h  |    1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

commit bffb0279b95b717c739365a5a25ca0391e7479b1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 22:13:46 2013 -0400

    fix compilation error under constify

 drivers/net/wireless/ath/ath10k/core.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 1044c726fd98de89a711c6655f811600d4051e46
Merge: ffc8003 e39d12a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 21:57:25 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e39d12a3b877293ba677bf7642c8887144ae1576
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 21:56:56 2013 -0400

    Update to pax-linux-3.11-test5.patch:
    - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd)
    - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin

 mm/mremap.c                 |    5 ++++-
 tools/gcc/kernexec_plugin.c |    4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 21:48:03 2013 -0400

    fix compile error introduced by pipacs

 security/selinux/hooks.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 874e80f445b1325df45f04cc317f67587e241218
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 21:12:45 2013 -0400

    Fix invalid dependency causing warning:
    warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)

 lib/Kconfig.debug |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 19:53:56 2013 -0400

    change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs

 arch/x86/include/asm/tlbflush.h |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Sat Sep 7 16:44:59 2013 +0200

    Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95
    
    net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE
    
    If we do not add braces around ...
    
      mask |= POLLERR |
              sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
    
    ... then this condition always evaluates to true as POLLERR is
    defined as 8 and binary or'd with whatever result comes out of
    sock_flag(). Hence instead of (X | Y) ? A : B, transform it into
    X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix
    smatch warnings inside datagram_poll") forgot about SCTP. :-(
    
    Introduced by 7d4c04fc170 ("net: add option to enable error queue
    packets waking select").
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Jacob Keller <jacob.e.keller@intel.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Jacob Keller <jacob.e.keller@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Sep 11 18:09:48 2013 +0800

    Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0
    
    tuntap: correctly handle error in tun_set_iff()
    
    Commit c8d68e6be1c3b242f1c598595830890b65cea64a
    (tuntap: multiqueue support) only call free_netdev() on error in
    tun_set_iff(). This causes several issues:
    
    - memory of tun security were leaked
    - use after free since the flow gc timer was not deleted and the tfile
      were not detached
    
    This patch solves the above issues.
    
    Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
    Cc: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit b504140d8590bd67ed481ea84824a9846dde2d74
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Sun Sep 8 14:33:50 2013 +1000

    Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa
    
    crypto: api - Fix race condition in larval lookup
    
    crypto_larval_lookup should only return a larval if it created one.
    Any larval created by another entity must be processed through
    crypto_larval_wait before being returned.
    
    Otherwise this will lead to a larval being killed twice, which
    will most likely lead to a crash.
    
    Cc: stable@vger.kernel.org
    Reported-by: Kees Cook <keescook@chromium.org>
    Tested-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 crypto/api.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit f4212fa9ec1c34c59fabc43904e16112b776b6b2
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed Sep 11 16:58:36 2013 +0200

    Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7
    
    net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit
    
    Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not
    being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport
    does not seem to have the desired effect:
    
    SCTP + IPv4:
    
      22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
        192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
      22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
        192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):
    
    SCTP + IPv6:
    
      22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
        fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
        1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]
    
    Moreover, Alan says:
    
      This problem was seen with both Racoon and Racoon2. Other people have seen
      this with OpenSwan. When IPsec is configured to encrypt all upper layer
      protocols the SCTP connection does not initialize. After using Wireshark to
      follow packets, this is because the SCTP packet leaves Box A unencrypted and
      Box B believes all upper layer protocols are to be encrypted so it drops
      this packet, causing the SCTP connection to fail to initialize. When IPsec
      is configured to encrypt just SCTP, the SCTP packets are observed unencrypted.
    
    In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext"
    string on the other end, results in cleartext on the wire where SCTP eventually
    does not report any errors, thus in the latter case that Alan reports, the
    non-paranoid user might think he's communicating over an encrypted transport on
    SCTP although he's not (tcpdump ... -X):
    
      ...
      0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000  ]p.......}.l....
      0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000  ....plaintext...
    
    Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the
    receiver side. Initial follow-up analysis from Alan's bug report was done by
    Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this.
    
    SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit().
    This has the implication that it probably never really got updated along with
    changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers.
    
    SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since
    a call to inet6_csk_xmit() would solve this problem, but result in unecessary
    route lookups, let us just use the cached flowi6 instead that we got through
    sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(),
    we do the route lookup / flow caching in sctp_transport_route(), hold it in
    tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in
    sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect
    of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst()
    instead to get the correct source routed dst entry, which we assign to the skb.
    
    Also source address routing example from 625034113 ("sctp: fix sctp to work with
    ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095
    it is actually 'recommended' to not use that anyway due to traffic amplification [1].
    So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if
    we overwrite the flow destination here, the lower IPv6 layer will be unable to
    put the correct destination address into IP header, as routing header is added in
    ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside,
    result of this patch is that we do not have any XfrmInTmplMismatch increase plus on
    the wire with this patch it now looks like:
    
    SCTP + IPv6:
    
      08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba:
        AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72
      08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a:
        AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296
    
    This fixes Kernel Bugzilla 24412. This security issue seems to be present since
    2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have
    its fun with that. lksctp-tools IPv6 regression test suite passes as well with
    this patch.
    
     [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
    
    Reported-by: Alan Chester <alan.chester@tekelec.com>
    Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/ipv6.c |   42 +++++++++++++-----------------------------
 1 files changed, 13 insertions(+), 29 deletions(-)

commit 726915e42b1a23b88cd420029003d82208a30006
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Sep 13 14:52:04 2013 -0700

    Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7
    
    isdn: clean up debug format string usage
    
    Avoid unneeded local string buffers for constructing debug output.  Also
    cleans up debug calls that contain a single parameter so that they cannot
    be accidentally parsed as format strings.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Karsten Keil <isdn@linux-pingi.de>
    Cc: David Miller <davem@davemloft.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/hisax/amd7930_fn.c |    4 +-
 drivers/isdn/hisax/avm_pci.c    |    4 +-
 drivers/isdn/hisax/config.c     |    2 +-
 drivers/isdn/hisax/diva.c       |    4 +-
 drivers/isdn/hisax/elsa.c       |    2 +-
 drivers/isdn/hisax/elsa_ser.c   |    2 +-
 drivers/isdn/hisax/hfc_pci.c    |    2 +-
 drivers/isdn/hisax/hfc_sx.c     |    2 +-
 drivers/isdn/hisax/hscx_irq.c   |    4 +-
 drivers/isdn/hisax/icc.c        |    4 +-
 drivers/isdn/hisax/ipacx.c      |    8 +++---
 drivers/isdn/hisax/isac.c       |    4 +-
 drivers/isdn/hisax/isar.c       |    6 ++--
 drivers/isdn/hisax/jade.c       |   18 ++++----------
 drivers/isdn/hisax/jade_irq.c   |    4 +-
 drivers/isdn/hisax/l3_1tr6.c    |   50 ++++++++++++++-------------------------
 drivers/isdn/hisax/netjet.c     |    2 +-
 drivers/isdn/hisax/q931.c       |    6 ++--
 drivers/isdn/hisax/w6692.c      |    8 +++---
 19 files changed, 57 insertions(+), 79 deletions(-)

commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 19:16:48 2013 -0400

    Fix a bad git merge, re-applied a previously reverted patch

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit 5dea4b212b0405d6bcbea57516d77b21035d1178
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:56:37 2013 -0400

    finish porting namei.c

 fs/namei.c |   50 +++++++++++---------------------------------------
 1 files changed, 11 insertions(+), 39 deletions(-)

commit a7d5c5e2d0fd4831df19247e41c73c362809b00f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:44:08 2013 -0400

    cred->user -> current_user()

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit be3db5fa6532557384fb66d2d9297d77666912cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:36:24 2013 -0400

    Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit ce9afc12137b65991bfc7cce70e28d86bbb76956
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Sep 3 19:29:12 2013 +0200

    Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
    
    net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    
    In tcp_v6_do_rcv() code, when processing pkt options, we soley work
    on our skb clone opt_skb that we've created earlier before entering
    tcp_rcv_established() on our way. However, only in condition ...
    
      if (np->rxopt.bits.rxtclass)
        np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
    
    ... we work on skb itself. As we extract every other information out
    of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
    already be released by tcp_rcv_established() earlier on. When we try
    to access it in ipv6_hdr(), we will dereference freed skb.
    
    [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
      IP_PKTOPTIONS") ]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/ipv6/tcp_ipv6.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 84aa149aa0f178516f5784d028522d60d35696c9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:36:23 2013 -0400

    fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1145b56059535549be226da9891b56ab2d902b2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:17:02 2013 -0400

    Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_sysctl.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 18:41:49 2013 -0400

    Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
    
    Also eliminate reset_security_ops() as a ROP target when
    SECURITY_SELINUX_DISABLE is disabled as it's the only user
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig        |   17 ++++++++++++++++-
 grsecurity/grsec_init.c   |    3 +++
 grsecurity/grsec_sysctl.c |    2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)

commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 17:11:11 2013 -0400

    fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_sysctl.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 74dc00678ec84a254617b500a2880974dac95220
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:42:39 2013 -0400

    add export of gr_handle_new_usb()
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_usb.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 19:24:47 2013 -0400

    Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/usb/core/hub.c     |    5 +++++
 grsecurity/Kconfig         |   20 ++++++++++++++++++++
 grsecurity/Makefile        |    3 ++-
 grsecurity/grsec_init.c    |    1 +
 grsecurity/grsec_sysctl.c  |   11 +++++++++++
 grsecurity/grsec_usb.c     |   13 +++++++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grsecurity.h |    2 ++
 8 files changed, 55 insertions(+), 1 deletions(-)

commit 889852764d245f44e416da4eb203fda0bd327584
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:35:07 2013 -0700

    HID: zeroplus: validate output report details
    
    The zeroplus HID driver was not checking the size of allocated values
    in fields it used. A HID device could send a malicious output report
    that would cause the driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
    ...
    [ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2889
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-zpff.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit f30e932a87f25b53779d1f92b49923f8a2dc9834
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 14:36:15 2013 -0700

    HID: provide a helper for validating hid reports
    
    Many drivers need to validate the characteristics of their HID report
    during initialization to avoid misusing the reports. This adds a common
    helper to perform validation of the report, its field count, and the
    value count within the fields.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-core.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/hid.h    |    4 +++
 2 files changed, 54 insertions(+), 0 deletions(-)

commit f9eac59133855befee23d0c899e0d0e6ebcd3d44
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:14:34 2013 -0700

    HID: steelseries: validate output report details
    
    A HID device could send a malicious output report that would cause the
    steelseries HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
    ...
    [  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2891
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-steelseries.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 9f5ae466957014bc300929374ebb7afdd9d116d6
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 08:49:21 2013 -0700

    HID: pantherlord: validate output report details
    
    A HID device could send a malicious output report that would cause the
    pantherlord HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
    ...
    [  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2892
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-pl.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit b643b8f8af23488d92f16a817bf16c162d612ce1
Author: Kees Cook <keescook@chromium.org>
Date:   Tue Aug 13 16:49:01 2013 -0700

    HID: LG: validate HID output report details
    
    A HID device could send a malicious output report that would cause the
    lg, lg3, and lg4 HID drivers to write beyond the output report allocation
    during an event, causing a heap overflow:
    
    [  325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
    ...
    [  414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
    
    Additionally, while lg2 did correctly validate the report details, it was
    cleaned up and shortened.
    
    CVE-2013-2893
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-lg2ff.c |   19 +++----------------
 drivers/hid/hid-lg3ff.c |   29 ++++++-----------------------
 drivers/hid/hid-lg4ff.c |   20 +-------------------
 drivers/hid/hid-lgff.c  |   17 ++---------------
 4 files changed, 12 insertions(+), 73 deletions(-)

commit 975723a41239b1befae172e88082ff4422753508
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:21:23 2013 -0700

    HID: lenovo-tpkbd: validate output report details
    
    A HID device could send a malicious output report that would cause the
    lenovo-tpkbd HID driver to write just beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
    ...
    [   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2894
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-lenovo-tpkbd.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:45:03 2013 -0700

    HID: logitech-dj: validate output report details
    
    A HID device could send a malicious output report that would cause the
    logitech-dj HID driver to leak kernel memory contents to the device, or
    trigger a NULL dereference during initialization:
    
    [  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
    ...
    [  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
    [  304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
    
    CVE-2013-2895
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-logitech-dj.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit 05c3db7daee82d79c628c15b304f8621159e14f3
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:18:15 2013 -0700

    HID: ntrig: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    ntrig HID driver to trigger a NULL dereference during initialization:
    
    [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
    ...
    [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
    [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
    
    CVE-2013-2896
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-ntrig.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit a79f25f59fdd0abaf4ecfab93017aa49de089498
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:11:32 2013 -0700

    HID: multitouch: validate feature report details
    
    When working on report indexes, always validate that they are in bounds.
    Without this, a HID device could report a malicious feature report that
    could trick the driver into a heap overflow:
    
    [  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
    ...
    [  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2897
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-multitouch.c |   25 ++++++++++++++++++++-----
 1 files changed, 20 insertions(+), 5 deletions(-)

commit 6fe8eb06e432f165872d3486fdce0d09de1515b3
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:12:45 2013 -0700

    HID: sensor-hub: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    sensor-hub HID driver to read past the end of heap allocation, leaking
    kernel memory contents to the caller.
    
    CVE-2013-2898
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-sensor-hub.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:05:10 2013 -0700

    HID: picolcd_core: validate output report details
    
    A HID device could send a malicious output report that would cause the
    picolcd HID driver to trigger a NULL dereference during attr file writing.
    
    CVE-2013-2899
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-picolcd_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c147e32922dd91edf1969b8a6eb333aafb4abb79
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:09:54 2013 -0700

    HID: check for NULL field when setting values
    
    Defensively check that the field to be worked on is not NULL.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-core.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 28 18:09:18 2013 -0400

    http://marc.info/?l=linux-input&m=137772180514608&q=raw
    
    The "Report ID" field of a HID report is used to build indexes of
    reports. The kernel's index of these is limited to 256 entries, so any
    malicious device that sets a Report ID greater than 255 will trigger
    memory corruption on the host:
    
    [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
    [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
    
    CVE-2013-2888
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/hid/hid-core.c |   10 +++++++---
 include/linux/hid.h    |    4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)

commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 19 22:10:04 2013 -0400

    fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/x86/kernel/smpboot.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 12:00:20 2013 -0400

    make kallsyms_lookup_size_offset available to approved source files
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit abde07f6c047c0331f511318cb49a36d49218dfc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:18:09 2013 -0400

    allow use of kallsyms_lookup_name to approved source files
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Aug 13 09:04:05 2013 +0200

    Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
    
    genetlink: fix family dump race
    
    When dumping generic netlink families, only the first dump call
    is locked with genl_lock(), which protects the list of families,
    and thus subsequent calls can access the data without locking,
    racing against family addition/removal. This can cause a crash.
    Fix it - the locking needs to be conditional because the first
    time around it's already locked.
    
    A similar bug was reported to me on an old kernel (3.4.47) but
    the exact scenario that happened there is no longer possible,
    on those kernels the first round wasn't locked either. Looking
    at the current code I found the race described above, which had
    also existed on the old kernel.
    
    Cc: stable@vger.kernel.org
    Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 net/netlink/genetlink.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 08:58:34 2013 -0400

    Fix two harmless compiler warnings
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/kernel/process.c |    4 ++--
 fs/exec.c                 |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit d502375416b17270008ebdf11f1c3be7837f7c50
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:46:01 2013 -0400

    Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/kallsyms.h |    2 +-
 kernel/kprobes.c         |    3 +++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit f6c363aba68cccff2815a488a7e9ed68990100d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 10 09:41:40 2013 -0400

    propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/sparc/mm/hugetlbpage.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:58:42 2013 -0400

    Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:26:40 2013 -0400

    Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
    
    Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
    user namespaces!
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/fork.c           |   17 -----------------
 kernel/user_namespace.c |   15 +++++++++++++++
 2 files changed, 15 insertions(+), 17 deletions(-)

commit 5c0737b045d057152a39154746d8c8e5d59185ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 16:05:41 2013 -0400

    silence a warning on older gcc
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 3 08:31:08 2013 -0400

    we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:54:51 2013 -0400

    add include
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/grsec_log.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:49:13 2013 -0400

    fix compilation
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/grinternal.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit d4d49138661d5cb646f0dd012178447380b79956
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:34:35 2013 -0400

    Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/binfmt_elf.c            |   37 +++++++++++++++++++++++++++++++++++++
 fs/exec.c                  |    4 ++++
 grsecurity/Kconfig         |   21 +++++----------------
 grsecurity/grsec_init.c    |    4 ----
 grsecurity/grsec_log.c     |   14 ++++++++++++++
 grsecurity/grsec_pax.c     |   19 ++++++++++++++-----
 grsecurity/grsec_sysctl.c  |    9 ---------
 include/linux/binfmts.h    |    1 +
 include/linux/grinternal.h |    2 +-
 include/linux/grmsg.h      |    3 ++-
 include/linux/grsecurity.h |    3 ++-
 mm/mmap.c                  |    7 +++++++
 mm/mprotect.c              |    2 +-
 13 files changed, 88 insertions(+), 38 deletions(-)

commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:52:02 2013 -0400

    add missing #define
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4a307f7d3ff3ab232c0b6341415088e7618c494e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:43:53 2013 -0400

    fix compilation for !COMPAT as reported on the forums
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |  195 ++++++++++++++++++++++++++--------------------------
 1 files changed, 97 insertions(+), 98 deletions(-)

commit 78011eb5c2454b8afc96b98bd86ac172e589b13c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:20 2013 -0400

    Revert "revert recent PaX change that causes boot failures with 32bit userland"
    
    This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 16:26:58 2013 -0400

    compile fix for !COMPAT as mentioned on forums
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e670dc535e4501fd12d8bf00f1e1306c44266fe7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:33:14 2013 -0400

    perform compat conversion of rlimit infinity
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 2834fe28e69176da6ac4989c6e3dc713faafefe5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:21:40 2013 -0400

    remove debugging
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   44 +++++++++++---------------------------------
 1 files changed, 11 insertions(+), 33 deletions(-)

commit 2669672647f6955f0e5154596492c73cd4fda330
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:20:32 2013 -0400

    eliminate compat_dev_t
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 include/linux/gracl_compat.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 75de5da79f5e03936a79ffe2c827462000001985
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:13:22 2013 -0400

    fix compat rlimit size
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c    |   68 +++++++++++++++++++++++++++++-------------
 include/linux/gracl_compat.h |    4 +-
 2 files changed, 49 insertions(+), 23 deletions(-)

commit 9055a8feb8493a30d1ad0fcef25eb496630d223f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:20:18 2013 -0400

    compile fix
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:14:29 2013 -0400

    copy correct pointer size in new compat code
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c        |    8 ++++----
 grsecurity/gracl_compat.c |    4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 129b6204587740fd082e731a54d00e8a9fc35f8b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:15:50 2013 -0400

    compile fix
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:12:46 2013 -0400

    remove BUILD_BUG_ONs
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |   20 --------------------
 1 files changed, 0 insertions(+), 20 deletions(-)

commit 67fc73af0876d311c0d01d3b16fa429f44af12b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:18:36 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c    |    8 ++++----
 include/linux/gracl_compat.h |    2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:16:42 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c        |    4 ++--
 grsecurity/gracl_compat.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 798adb5cab6c3a8056e1b415e6f34a270f369721
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:13:51 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 4d4945ce90d83784634b898f83cb5a7699537733
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:11:03 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl_compat.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:08:21 2013 -0400

    more compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   28 ++++++++++++++--------------
 1 files changed, 14 insertions(+), 14 deletions(-)

commit 6db464f72eff84f77335b69dc2748a3759e151d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:59:50 2013 -0400

    more compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:56:47 2013 -0400

    additional compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   59 +++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 49 insertions(+), 10 deletions(-)

commit e78a78dcfc089142273243b54509840d3b50c538
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:47:15 2013 -0400

    fix typo
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b27005e62bebc09e6604a6f5dc099742bb6b4434
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:46:59 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/gracl.c |   53 ++++++++++++++++++++++++++++++++++++++-------------
 1 files changed, 39 insertions(+), 14 deletions(-)

commit 101b84a778c254dfd7399f5bcd6264ff437f1176
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:22:44 2013 -0400

    Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
    
    Also removed code duplication for copying strings into the kernel
    
    Work performed as part of sponsorship
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Makefile          |    4 +
 grsecurity/gracl.c           |  315 +++++++++++++++++++++++-------------------
 grsecurity/gracl_compat.c    |  270 ++++++++++++++++++++++++++++++++++++
 include/linux/gracl_compat.h |  156 +++++++++++++++++++++
 4 files changed, 603 insertions(+), 142 deletions(-)

commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 16 20:40:24 2013 -0400

    allow viewing of ecryptfs version under SYSFS_RESTRICT
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/sysfs/dir.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3e182e4da46de4c6b9a9f45d41030bef19260954
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:49:17 2013 -0400

    Update PaX fix, just return the error
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/madvise.c |   11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:36:00 2013 -0400

    Fix madvise oops reported by Peter Keel
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 mm/madvise.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 32537d92b8da84f38bf45eb85b6953f452064936
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 22:04:59 2013 -0400

    compile fixes
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 fs/exec.c |    2 +-
 mm/mmap.c |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:15:10 2013 -0400

    Initial port of grsecurity to 3.11 using new git method

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    3 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |   12 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   17 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    4 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/defconfig                                  |    1 -
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/signal.c                           |    9 +-
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |    9 +-
 arch/x86/kernel/sys_x86_64.c                       |    8 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |    1 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  128 ++-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/block/cpqarray.c                           |    1 +
 drivers/cdrom/cdrom.c                              |    2 +-
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2000 +++++++++++---------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    8 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |    9 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  184 ++-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  256 +++-
 fs/namespace.c                                     |   16 +
 fs/open.c                                          |   38 +
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  166 ++-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |    4 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/perf_event.h                         |   13 +-
 include/linux/printk.h                             |    3 +-
 include/linux/sched.h                              |   24 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 ++-
 kernel/events/core.c                               |   14 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   64 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    2 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    7 +
 kernel/printk/printk.c                             |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   69 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    1 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   63 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev_ioctl.c                               |    4 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    4 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netrom/af_netrom.c                             |    1 -
 net/phonet/af_phonet.c                             |    2 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  341 +++-
 security/apparmor/Kconfig                          |    9 +
 security/apparmor/apparmorfs.c                     |  231 +++
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 235 files changed, 4384 insertions(+), 1312 deletions(-)

commit a76b033c58b4886552911442f1b89e0cee041dae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:57:40 2013 -0400

    Commit merge of new files and rejected patches
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 arch/arm/include/asm/thread_info.h     |    6 +-
 arch/arm/kernel/process.c              |    4 +-
 arch/powerpc/include/asm/thread_info.h |    7 +-
 arch/powerpc/mm/slice.c                |    2 +-
 arch/sparc/kernel/process_64.c         |    4 +-
 arch/x86/kernel/vm86_32.c              |   15 +
 fs/coredump.c                          |    1 +
 fs/ext4/balloc.c                       |    4 +-
 fs/namei.c                             |    7 +
 fs/namespace.c                         |    8 +
 fs/pipe.c                              |    2 +-
 fs/proc/inode.c                        |   13 +
 fs/proc/internal.h                     |    3 +
 grsecurity/Kconfig                     | 1054 +++++++++
 grsecurity/Makefile                    |   38 +
 grsecurity/gracl.c                     | 4073 ++++++++++++++++++++++++++++++++
 grsecurity/gracl_alloc.c               |  105 +
 grsecurity/gracl_cap.c                 |  110 +
 grsecurity/gracl_fs.c                  |  431 ++++
 grsecurity/gracl_ip.c                  |  387 +++
 grsecurity/gracl_learn.c               |  207 ++
 grsecurity/gracl_res.c                 |   68 +
 grsecurity/gracl_segv.c                |  305 +++
 grsecurity/gracl_shm.c                 |   40 +
 grsecurity/grsec_chdir.c               |   19 +
 grsecurity/grsec_chroot.c              |  370 +++
 grsecurity/grsec_disabled.c            |  434 ++++
 grsecurity/grsec_exec.c                |  187 ++
 grsecurity/grsec_fifo.c                |   24 +
 grsecurity/grsec_fork.c                |   23 +
 grsecurity/grsec_init.c                |  283 +++
 grsecurity/grsec_link.c                |   58 +
 grsecurity/grsec_log.c                 |  326 +++
 grsecurity/grsec_mem.c                 |   40 +
 grsecurity/grsec_mount.c               |   62 +
 grsecurity/grsec_pax.c                 |   36 +
 grsecurity/grsec_ptrace.c              |   30 +
 grsecurity/grsec_sig.c                 |  246 ++
 grsecurity/grsec_sock.c                |  244 ++
 grsecurity/grsec_sysctl.c              |  469 ++++
 grsecurity/grsec_time.c                |   16 +
 grsecurity/grsec_tpe.c                 |   73 +
 grsecurity/grsum.c                     |   61 +
 include/linux/gracl.h                  |  319 +++
 include/linux/gralloc.h                |    9 +
 include/linux/grdefs.h                 |  140 ++
 include/linux/grinternal.h             |  227 ++
 include/linux/grmsg.h                  |  112 +
 include/linux/grsecurity.h             |  241 ++
 include/linux/grsock.h                 |   19 +
 include/linux/netfilter/xt_gradm.h     |    9 +
 include/linux/proc_fs.h                |   13 +
 include/linux/sched.h                  |   48 +-
 include/trace/events/fs.h              |   53 +
 kernel/kmod.c                          |    7 +-
 kernel/panic.c                         |    2 +-
 kernel/posix-timers.c                  |    1 +
 kernel/time/timekeeping.c              |    2 +
 lib/Kconfig.debug                      |    2 +-
 lib/vsprintf.c                         |   31 +
 localversion-grsec                     |    1 +
 mm/mmap.c                              |   13 +-
 mm/shmem.c                             |    2 +-
 net/core/net-procfs.c                  |    5 +
 net/ipv6/udp.c                         |    3 +
 net/netfilter/xt_gradm.c               |   51 +
 66 files changed, 11184 insertions(+), 21 deletions(-)

commit d1cf217118e0750f54aca9136d8c6a41f0ae439c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 14:36:40 2013 -0400

    Initial import of pax-linux-3.11-test4.patch

 Documentation/dontdiff                             |   46 +-
 Documentation/kernel-parameters.txt                |   23 +
 Makefile                                           |  100 +-
 arch/alpha/include/asm/atomic.h                    |   10 +
 arch/alpha/include/asm/elf.h                       |    7 +
 arch/alpha/include/asm/pgalloc.h                   |    6 +
 arch/alpha/include/asm/pgtable.h                   |   11 +
 arch/alpha/kernel/module.c                         |    2 +-
 arch/alpha/kernel/osf_sys.c                        |    8 +-
 arch/alpha/mm/fault.c                              |  141 +-
 arch/arm/Kconfig                                   |    2 +-
 arch/arm/include/asm/atomic.h                      |  444 ++-
 arch/arm/include/asm/cache.h                       |    5 +-
 arch/arm/include/asm/cacheflush.h                  |    2 +-
 arch/arm/include/asm/checksum.h                    |   14 +-
 arch/arm/include/asm/cmpxchg.h                     |    2 +
 arch/arm/include/asm/domain.h                      |   33 +-
 arch/arm/include/asm/elf.h                         |   13 +-
 arch/arm/include/asm/fncpy.h                       |    2 +
 arch/arm/include/asm/futex.h                       |   10 +
 arch/arm/include/asm/kmap_types.h                  |    2 +-
 arch/arm/include/asm/mach/dma.h                    |    2 +-
 arch/arm/include/asm/mach/map.h                    |    7 +-
 arch/arm/include/asm/outercache.h                  |    2 +-
 arch/arm/include/asm/page.h                        |    2 +-
 arch/arm/include/asm/pgalloc.h                     |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h        |    5 +
 arch/arm/include/asm/pgtable-2level.h              |    3 +
 arch/arm/include/asm/pgtable-3level-hwdef.h        |    1 +
 arch/arm/include/asm/pgtable-3level.h              |    2 +
 arch/arm/include/asm/pgtable.h                     |   54 +-
 arch/arm/include/asm/proc-fns.h                    |    2 +-
 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/include/asm/smp.h                         |    2 +-
 arch/arm/include/asm/thread_info.h                 |    6 +-
 arch/arm/include/asm/uaccess.h                     |   95 +-
 arch/arm/include/uapi/asm/ptrace.h                 |    2 +-
 arch/arm/kernel/armksyms.c                         |    8 +-
 arch/arm/kernel/entry-armv.S                       |  110 +-
 arch/arm/kernel/entry-common.S                     |   40 +-
 arch/arm/kernel/entry-header.S                     |   60 +
 arch/arm/kernel/fiq.c                              |    3 +
 arch/arm/kernel/head.S                             |    6 +-
 arch/arm/kernel/module.c                           |   29 +-
 arch/arm/kernel/patch.c                            |    2 +
 arch/arm/kernel/process.c                          |   42 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/arm/kernel/setup.c                            |   22 +-
 arch/arm/kernel/signal.c                           |   35 +-
 arch/arm/kernel/smp.c                              |    2 +-
 arch/arm/kernel/traps.c                            |    8 +-
 arch/arm/kernel/vmlinux.lds.S                      |   22 +-
 arch/arm/kvm/arm.c                                 |    8 +-
 arch/arm/lib/clear_user.S                          |    6 +-
 arch/arm/lib/copy_from_user.S                      |    6 +-
 arch/arm/lib/copy_page.S                           |    1 +
 arch/arm/lib/copy_to_user.S                        |    6 +-
 arch/arm/lib/csumpartialcopyuser.S                 |    4 +-
 arch/arm/lib/delay.c                               |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c                 |    2 +-
 arch/arm/mach-kirkwood/common.c                    |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                   |    2 +-
 arch/arm/mach-omap2/gpmc.c                         |   22 +-
 arch/arm/mach-omap2/omap-wakeupgen.c               |    2 +-
 arch/arm/mach-omap2/omap_device.c                  |    4 +-
 arch/arm/mach-omap2/omap_device.h                  |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                   |    4 +-
 arch/arm/mach-omap2/wd_timer.c                     |    6 +-
 arch/arm/mach-tegra/cpuidle-tegra20.c              |    2 +-
 arch/arm/mach-ux500/setup.h                        |    7 -
 arch/arm/mm/Kconfig                                |    6 +-
 arch/arm/mm/alignment.c                            |    8 +
 arch/arm/mm/context.c                              |   10 +-
 arch/arm/mm/fault.c                                |  104 +
 arch/arm/mm/fault.h                                |   12 +
 arch/arm/mm/init.c                                 |   41 +
 arch/arm/mm/ioremap.c                              |    4 +-
 arch/arm/mm/mmap.c                                 |   30 +-
 arch/arm/mm/mmu.c                                  |  185 +-
 arch/arm/plat-omap/sram.c                          |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h       |    2 +-
 arch/avr32/include/asm/elf.h                       |    8 +-
 arch/avr32/include/asm/kmap_types.h                |    4 +-
 arch/avr32/mm/fault.c                              |   27 +
 arch/frv/include/asm/atomic.h                      |   10 +
 arch/frv/include/asm/kmap_types.h                  |    2 +-
 arch/frv/mm/elf-fdpic.c                            |    3 +-
 arch/ia64/include/asm/atomic.h                     |   10 +
 arch/ia64/include/asm/elf.h                        |    7 +
 arch/ia64/include/asm/pgalloc.h                    |   12 +
 arch/ia64/include/asm/pgtable.h                    |   13 +-
 arch/ia64/include/asm/spinlock.h                   |    2 +-
 arch/ia64/include/asm/uaccess.h                    |   26 +-
 arch/ia64/kernel/module.c                          |   48 +-
 arch/ia64/kernel/palinfo.c                         |    2 +-
 arch/ia64/kernel/sys_ia64.c                        |    7 +
 arch/ia64/kernel/vmlinux.lds.S                     |    2 +-
 arch/ia64/mm/fault.c                               |   32 +-
 arch/ia64/mm/init.c                                |   13 +
 arch/m32r/lib/usercopy.c                           |    6 +
 arch/mips/include/asm/atomic.h                     |  728 +++-
 arch/mips/include/asm/elf.h                        |   11 +-
 arch/mips/include/asm/exec.h                       |    2 +-
 arch/mips/include/asm/local.h                      |   57 +
 arch/mips/include/asm/page.h                       |    2 +-
 arch/mips/include/asm/pgalloc.h                    |    5 +
 arch/mips/include/asm/smtc_proc.h                  |    2 +-
 arch/mips/kernel/binfmt_elfn32.c                   |    7 +
 arch/mips/kernel/binfmt_elfo32.c                   |    7 +
 arch/mips/kernel/irq.c                             |    6 +-
 arch/mips/kernel/process.c                         |   12 -
 arch/mips/kernel/smtc-proc.c                       |    6 +-
 arch/mips/kernel/smtc.c                            |    2 +-
 arch/mips/kernel/sync-r4k.c                        |   24 +-
 arch/mips/kernel/traps.c                           |   13 +-
 arch/mips/mm/fault.c                               |   25 +
 arch/mips/mm/mmap.c                                |   51 +-
 arch/mips/sgi-ip27/ip27-nmi.c                      |    6 +-
 arch/parisc/include/asm/atomic.h                   |   10 +
 arch/parisc/include/asm/elf.h                      |    7 +
 arch/parisc/include/asm/pgalloc.h                  |    6 +
 arch/parisc/include/asm/pgtable.h                  |   11 +
 arch/parisc/include/asm/uaccess.h                  |    4 +-
 arch/parisc/kernel/module.c                        |   50 +-
 arch/parisc/kernel/sys_parisc.c                    |    9 +-
 arch/parisc/kernel/traps.c                         |    4 +-
 arch/parisc/mm/fault.c                             |  140 +-
 arch/powerpc/include/asm/atomic.h                  |   10 +
 arch/powerpc/include/asm/elf.h                     |   19 +-
 arch/powerpc/include/asm/exec.h                    |    2 +-
 arch/powerpc/include/asm/kmap_types.h              |    2 +-
 arch/powerpc/include/asm/mman.h                    |    2 +-
 arch/powerpc/include/asm/page.h                    |    8 +-
 arch/powerpc/include/asm/page_64.h                 |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h              |    7 +
 arch/powerpc/include/asm/pgtable.h                 |    1 +
 arch/powerpc/include/asm/pte-hash32.h              |    1 +
 arch/powerpc/include/asm/reg.h                     |    1 +
 arch/powerpc/include/asm/smp.h                     |    2 +-
 arch/powerpc/include/asm/uaccess.h                 |  140 +-
 arch/powerpc/kernel/exceptions-64e.S               |    4 +-
 arch/powerpc/kernel/exceptions-64s.S               |    2 +-
 arch/powerpc/kernel/module_32.c                    |   13 +-
 arch/powerpc/kernel/process.c                      |   55 -
 arch/powerpc/kernel/signal_32.c                    |    2 +-
 arch/powerpc/kernel/signal_64.c                    |    2 +-
 arch/powerpc/kernel/vdso.c                         |    5 +-
 arch/powerpc/lib/usercopy_64.c                     |   18 -
 arch/powerpc/mm/fault.c                            |   54 +-
 arch/powerpc/mm/mmap.c                             |   16 +
 arch/powerpc/mm/slice.c                            |   13 +-
 arch/powerpc/platforms/cell/spufs/file.c           |    4 +-
 arch/s390/include/asm/atomic.h                     |   10 +
 arch/s390/include/asm/elf.h                        |   13 +-
 arch/s390/include/asm/exec.h                       |    2 +-
 arch/s390/include/asm/uaccess.h                    |   15 +-
 arch/s390/kernel/module.c                          |   22 +-
 arch/s390/kernel/process.c                         |   36 -
 arch/s390/mm/mmap.c                                |   24 +
 arch/score/include/asm/exec.h                      |    2 +-
 arch/score/kernel/process.c                        |    5 -
 arch/sh/mm/mmap.c                                  |   22 +-
 arch/sparc/include/asm/atomic_64.h                 |  106 +-
 arch/sparc/include/asm/cache.h                     |    2 +-
 arch/sparc/include/asm/elf_32.h                    |    7 +
 arch/sparc/include/asm/elf_64.h                    |    7 +
 arch/sparc/include/asm/pgalloc_32.h                |    1 +
 arch/sparc/include/asm/pgalloc_64.h                |    1 +
 arch/sparc/include/asm/pgtable_32.h                |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                  |    5 +
 arch/sparc/include/asm/spinlock_64.h               |   35 +-
 arch/sparc/include/asm/thread_info_32.h            |    2 +
 arch/sparc/include/asm/thread_info_64.h            |    2 +
 arch/sparc/include/asm/uaccess.h                   |    1 +
 arch/sparc/include/asm/uaccess_32.h                |   27 +-
 arch/sparc/include/asm/uaccess_64.h                |   19 +-
 arch/sparc/kernel/Makefile                         |    2 +-
 arch/sparc/kernel/prom_common.c                    |    2 +-
 arch/sparc/kernel/smp_64.c                         |   12 +-
 arch/sparc/kernel/sys_sparc_32.c                   |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                   |   52 +-
 arch/sparc/kernel/traps_64.c                       |   27 +-
 arch/sparc/lib/Makefile                            |    2 +-
 arch/sparc/lib/atomic_64.S                         |  136 +-
 arch/sparc/lib/ksyms.c                             |    6 +
 arch/sparc/mm/Makefile                             |    2 +-
 arch/sparc/mm/fault_32.c                           |  292 +
 arch/sparc/mm/fault_64.c                           |  486 ++
 arch/sparc/mm/hugetlbpage.c                        |   21 +-
 arch/sparc/mm/init_64.c                            |   10 +-
 arch/tile/include/asm/atomic_64.h                  |   10 +
 arch/tile/include/asm/uaccess.h                    |    4 +-
 arch/um/Makefile                                   |    4 +
 arch/um/include/asm/kmap_types.h                   |    2 +-
 arch/um/include/asm/page.h                         |    3 +
 arch/um/include/asm/pgtable-3level.h               |    1 +
 arch/um/kernel/process.c                           |   16 -
 arch/x86/Kconfig                                   |   10 +-
 arch/x86/Kconfig.cpu                               |    6 +-
 arch/x86/Kconfig.debug                             |    4 +-
 arch/x86/Makefile                                  |   10 +
 arch/x86/boot/Makefile                             |    3 +
 arch/x86/boot/bitops.h                             |    4 +-
 arch/x86/boot/boot.h                               |    4 +-
 arch/x86/boot/compressed/Makefile                  |    3 +
 arch/x86/boot/compressed/eboot.c                   |    2 -
 arch/x86/boot/compressed/efi_stub_32.S             |   16 +-
 arch/x86/boot/compressed/head_32.S                 |    7 +-
 arch/x86/boot/compressed/head_64.S                 |    8 +-
 arch/x86/boot/compressed/misc.c                    |    4 +-
 arch/x86/boot/cpucheck.c                           |   28 +-
 arch/x86/boot/header.S                             |    6 +-
 arch/x86/boot/memory.c                             |    2 +-
 arch/x86/boot/video-vesa.c                         |    1 +
 arch/x86/boot/video.c                              |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S                |    4 +
 arch/x86/crypto/aesni-intel_asm.S                  |   22 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/camellia-aesni-avx-asm_64.S        |   10 +
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S       |   10 +
 arch/x86/crypto/camellia-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S          |    7 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S          |    9 +
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S          |    2 +
 arch/x86/crypto/ghash-clmulni-intel_asm.S          |    5 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S            |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/serpent-avx2-asm_64.S              |    9 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S       |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                   |    2 +
 arch/x86/crypto/sha256-avx-asm.S                   |    2 +
 arch/x86/crypto/sha256-avx2-asm.S                  |    2 +
 arch/x86/crypto/sha256-ssse3-asm.S                 |    2 +
 arch/x86/crypto/sha512-avx-asm.S                   |    2 +
 arch/x86/crypto/sha512-avx2-asm.S                  |    2 +
 arch/x86/crypto/sha512-ssse3-asm.S                 |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S       |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S            |    3 +
 arch/x86/ia32/ia32_signal.c                        |   16 +-
 arch/x86/ia32/ia32entry.S                          |  157 +-
 arch/x86/ia32/sys_ia32.c                           |    4 +-
 arch/x86/include/asm/alternative-asm.h             |   39 +
 arch/x86/include/asm/alternative.h                 |    4 +-
 arch/x86/include/asm/apic.h                        |    2 +-
 arch/x86/include/asm/apm.h                         |    4 +-
 arch/x86/include/asm/atomic.h                      |  307 +-
 arch/x86/include/asm/atomic64_32.h                 |  100 +
 arch/x86/include/asm/atomic64_64.h                 |  202 +-
 arch/x86/include/asm/bitops.h                      |    4 +-
 arch/x86/include/asm/boot.h                        |    7 +-
 arch/x86/include/asm/cache.h                       |    5 +-
 arch/x86/include/asm/cacheflush.h                  |    2 +-
 arch/x86/include/asm/checksum_32.h                 |   12 +-
 arch/x86/include/asm/cmpxchg.h                     |   35 +
 arch/x86/include/asm/compat.h                      |    2 +-
 arch/x86/include/asm/cpufeature.h                  |   16 +-
 arch/x86/include/asm/desc.h                        |   74 +-
 arch/x86/include/asm/desc_defs.h                   |    6 +
 arch/x86/include/asm/div64.h                       |    2 +-
 arch/x86/include/asm/elf.h                         |   31 +-
 arch/x86/include/asm/emergency-restart.h           |    2 +-
 arch/x86/include/asm/fpu-internal.h                |    8 +-
 arch/x86/include/asm/futex.h                       |   20 +-
 arch/x86/include/asm/hw_irq.h                      |    4 +-
 arch/x86/include/asm/i8259.h                       |    2 +-
 arch/x86/include/asm/io.h                          |   21 +-
 arch/x86/include/asm/irqflags.h                    |    5 +
 arch/x86/include/asm/kprobes.h                     |    9 +-
 arch/x86/include/asm/local.h                       |  142 +-
 arch/x86/include/asm/mman.h                        |   15 +
 arch/x86/include/asm/mmu.h                         |   16 +-
 arch/x86/include/asm/mmu_context.h                 |  128 +-
 arch/x86/include/asm/module.h                      |   17 +-
 arch/x86/include/asm/nmi.h                         |    6 +-
 arch/x86/include/asm/page.h                        |    1 +
 arch/x86/include/asm/page_64.h                     |    4 +-
 arch/x86/include/asm/paravirt.h                    |   46 +-
 arch/x86/include/asm/paravirt_types.h              |   17 +-
 arch/x86/include/asm/pgalloc.h                     |   23 +
 arch/x86/include/asm/pgtable-2level.h              |    2 +
 arch/x86/include/asm/pgtable-3level.h              |    4 +
 arch/x86/include/asm/pgtable.h                     |  124 +-
 arch/x86/include/asm/pgtable_32.h                  |   14 +-
 arch/x86/include/asm/pgtable_32_types.h            |   15 +-
 arch/x86/include/asm/pgtable_64.h                  |   19 +-
 arch/x86/include/asm/pgtable_64_types.h            |    5 +
 arch/x86/include/asm/pgtable_types.h               |   36 +-
 arch/x86/include/asm/processor.h                   |   82 +-
 arch/x86/include/asm/ptrace.h                      |   26 +-
 arch/x86/include/asm/realmode.h                    |    4 +-
 arch/x86/include/asm/reboot.h                      |   10 +-
 arch/x86/include/asm/rwsem.h                       |   60 +-
 arch/x86/include/asm/segment.h                     |   29 +-
 arch/x86/include/asm/smap.h                        |   64 +-
 arch/x86/include/asm/smp.h                         |   14 +-
 arch/x86/include/asm/spinlock.h                    |   36 +-
 arch/x86/include/asm/stackprotector.h              |    4 +-
 arch/x86/include/asm/stacktrace.h                  |   32 +-
 arch/x86/include/asm/switch_to.h                   |    4 +-
 arch/x86/include/asm/thread_info.h                 |   83 +-
 arch/x86/include/asm/tlbflush.h                    |   74 +-
 arch/x86/include/asm/uaccess.h                     |  112 +-
 arch/x86/include/asm/uaccess_32.h                  |  106 +-
 arch/x86/include/asm/uaccess_64.h                  |  232 +-
 arch/x86/include/asm/word-at-a-time.h              |    2 +-
 arch/x86/include/asm/x86_init.h                    |   10 +-
 arch/x86/include/asm/xsave.h                       |   14 +-
 arch/x86/include/uapi/asm/e820.h                   |    2 +-
 arch/x86/kernel/Makefile                           |    2 +-
 arch/x86/kernel/acpi/boot.c                        |    4 +-
 arch/x86/kernel/acpi/sleep.c                       |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                   |    6 +-
 arch/x86/kernel/alternative.c                      |   65 +-
 arch/x86/kernel/apic/apic.c                        |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c                |    4 +-
 arch/x86/kernel/apic/apic_noop.c                   |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                   |    2 +-
 arch/x86/kernel/apic/es7000_32.c                   |    5 +-
 arch/x86/kernel/apic/io_apic.c                     |    8 +-
 arch/x86/kernel/apic/numaq_32.c                    |    3 +-
 arch/x86/kernel/apic/probe_32.c                    |    2 +-
 arch/x86/kernel/apic/summit_32.c                   |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c              |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c                 |    2 +-
 arch/x86/kernel/apm_32.c                           |   19 +-
 arch/x86/kernel/asm-offsets.c                      |   20 +
 arch/x86/kernel/asm-offsets_64.c                   |    1 +
 arch/x86/kernel/cpu/Makefile                       |    4 -
 arch/x86/kernel/cpu/amd.c                          |    2 +-
 arch/x86/kernel/cpu/common.c                       |  130 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c              |   48 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |   31 +-
 arch/x86/kernel/cpu/mcheck/p5.c                    |    3 +
 arch/x86/kernel/cpu/mcheck/winchip.c               |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                    |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                    |    2 +-
 arch/x86/kernel/cpu/perf_event.c                   |    8 +-
 arch/x86/kernel/cpu/perf_event_intel.c             |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c      |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h      |    2 +-
 arch/x86/kernel/cpuid.c                            |    2 +-
 arch/x86/kernel/crash.c                            |    4 +-
 arch/x86/kernel/crash_dump_64.c                    |    2 +-
 arch/x86/kernel/doublefault.c                      |    8 +-
 arch/x86/kernel/dumpstack.c                        |   30 +-
 arch/x86/kernel/dumpstack_32.c                     |   34 +-
 arch/x86/kernel/dumpstack_64.c                     |   61 +-
 arch/x86/kernel/e820.c                             |    4 +-
 arch/x86/kernel/early_printk.c                     |    1 +
 arch/x86/kernel/entry_32.S                         |  356 +-
 arch/x86/kernel/entry_64.S                         |  669 ++-
 arch/x86/kernel/ftrace.c                           |   14 +-
 arch/x86/kernel/head64.c                           |   13 +-
 arch/x86/kernel/head_32.S                          |  228 +-
 arch/x86/kernel/head_64.S                          |  138 +-
 arch/x86/kernel/i386_ksyms_32.c                    |   12 +
 arch/x86/kernel/i387.c                             |    2 +-
 arch/x86/kernel/i8259.c                            |   10 +-
 arch/x86/kernel/io_delay.c                         |    2 +-
 arch/x86/kernel/ioport.c                           |    2 +-
 arch/x86/kernel/irq.c                              |    8 +-
 arch/x86/kernel/irq_32.c                           |   67 +-
 arch/x86/kernel/irq_64.c                           |    2 +-
 arch/x86/kernel/kdebugfs.c                         |    2 +-
 arch/x86/kernel/kgdb.c                             |   25 +-
 arch/x86/kernel/kprobes/core.c                     |   30 +-
 arch/x86/kernel/kprobes/opt.c                      |   16 +-
 arch/x86/kernel/ldt.c                              |   31 +-
 arch/x86/kernel/machine_kexec_32.c                 |    6 +-
 arch/x86/kernel/microcode_core.c                   |    2 +-
 arch/x86/kernel/microcode_intel.c                  |    4 +-
 arch/x86/kernel/module.c                           |   76 +-
 arch/x86/kernel/msr.c                              |    2 +-
 arch/x86/kernel/nmi.c                              |   19 +-
 arch/x86/kernel/nmi_selftest.c                     |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c               |    2 +-
 arch/x86/kernel/paravirt.c                         |   43 +-
 arch/x86/kernel/pci-calgary_64.c                   |    2 +-
 arch/x86/kernel/pci-iommu_table.c                  |    2 +-
 arch/x86/kernel/pci-swiotlb.c                      |    2 +-
 arch/x86/kernel/process.c                          |   55 +-
 arch/x86/kernel/process_32.c                       |   29 +-
 arch/x86/kernel/process_64.c                       |   20 +-
 arch/x86/kernel/ptrace.c                           |   25 +-
 arch/x86/kernel/pvclock.c                          |    8 +-
 arch/x86/kernel/reboot.c                           |   42 +-
 arch/x86/kernel/reboot_fixups_32.c                 |    2 +-
 arch/x86/kernel/relocate_kernel_64.S               |    5 +-
 arch/x86/kernel/setup.c                            |   65 +-
 arch/x86/kernel/setup_percpu.c                     |   29 +-
 arch/x86/kernel/signal.c                           |   19 +-
 arch/x86/kernel/smp.c                              |    2 +-
 arch/x86/kernel/smpboot.c                          |   28 +-
 arch/x86/kernel/step.c                             |   10 +-
 arch/x86/kernel/sys_i386_32.c                      |  184 +
 arch/x86/kernel/sys_x86_64.c                       |   22 +-
 arch/x86/kernel/tboot.c                            |   12 +-
 arch/x86/kernel/time.c                             |   10 +-
 arch/x86/kernel/tls.c                              |    7 +-
 arch/x86/kernel/tracepoint.c                       |    4 +-
 arch/x86/kernel/traps.c                            |   62 +-
 arch/x86/kernel/uprobes.c                          |    4 +-
 arch/x86/kernel/vm86_32.c                          |    6 +-
 arch/x86/kernel/vmlinux.lds.S                      |  147 +-
 arch/x86/kernel/vsyscall_64.c                      |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                   |    6 +-
 arch/x86/kernel/x86_init.c                         |    6 +-
 arch/x86/kernel/xsave.c                            |    2 +
 arch/x86/kvm/cpuid.c                               |   21 +-
 arch/x86/kvm/lapic.c                               |    2 +-
 arch/x86/kvm/paging_tmpl.h                         |    2 +-
 arch/x86/kvm/svm.c                                 |    8 +
 arch/x86/kvm/vmx.c                                 |   61 +-
 arch/x86/kvm/x86.c                                 |    8 +-
 arch/x86/lguest/boot.c                             |    3 +-
 arch/x86/lib/atomic64_386_32.S                     |  164 +
 arch/x86/lib/atomic64_cx8_32.S                     |  103 +-
 arch/x86/lib/checksum_32.S                         |  100 +-
 arch/x86/lib/clear_page_64.S                       |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                      |    2 +
 arch/x86/lib/copy_page_64.S                        |   24 +-
 arch/x86/lib/copy_user_64.S                        |   89 +-
 arch/x86/lib/copy_user_nocache_64.S                |   22 +-
 arch/x86/lib/csum-copy_64.S                        |    2 +
 arch/x86/lib/csum-wrappers_64.c                    |   13 +-
 arch/x86/lib/getuser.S                             |   74 +-
 arch/x86/lib/insn.c                                |    6 +-
 arch/x86/lib/iomap_copy_64.S                       |    2 +
 arch/x86/lib/memcpy_64.S                           |   22 +-
 arch/x86/lib/memmove_64.S                          |   36 +-
 arch/x86/lib/memset_64.S                           |   11 +-
 arch/x86/lib/mmx_32.c                              |  243 +-
 arch/x86/lib/msr-reg.S                             |   18 +-
 arch/x86/lib/putuser.S                             |   90 +-
 arch/x86/lib/rwlock.S                              |   42 +
 arch/x86/lib/rwsem.S                               |    6 +-
 arch/x86/lib/thunk_64.S                            |    2 +
 arch/x86/lib/usercopy_32.c                         |  363 +-
 arch/x86/lib/usercopy_64.c                         |   18 +-
 arch/x86/mm/Makefile                               |    4 +
 arch/x86/mm/extable.c                              |   25 +-
 arch/x86/mm/fault.c                                |  571 ++-
 arch/x86/mm/gup.c                                  |    2 +-
 arch/x86/mm/highmem_32.c                           |    4 +
 arch/x86/mm/hugetlbpage.c                          |   30 +-
 arch/x86/mm/init.c                                 |  101 +-
 arch/x86/mm/init_32.c                              |  111 +-
 arch/x86/mm/init_64.c                              |   45 +-
 arch/x86/mm/iomap_32.c                             |    4 +
 arch/x86/mm/ioremap.c                              |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                  |    4 +-
 arch/x86/mm/mmap.c                                 |   36 +-
 arch/x86/mm/mmio-mod.c                             |   10 +-
 arch/x86/mm/numa.c                                 |    2 +-
 arch/x86/mm/pageattr-test.c                        |    2 +-
 arch/x86/mm/pageattr.c                             |   33 +-
 arch/x86/mm/pat.c                                  |   12 +-
 arch/x86/mm/pat_rbtree.c                           |    2 +-
 arch/x86/mm/pf_in.c                                |   10 +-
 arch/x86/mm/pgtable.c                              |  139 +-
 arch/x86/mm/pgtable_32.c                           |    3 +
 arch/x86/mm/physaddr.c                             |    4 +-
 arch/x86/mm/setup_nx.c                             |    7 +
 arch/x86/mm/tlb.c                                  |    4 +
 arch/x86/mm/uderef_64.c                            |   37 +
 arch/x86/net/bpf_jit.S                             |   14 +
 arch/x86/net/bpf_jit_comp.c                        |   39 +-
 arch/x86/oprofile/backtrace.c                      |    8 +-
 arch/x86/oprofile/nmi_int.c                        |    8 +-
 arch/x86/oprofile/op_model_amd.c                   |    8 +-
 arch/x86/oprofile/op_model_ppro.c                  |    7 +-
 arch/x86/oprofile/op_x86_model.h                   |    2 +-
 arch/x86/pci/irq.c                                 |    8 +-
 arch/x86/pci/mrst.c                                |    4 +-
 arch/x86/pci/pcbios.c                              |  144 +-
 arch/x86/platform/efi/efi_32.c                     |   24 +
 arch/x86/platform/efi/efi_64.c                     |   10 +
 arch/x86/platform/efi/efi_stub_32.S                |   64 +-
 arch/x86/platform/efi/efi_stub_64.S                |    8 +
 arch/x86/platform/mrst/mrst.c                      |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                   |    2 +-
 arch/x86/power/cpu.c                               |   11 +-
 arch/x86/realmode/init.c                           |   10 +-
 arch/x86/realmode/rm/Makefile                      |    3 +
 arch/x86/realmode/rm/header.S                      |    4 +-
 arch/x86/realmode/rm/trampoline_32.S               |   12 +-
 arch/x86/realmode/rm/trampoline_64.S               |    3 +-
 arch/x86/tools/Makefile                            |    2 +-
 arch/x86/tools/relocs.c                            |   94 +-
 arch/x86/um/tls_32.c                               |    2 +-
 arch/x86/vdso/Makefile                             |    2 +-
 arch/x86/vdso/vdso32-setup.c                       |   23 +-
 arch/x86/vdso/vma.c                                |   29 +-
 arch/x86/xen/enlighten.c                           |   45 +-
 arch/x86/xen/mmu.c                                 |    9 +
 arch/x86/xen/smp.c                                 |   18 +-
 arch/x86/xen/xen-asm_32.S                          |   12 +-
 arch/x86/xen/xen-head.S                            |   11 +
 arch/x86/xen/xen-ops.h                             |    2 -
 block/blk-cgroup.c                                 |    4 +-
 block/blk-iopoll.c                                 |    2 +-
 block/blk-map.c                                    |    2 +-
 block/blk-softirq.c                                |    2 +-
 block/bsg.c                                        |   12 +-
 block/compat_ioctl.c                               |    2 +-
 block/genhd.c                                      |    9 +-
 block/partitions/efi.c                             |    8 +-
 block/scsi_ioctl.c                                 |   27 +-
 crypto/cryptd.c                                    |    4 +-
 crypto/pcrypt.c                                    |    2 +-
 drivers/acpi/apei/apei-internal.h                  |    2 +-
 drivers/acpi/apei/cper.c                           |    8 +-
 drivers/acpi/apei/ghes.c                           |    4 +-
 drivers/acpi/bgrt.c                                |    6 +-
 drivers/acpi/blacklist.c                           |    4 +-
 drivers/acpi/processor_idle.c                      |    2 +-
 drivers/acpi/sysfs.c                               |    4 +-
 drivers/ata/libahci.c                              |    2 +-
 drivers/ata/libata-core.c                          |   12 +-
 drivers/ata/libata-scsi.c                          |    2 +-
 drivers/ata/libata.h                               |    2 +-
 drivers/ata/pata_arasan_cf.c                       |    4 +-
 drivers/atm/adummy.c                               |    2 +-
 drivers/atm/ambassador.c                           |    8 +-
 drivers/atm/atmtcp.c                               |   14 +-
 drivers/atm/eni.c                                  |   10 +-
 drivers/atm/firestream.c                           |    8 +-
 drivers/atm/fore200e.c                             |   14 +-
 drivers/atm/he.c                                   |   18 +-
 drivers/atm/horizon.c                              |    4 +-
 drivers/atm/idt77252.c                             |   36 +-
 drivers/atm/iphase.c                               |   34 +-
 drivers/atm/lanai.c                                |   12 +-
 drivers/atm/nicstar.c                              |   46 +-
 drivers/atm/solos-pci.c                            |    4 +-
 drivers/atm/suni.c                                 |    4 +-
 drivers/atm/uPD98402.c                             |   16 +-
 drivers/atm/zatm.c                                 |    6 +-
 drivers/base/bus.c                                 |    4 +-
 drivers/base/devtmpfs.c                            |    8 +-
 drivers/base/node.c                                |    2 +-
 drivers/base/power/domain.c                        |    4 +-
 drivers/base/power/sysfs.c                         |    2 +-
 drivers/base/power/wakeup.c                        |    8 +-
 drivers/base/syscore.c                             |    4 +-
 drivers/block/cciss.c                              |   28 +-
 drivers/block/cciss.h                              |    2 +-
 drivers/block/cpqarray.c                           |   28 +-
 drivers/block/cpqarray.h                           |    2 +-
 drivers/block/drbd/drbd_int.h                      |    6 +-
 drivers/block/drbd/drbd_main.c                     |    8 +-
 drivers/block/drbd/drbd_nl.c                       |    4 +-
 drivers/block/drbd/drbd_receiver.c                 |   22 +-
 drivers/block/loop.c                               |    2 +-
 drivers/block/pktcdvd.c                            |    2 +-
 drivers/cdrom/cdrom.c                              |   11 +-
 drivers/cdrom/gdrom.c                              |    1 -
 drivers/char/agp/compat_ioctl.c                    |    2 +-
 drivers/char/agp/frontend.c                        |    4 +-
 drivers/char/hpet.c                                |    2 +-
 drivers/char/hw_random/intel-rng.c                 |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c                |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                   |    8 +-
 drivers/char/mem.c                                 |   43 +-
 drivers/char/nvram.c                               |    2 +-
 drivers/char/pcmcia/synclink_cs.c                  |   18 +-
 drivers/char/random.c                              |   10 +-
 drivers/char/sonypi.c                              |    9 +-
 drivers/char/tpm/tpm_acpi.c                        |    3 +-
 drivers/char/tpm/tpm_eventlog.c                    |    7 +-
 drivers/char/virtio_console.c                      |    4 +-
 drivers/clk/clk-composite.c                        |    2 +-
 drivers/clk/socfpga/clk.c                          |    7 +-
 drivers/cpufreq/acpi-cpufreq.c                     |   20 +-
 drivers/cpufreq/cpufreq.c                          |    9 +-
 drivers/cpufreq/cpufreq_governor.c                 |    6 +-
 drivers/cpufreq/cpufreq_governor.h                 |    2 +-
 drivers/cpufreq/cpufreq_ondemand.c                 |    8 +-
 drivers/cpufreq/cpufreq_stats.c                    |    2 +-
 drivers/cpufreq/p4-clockmod.c                      |   12 +-
 drivers/cpufreq/sparc-us3-cpufreq.c                |   69 +-
 drivers/cpufreq/speedstep-centrino.c               |    7 +-
 drivers/cpuidle/cpuidle.c                          |    2 +-
 drivers/cpuidle/governor.c                         |    4 +-
 drivers/cpuidle/sysfs.c                            |    2 +-
 drivers/crypto/hifn_795x.c                         |    4 +-
 drivers/devfreq/devfreq.c                          |    4 +-
 drivers/dma/sh/shdma.c                             |    2 +-
 drivers/edac/edac_device.c                         |    4 +-
 drivers/edac/edac_mc_sysfs.c                       |   12 +-
 drivers/edac/edac_pci.c                            |    4 +-
 drivers/edac/edac_pci_sysfs.c                      |   22 +-
 drivers/edac/mce_amd.h                             |    2 +-
 drivers/firewire/core-card.c                       |    6 +-
 drivers/firewire/core-device.c                     |    2 +-
 drivers/firewire/core-transaction.c                |    1 +
 drivers/firewire/core.h                            |    1 +
 drivers/firmware/dmi-id.c                          |    2 +-
 drivers/firmware/dmi_scan.c                        |    7 +-
 drivers/firmware/efi/efi.c                         |   12 +-
 drivers/firmware/efi/efivars.c                     |    2 +-
 drivers/firmware/google/memconsole.c               |    4 +-
 drivers/gpio/gpio-ich.c                            |    2 +-
 drivers/gpio/gpio-vr41xx.c                         |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                  |    2 +-
 drivers/gpu/drm/drm_drv.c                          |    6 +-
 drivers/gpu/drm/drm_fops.c                         |   18 +-
 drivers/gpu/drm/drm_global.c                       |   14 +-
 drivers/gpu/drm/drm_info.c                         |   14 +-
 drivers/gpu/drm/drm_ioc32.c                        |   13 +-
 drivers/gpu/drm/drm_ioctl.c                        |    2 +-
 drivers/gpu/drm/drm_lock.c                         |    4 +-
 drivers/gpu/drm/drm_stub.c                         |    2 +-
 drivers/gpu/drm/drm_sysfs.c                        |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                    |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c                |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                    |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                    |    2 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c         |    4 +-
 drivers/gpu/drm/i915/i915_ioc32.c                  |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                    |   24 +-
 drivers/gpu/drm/i915/intel_display.c               |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                      |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                    |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                      |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c             |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h              |    1 -
 drivers/gpu/drm/nouveau/nouveau_ioc32.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c              |    2 +-
 drivers/gpu/drm/qxl/qxl_ttm.c                      |   38 +-
 drivers/gpu/drm/r128/r128_cce.c                    |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                    |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                  |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                    |    4 +-
 drivers/gpu/drm/r128/r128_state.c                  |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c                |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c             |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h                |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c              |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c                |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c                |   57 +-
 drivers/gpu/drm/radeon/rs690.c                     |    4 +-
 drivers/gpu/drm/ttm/ttm_memory.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c               |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                       |    1 -
 drivers/gpu/drm/via/via_drv.h                      |    4 +-
 drivers/gpu/drm/via/via_irq.c                      |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h                |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c               |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c                |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c             |    2 +-
 drivers/gpu/host1x/drm/dc.c                        |    2 +-
 drivers/hid/hid-core.c                             |    4 +-
 drivers/hid/uhid.c                                 |    6 +-
 drivers/hv/channel.c                               |    4 +-
 drivers/hv/hv.c                                    |    2 +-
 drivers/hv/hv_balloon.c                            |   18 +-
 drivers/hv/hyperv_vmbus.h                          |    2 +-
 drivers/hv/vmbus_drv.c                             |    4 +-
 drivers/hwmon/acpi_power_meter.c                   |    4 +-
 drivers/hwmon/applesmc.c                           |    2 +-
 drivers/hwmon/asus_atk0110.c                       |   10 +-
 drivers/hwmon/coretemp.c                           |    2 +-
 drivers/hwmon/ibmaem.c                             |    2 +-
 drivers/hwmon/iio_hwmon.c                          |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +-
 drivers/hwmon/sht15.c                              |   12 +-
 drivers/hwmon/via-cputemp.c                        |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c              |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c             |    2 +-
 drivers/i2c/i2c-dev.c                              |    2 +-
 drivers/ide/ide-cd.c                               |    2 +-
 drivers/iio/industrialio-core.c                    |    2 +-
 drivers/infiniband/core/cm.c                       |   32 +-
 drivers/infiniband/core/fmr_pool.c                 |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                  |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c             |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c            |    6 +-
 drivers/infiniband/hw/mlx4/mad.c                   |    2 +-
 drivers/infiniband/hw/mlx4/mcg.c                   |    2 +-
 drivers/infiniband/hw/mlx4/mlx4_ib.h               |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c            |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c             |    2 +-
 drivers/infiniband/hw/nes/nes.c                    |    4 +-
 drivers/infiniband/hw/nes/nes.h                    |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c                 |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c                |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c                |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c              |   10 +-
 drivers/infiniband/hw/qib/qib.h                    |    1 +
 drivers/input/gameport/gameport.c                  |    4 +-
 drivers/input/input.c                              |    4 +-
 drivers/input/joystick/sidewinder.c                |    1 +
 drivers/input/joystick/xpad.c                      |    4 +-
 drivers/input/misc/ims-pcu.c                       |    4 +-
 drivers/input/mouse/psmouse.h                      |    2 +-
 drivers/input/mousedev.c                           |    2 +-
 drivers/input/serio/serio.c                        |    4 +-
 drivers/input/serio/serio_raw.c                    |    4 +-
 drivers/iommu/iommu.c                              |    2 +-
 drivers/iommu/irq_remapping.c                      |   12 +-
 drivers/irqchip/irq-gic.c                          |    4 +-
 drivers/isdn/capi/capi.c                           |   10 +-
 drivers/isdn/gigaset/interface.c                   |    8 +-
 drivers/isdn/gigaset/usb-gigaset.c                 |    2 +-
 drivers/isdn/hardware/avm/b1.c                     |    4 +-
 drivers/isdn/i4l/isdn_common.c                     |    2 +
 drivers/isdn/i4l/isdn_tty.c                        |   22 +-
 drivers/isdn/icn/icn.c                             |    2 +-
 drivers/leds/leds-clevo-mail.c                     |    2 +-
 drivers/leds/leds-ss4200.c                         |    2 +-
 drivers/lguest/core.c                              |   10 +-
 drivers/lguest/page_tables.c                       |    2 +-
 drivers/lguest/x86/core.c                          |   12 +-
 drivers/lguest/x86/switcher_32.S                   |   27 +-
 drivers/md/bcache/closure.h                        |    2 +-
 drivers/md/bcache/super.c                          |    2 +-
 drivers/md/bitmap.c                                |    2 +-
 drivers/md/dm-ioctl.c                              |    2 +-
 drivers/md/dm-raid1.c                              |   16 +-
 drivers/md/dm-stripe.c                             |   10 +-
 drivers/md/dm-table.c                              |    2 +-
 drivers/md/dm-thin-metadata.c                      |    4 +-
 drivers/md/dm.c                                    |   16 +-
 drivers/md/md.c                                    |   26 +-
 drivers/md/md.h                                    |    6 +-
 drivers/md/persistent-data/dm-space-map.h          |    1 +
 drivers/md/raid1.c                                 |    4 +-
 drivers/md/raid10.c                                |   16 +-
 drivers/md/raid5.c                                 |   10 +-
 drivers/media/dvb-core/dvbdev.c                    |    2 +-
 drivers/media/dvb-frontends/dib3000.h              |    2 +-
 drivers/media/pci/cx88/cx88-video.c                |    6 +-
 drivers/media/pci/ivtv/ivtv-driver.c               |    2 +-
 drivers/media/platform/omap/omap_vout.c            |   11 +-
 drivers/media/platform/s5p-tv/mixer.h              |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c    |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c          |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c        |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c     |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +
 drivers/media/radio/radio-maxiradio.c              |    2 +-
 drivers/media/radio/radio-shark.c                  |    2 +-
 drivers/media/radio/radio-shark2.c                 |    2 +-
 drivers/media/radio/radio-si476x.c                 |    2 +-
 drivers/media/rc/rc-main.c                         |    4 +-
 drivers/media/usb/dvb-usb/cxusb.c                  |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c                 |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |    6 +-
 drivers/media/v4l2-core/v4l2-device.c              |    4 +-
 drivers/media/v4l2-core/v4l2-ioctl.c               |   11 +-
 drivers/message/fusion/mptsas.c                    |   34 +-
 drivers/message/fusion/mptscsih.c                  |   19 +-
 drivers/message/i2o/i2o_proc.c                     |   51 +-
 drivers/message/i2o/iop.c                          |    8 +-
 drivers/mfd/janz-cmodio.c                          |    1 +
 drivers/mfd/twl4030-irq.c                          |    9 +-
 drivers/mfd/twl6030-irq.c                          |   10 +-
 drivers/misc/c2port/core.c                         |    4 +-
 drivers/misc/kgdbts.c                              |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c                 |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h                 |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                  |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                   |    8 +-
 drivers/misc/sgi-gru/grutables.h                   |  154 +-
 drivers/misc/sgi-xp/xp.h                           |    2 +-
 drivers/misc/sgi-xp/xpc.h                          |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                     |    4 +-
 drivers/mmc/core/mmc_ops.c                         |    2 +-
 drivers/mmc/host/dw_mmc.h                          |    2 +-
 drivers/mmc/host/sdhci-s3c.c                       |    8 +-
 drivers/mtd/nand/denali.c                          |    1 +
 drivers/mtd/nftlmount.c                            |    1 +
 drivers/mtd/sm_ftl.c                               |    2 +-
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/ethernet/8390/ax88796.c                |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h    |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c     |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h     |    3 +-
 drivers/net/ethernet/broadcom/tg3.h                |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h           |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c             |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c           |    2 +
 drivers/net/ethernet/faraday/ftmac100.c            |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c       |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c   |    7 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +-
 drivers/net/ethernet/realtek/r8169.c               |    8 +-
 drivers/net/ethernet/sfc/ptp.c                     |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c     |    4 +-
 drivers/net/hyperv/hyperv_net.h                    |    2 +-
 drivers/net/hyperv/rndis_filter.c                  |    4 +-
 drivers/net/ieee802154/fakehard.c                  |    2 +-
 drivers/net/macvlan.c                              |   18 +-
 drivers/net/macvtap.c                              |    2 +-
 drivers/net/ppp/ppp_generic.c                      |    4 +-
 drivers/net/slip/slhc.c                            |    2 +-
 drivers/net/team/team.c                            |    2 +-
 drivers/net/tun.c                                  |    5 +-
 drivers/net/usb/hso.c                              |   23 +-
 drivers/net/usb/sierra_net.c                       |    4 +-
 drivers/net/vxlan.c                                |    2 +-
 drivers/net/wimax/i2400m/rx.c                      |    2 +-
 drivers/net/wireless/at76c50x-usb.c                |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c        |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c        |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h                |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c           |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c         |   34 +-
 drivers/net/wireless/iwlwifi/dvm/main.c            |    3 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c          |    4 +-
 drivers/net/wireless/mac80211_hwsim.c              |   32 +-
 drivers/net/wireless/rndis_wlan.c                  |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h               |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c          |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c              |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c              |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c              |    6 +-
 drivers/oprofile/buffer_sync.c                     |    8 +-
 drivers/oprofile/event_buffer.c                    |    2 +-
 drivers/oprofile/oprof.c                           |    2 +-
 drivers/oprofile/oprofile_files.c                  |    2 +-
 drivers/oprofile/oprofile_stats.c                  |   10 +-
 drivers/oprofile/oprofile_stats.h                  |   10 +-
 drivers/oprofile/oprofilefs.c                      |    2 +-
 drivers/oprofile/timer_int.c                       |    2 +-
 drivers/parport/procfs.c                           |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                  |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c               |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c                |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c                 |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c             |    6 +-
 drivers/pci/hotplug/pciehp_core.c                  |    2 +-
 drivers/pci/pci-sysfs.c                            |    6 +-
 drivers/pci/pci.h                                  |    2 +-
 drivers/pci/pcie/aspm.c                            |    6 +-
 drivers/pci/probe.c                                |    2 +-
 drivers/platform/x86/chromeos_laptop.c             |    2 +-
 drivers/platform/x86/msi-laptop.c                  |   14 +-
 drivers/platform/x86/sony-laptop.c                 |    2 +-
 drivers/platform/x86/thinkpad_acpi.c               |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                    |   14 +-
 drivers/pnp/resource.c                             |    4 +-
 drivers/power/pda_power.c                          |    7 +-
 drivers/power/power_supply.h                       |    4 +-
 drivers/power/power_supply_core.c                  |    7 +-
 drivers/power/power_supply_sysfs.c                 |    6 +-
 drivers/regulator/core.c                           |    4 +-
 drivers/regulator/max8660.c                        |    6 +-
 drivers/regulator/max8973-regulator.c              |    8 +-
 drivers/regulator/mc13892-regulator.c              |    6 +-
 drivers/rtc/rtc-cmos.c                             |    4 +-
 drivers/rtc/rtc-ds1307.c                           |    2 +-
 drivers/rtc/rtc-m48t59.c                           |    4 +-
 drivers/scsi/bfa/bfa_fcpim.h                       |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                         |    4 +-
 drivers/scsi/fcoe/fcoe_sysfs.c                     |   12 +-
 drivers/scsi/hosts.c                               |    4 +-
 drivers/scsi/hpsa.c                                |   30 +-
 drivers/scsi/hpsa.h                                |    2 +-
 drivers/scsi/libfc/fc_exch.c                       |   50 +-
 drivers/scsi/libsas/sas_ata.c                      |    2 +-
 drivers/scsi/lpfc/lpfc.h                           |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                   |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                      |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                      |   16 +-
 drivers/scsi/pmcraid.c                             |   20 +-
 drivers/scsi/pmcraid.h                             |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                    |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                     |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                      |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                     |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                      |    6 +-
 drivers/scsi/scsi.c                                |    2 +-
 drivers/scsi/scsi_lib.c                            |    6 +-
 drivers/scsi/scsi_sysfs.c                          |    2 +-
 drivers/scsi/scsi_tgt_lib.c                        |    2 +-
 drivers/scsi/scsi_transport_fc.c                   |    8 +-
 drivers/scsi/scsi_transport_iscsi.c                |    6 +-
 drivers/scsi/scsi_transport_srp.c                  |    6 +-
 drivers/scsi/sd.c                                  |    2 +-
 drivers/scsi/sg.c                                  |    2 +-
 drivers/spi/spi.c                                  |    2 +-
 drivers/staging/android/timed_output.c             |    6 +-
 drivers/staging/media/solo6x10/solo6x10-core.c     |    2 +-
 drivers/staging/media/solo6x10/solo6x10-p2m.c      |    2 +-
 drivers/staging/media/solo6x10/solo6x10.h          |    2 +-
 drivers/staging/octeon/ethernet-rx.c               |   12 +-
 drivers/staging/octeon/ethernet.c                  |    8 +-
 drivers/staging/rtl8712/rtl871x_io.h               |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c                 |    2 +-
 drivers/staging/usbip/vhci.h                       |    2 +-
 drivers/staging/usbip/vhci_hcd.c                   |    6 +-
 drivers/staging/usbip/vhci_rx.c                    |    2 +-
 drivers/staging/vt6655/hostap.c                    |    7 +-
 drivers/staging/vt6656/hostap.c                    |    7 +-
 drivers/staging/zcache/tmem.h                      |    4 +-
 drivers/target/sbp/sbp_target.c                    |    4 +-
 drivers/target/target_core_device.c                |    2 +-
 drivers/target/target_core_transport.c             |    2 +-
 drivers/tty/cyclades.c                             |    6 +-
 drivers/tty/hvc/hvc_console.c                      |   14 +-
 drivers/tty/hvc/hvcs.c                             |   21 +-
 drivers/tty/hvc/hvsi.c                             |   12 +-
 drivers/tty/hvc/hvsi_lib.c                         |    6 +-
 drivers/tty/ipwireless/tty.c                       |   27 +-
 drivers/tty/moxa.c                                 |    2 +-
 drivers/tty/n_gsm.c                                |    4 +-
 drivers/tty/n_tty.c                                |    3 +-
 drivers/tty/pty.c                                  |    4 +-
 drivers/tty/rocket.c                               |    6 +-
 drivers/tty/serial/ioc4_serial.c                   |    6 +-
 drivers/tty/serial/kgdboc.c                        |   32 +-
 drivers/tty/serial/msm_serial.c                    |    4 +-
 drivers/tty/serial/samsung.c                       |    9 +-
 drivers/tty/serial/serial_core.c                   |    8 +-
 drivers/tty/synclink.c                             |   34 +-
 drivers/tty/synclink_gt.c                          |   28 +-
 drivers/tty/synclinkmp.c                           |   34 +-
 drivers/tty/tty_io.c                               |    2 +-
 drivers/tty/tty_ldisc.c                            |   10 +-
 drivers/tty/tty_port.c                             |   22 +-
 drivers/uio/uio.c                                  |   21 +-
 drivers/usb/atm/cxacru.c                           |    2 +-
 drivers/usb/atm/usbatm.c                           |   24 +-
 drivers/usb/core/devices.c                         |    6 +-
 drivers/usb/core/hcd.c                             |    4 +-
 drivers/usb/core/message.c                         |    2 +-
 drivers/usb/core/sysfs.c                           |    2 +-
 drivers/usb/core/usb.c                             |    2 +-
 drivers/usb/dwc3/gadget.c                          |    2 -
 drivers/usb/early/ehci-dbgp.c                      |   16 +-
 drivers/usb/gadget/u_serial.c                      |   22 +-
 drivers/usb/misc/appledisplay.c                    |    4 +-
 drivers/usb/serial/console.c                       |    6 +-
 drivers/usb/storage/usb.h                          |    2 +-
 drivers/usb/wusbcore/wa-hc.h                       |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                     |    2 +-
 drivers/vfio/vfio.c                                |    2 +-
 drivers/vhost/vringh.c                             |    2 +-
 drivers/video/aty/aty128fb.c                       |    2 +-
 drivers/video/aty/atyfb_base.c                     |    8 +-
 drivers/video/aty/mach64_cursor.c                  |    5 +-
 drivers/video/backlight/kb3886_bl.c                |    2 +-
 drivers/video/fb_defio.c                           |    6 +-
 drivers/video/fbcmap.c                             |    3 +-
 drivers/video/fbmem.c                              |    6 +-
 drivers/video/hyperv_fb.c                          |    4 +-
 drivers/video/i810/i810_accel.c                    |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c            |   16 +-
 drivers/video/nvidia/nvidia.c                      |   27 +-
 drivers/video/s1d13xxxfb.c                         |    6 +-
 drivers/video/smscufx.c                            |    4 +-
 drivers/video/udlfb.c                              |   36 +-
 drivers/video/uvesafb.c                            |   53 +-
 drivers/video/vesafb.c                             |   58 +-
 drivers/video/via/via_clock.h                      |    2 +-
 fs/9p/vfs_addr.c                                   |    2 +-
 fs/9p/vfs_inode.c                                  |    2 +-
 fs/Kconfig.binfmt                                  |    2 +-
 fs/afs/inode.c                                     |    4 +-
 fs/aio.c                                           |   12 +-
 fs/autofs4/waitq.c                                 |    2 +-
 fs/befs/endian.h                                   |    4 +-
 fs/befs/linuxvfs.c                                 |    2 +-
 fs/binfmt_aout.c                                   |   23 +-
 fs/binfmt_elf.c                                    |  648 ++-
 fs/binfmt_flat.c                                   |    6 +
 fs/bio.c                                           |    6 +-
 fs/block_dev.c                                     |    2 +-
 fs/btrfs/ctree.c                                   |    9 +-
 fs/btrfs/delayed-inode.c                           |    6 +-
 fs/btrfs/delayed-inode.h                           |    4 +-
 fs/btrfs/super.c                                   |    2 +-
 fs/buffer.c                                        |    2 +-
 fs/cachefiles/bind.c                               |    6 +-
 fs/cachefiles/daemon.c                             |    8 +-
 fs/cachefiles/internal.h                           |   12 +-
 fs/cachefiles/namei.c                              |    2 +-
 fs/cachefiles/proc.c                               |   12 +-
 fs/cachefiles/rdwr.c                               |    2 +-
 fs/ceph/dir.c                                      |    2 +-
 fs/ceph/super.c                                    |    4 +-
 fs/cifs/cifs_debug.c                               |   12 +-
 fs/cifs/cifsfs.c                                   |    8 +-
 fs/cifs/cifsglob.h                                 |   54 +-
 fs/cifs/link.c                                     |    2 +-
 fs/cifs/misc.c                                     |    4 +-
 fs/cifs/smb1ops.c                                  |   80 +-
 fs/cifs/smb2ops.c                                  |   84 +-
 fs/cifs/smb2pdu.c                                  |    3 +-
 fs/coda/cache.c                                    |   10 +-
 fs/compat.c                                        |    4 +-
 fs/compat_binfmt_elf.c                             |    2 +
 fs/compat_ioctl.c                                  |   12 +-
 fs/configfs/dir.c                                  |   10 +-
 fs/coredump.c                                      |   18 +-
 fs/dcache.c                                        |    3 +-
 fs/ecryptfs/inode.c                                |    4 +-
 fs/ecryptfs/miscdev.c                              |    2 +-
 fs/exec.c                                          |  362 +-
 fs/ext4/ext4.h                                     |   20 +-
 fs/ext4/mballoc.c                                  |   44 +-
 fs/ext4/mmp.c                                      |    2 +-
 fs/ext4/super.c                                    |    4 +-
 fs/fhandle.c                                       |    3 +-
 fs/fs_struct.c                                     |    8 +-
 fs/fscache/cookie.c                                |   38 +-
 fs/fscache/internal.h                              |  196 +-
 fs/fscache/object.c                                |   26 +-
 fs/fscache/operation.c                             |   30 +-
 fs/fscache/page.c                                  |  110 +-
 fs/fscache/stats.c                                 |  344 +-
 fs/fuse/cuse.c                                     |   10 +-
 fs/fuse/dev.c                                      |    4 +-
 fs/fuse/dir.c                                      |    2 +-
 fs/gfs2/inode.c                                    |    2 +-
 fs/hugetlbfs/inode.c                               |   13 +-
 fs/inode.c                                         |    4 +-
 fs/jffs2/erase.c                                   |    3 +-
 fs/jffs2/wbuf.c                                    |    3 +-
 fs/jfs/super.c                                     |    2 +-
 fs/libfs.c                                         |   10 +-
 fs/lockd/clntproc.c                                |    4 +-
 fs/locks.c                                         |    8 +-
 fs/namei.c                                         |   15 +-
 fs/namespace.c                                     |   16 +-
 fs/nfs/callback_xdr.c                              |    2 +-
 fs/nfs/inode.c                                     |    6 +-
 fs/nfsd/nfs4proc.c                                 |    2 +-
 fs/nfsd/nfs4xdr.c                                  |    6 +-
 fs/nfsd/nfscache.c                                 |    9 +-
 fs/nfsd/vfs.c                                      |    6 +-
 fs/nls/nls_base.c                                  |   18 +-
 fs/nls/nls_euc-jp.c                                |    6 +-
 fs/nls/nls_koi8-ru.c                               |    6 +-
 fs/notify/fanotify/fanotify_user.c                 |    4 +-
 fs/notify/notification.c                           |    4 +-
 fs/ntfs/dir.c                                      |    2 +-
 fs/ntfs/file.c                                     |    6 +-
 fs/ntfs/super.c                                    |    6 +-
 fs/ocfs2/localalloc.c                              |    2 +-
 fs/ocfs2/ocfs2.h                                   |   10 +-
 fs/ocfs2/suballoc.c                                |   12 +-
 fs/ocfs2/super.c                                   |   20 +-
 fs/pipe.c                                          |   61 +-
 fs/proc/array.c                                    |   20 +
 fs/proc/base.c                                     |    4 +-
 fs/proc/kcore.c                                    |   32 +-
 fs/proc/meminfo.c                                  |    2 +-
 fs/proc/nommu.c                                    |    2 +-
 fs/proc/proc_sysctl.c                              |   18 +-
 fs/proc/self.c                                     |    2 +-
 fs/proc/task_mmu.c                                 |   39 +-
 fs/proc/task_nommu.c                               |    4 +-
 fs/proc/vmcore.c                                   |   12 +-
 fs/qnx6/qnx6.h                                     |    4 +-
 fs/quota/netlink.c                                 |    4 +-
 fs/read_write.c                                    |    2 +-
 fs/reiserfs/do_balan.c                             |    2 +-
 fs/reiserfs/procfs.c                               |    2 +-
 fs/reiserfs/reiserfs.h                             |    4 +-
 fs/seq_file.c                                      |    2 +-
 fs/splice.c                                        |   41 +-
 fs/sysfs/bin.c                                     |    6 +-
 fs/sysfs/dir.c                                     |    2 +-
 fs/sysfs/file.c                                    |   10 +-
 fs/sysfs/symlink.c                                 |    2 +-
 fs/sysv/sysv.h                                     |    2 +-
 fs/ubifs/io.c                                      |    2 +-
 fs/udf/misc.c                                      |    2 +-
 fs/ufs/swab.h                                      |    4 +-
 fs/xattr.c                                         |   21 +
 fs/xattr_acl.c                                     |    4 +-
 fs/xfs/xfs_bmap.c                                  |    2 +-
 fs/xfs/xfs_dir2_sf.c                               |    7 +-
 fs/xfs/xfs_ioctl.c                                 |    2 +-
 fs/xfs/xfs_iops.c                                  |    2 +-
 include/asm-generic/4level-fixup.h                 |    2 +
 include/asm-generic/atomic-long.h                  |  210 +
 include/asm-generic/atomic.h                       |    2 +-
 include/asm-generic/atomic64.h                     |   12 +
 include/asm-generic/cache.h                        |    4 +-
 include/asm-generic/emergency-restart.h            |    2 +-
 include/asm-generic/kmap_types.h                   |    4 +-
 include/asm-generic/local.h                        |   13 +
 include/asm-generic/pgtable-nopmd.h                |   18 +-
 include/asm-generic/pgtable-nopud.h                |   15 +-
 include/asm-generic/pgtable.h                      |   16 +
 include/asm-generic/uaccess.h                      |   16 +
 include/asm-generic/vmlinux.lds.h                  |   10 +-
 include/crypto/algapi.h                            |    2 +-
 include/drm/drmP.h                                 |   17 +-
 include/drm/drm_crtc_helper.h                      |    2 +-
 include/drm/ttm/ttm_memory.h                       |    2 +-
 include/keys/asymmetric-subtype.h                  |    2 +-
 include/linux/atmdev.h                             |    4 +-
 include/linux/binfmts.h                            |    3 +-
 include/linux/blkdev.h                             |    2 +-
 include/linux/blktrace_api.h                       |    2 +-
 include/linux/cache.h                              |    4 +
 include/linux/cdrom.h                              |    1 -
 include/linux/cleancache.h                         |    2 +-
 include/linux/clk-provider.h                       |    1 +
 include/linux/compat.h                             |    5 +-
 include/linux/compiler-gcc4.h                      |   20 +
 include/linux/compiler.h                           |   65 +-
 include/linux/completion.h                         |    6 +-
 include/linux/configfs.h                           |    2 +-
 include/linux/cpufreq.h                            |    3 +-
 include/linux/cpuidle.h                            |    5 +-
 include/linux/cpumask.h                            |   12 +-
 include/linux/crypto.h                             |    6 +-
 include/linux/ctype.h                              |    2 +-
 include/linux/decompress/mm.h                      |    2 +-
 include/linux/devfreq.h                            |    2 +-
 include/linux/device.h                             |    7 +-
 include/linux/dma-mapping.h                        |    2 +-
 include/linux/dmaengine.h                          |    4 +-
 include/linux/efi.h                                |    1 +
 include/linux/elf.h                                |    2 +
 include/linux/err.h                                |    4 +-
 include/linux/extcon.h                             |    2 +-
 include/linux/fb.h                                 |    2 +-
 include/linux/fdtable.h                            |    2 +-
 include/linux/filter.h                             |    4 +
 include/linux/frontswap.h                          |    2 +-
 include/linux/fs.h                                 |    3 +-
 include/linux/fs_struct.h                          |    2 +-
 include/linux/fscache-cache.h                      |    4 +-
 include/linux/fscache.h                            |    2 +-
 include/linux/fsnotify.h                           |    2 +-
 include/linux/genhd.h                              |    2 +-
 include/linux/genl_magic_func.h                    |    2 +-
 include/linux/gfp.h                                |   12 +-
 include/linux/highmem.h                            |   12 +
 include/linux/hwmon-sysfs.h                        |    5 +-
 include/linux/i2c.h                                |    1 +
 include/linux/i2o.h                                |    2 +-
 include/linux/if_pppox.h                           |    2 +-
 include/linux/init.h                               |   17 +-
 include/linux/init_task.h                          |    7 +
 include/linux/interrupt.h                          |    8 +-
 include/linux/iommu.h                              |    2 +-
 include/linux/ioport.h                             |    2 +-
 include/linux/irq.h                                |    3 +-
 include/linux/irqchip/arm-gic.h                    |    4 +-
 include/linux/key-type.h                           |    2 +-
 include/linux/kgdb.h                               |    6 +-
 include/linux/kobject.h                            |    3 +-
 include/linux/kobject_ns.h                         |    2 +-
 include/linux/kref.h                               |    2 +-
 include/linux/kvm_host.h                           |    4 +-
 include/linux/libata.h                             |    2 +-
 include/linux/linkage.h                            |    1 +
 include/linux/list.h                               |   15 +
 include/linux/math64.h                             |    8 +-
 include/linux/mm.h                                 |  116 +-
 include/linux/mm_types.h                           |   20 +
 include/linux/mmiotrace.h                          |    4 +-
 include/linux/mmzone.h                             |    2 +-
 include/linux/mod_devicetable.h                    |    6 +-
 include/linux/module.h                             |   60 +-
 include/linux/moduleloader.h                       |   16 +
 include/linux/moduleparam.h                        |    4 +-
 include/linux/namei.h                              |    6 +-
 include/linux/net.h                                |    2 +-
 include/linux/netdevice.h                          |    3 +-
 include/linux/netfilter.h                          |    2 +-
 include/linux/netfilter/ipset/ip_set.h             |    2 +-
 include/linux/netfilter/nfnetlink.h                |    2 +-
 include/linux/nls.h                                |    2 +-
 include/linux/notifier.h                           |    3 +-
 include/linux/oprofile.h                           |    4 +-
 include/linux/pci_hotplug.h                        |    3 +-
 include/linux/perf_event.h                         |   10 +-
 include/linux/pipe_fs_i.h                          |    8 +-
 include/linux/platform_data/usb-ehci-s5p.h         |    2 +-
 include/linux/platform_data/usb-ohci-exynos.h      |    2 +-
 include/linux/pm_domain.h                          |    2 +-
 include/linux/pm_runtime.h                         |    2 +-
 include/linux/pnp.h                                |    2 +-
 include/linux/poison.h                             |    4 +-
 include/linux/power/smartreflex.h                  |    2 +-
 include/linux/ppp-comp.h                           |    2 +-
 include/linux/preempt.h                            |   19 +
 include/linux/proc_ns.h                            |    2 +-
 include/linux/random.h                             |   15 +
 include/linux/rculist.h                            |   16 +
 include/linux/reboot.h                             |   14 +-
 include/linux/regset.h                             |    3 +-
 include/linux/relay.h                              |    2 +-
 include/linux/rio.h                                |    2 +-
 include/linux/rmap.h                               |    4 +-
 include/linux/sched.h                              |   67 +-
 include/linux/sched/sysctl.h                       |    1 +
 include/linux/security.h                           |    2 +-
 include/linux/seq_file.h                           |    1 +
 include/linux/signal.h                             |    1 +
 include/linux/skbuff.h                             |   12 +-
 include/linux/slab.h                               |   48 +-
 include/linux/slab_def.h                           |   32 +-
 include/linux/slob_def.h                           |    4 +-
 include/linux/slub_def.h                           |    8 +-
 include/linux/smp.h                                |    2 +
 include/linux/sock_diag.h                          |    2 +-
 include/linux/sonet.h                              |    2 +-
 include/linux/sunrpc/addr.h                        |    8 +-
 include/linux/sunrpc/clnt.h                        |    2 +-
 include/linux/sunrpc/svc.h                         |    2 +-
 include/linux/sunrpc/svc_rdma.h                    |   18 +-
 include/linux/sunrpc/svcauth.h                     |    2 +-
 include/linux/swiotlb.h                            |    3 +-
 include/linux/syscalls.h                           |   18 +-
 include/linux/syscore_ops.h                        |    2 +-
 include/linux/sysctl.h                             |    6 +-
 include/linux/sysfs.h                              |    9 +-
 include/linux/sysrq.h                              |    3 +-
 include/linux/thread_info.h                        |    7 +
 include/linux/tty.h                                |    4 +-
 include/linux/tty_driver.h                         |    2 +-
 include/linux/tty_ldisc.h                          |    2 +-
 include/linux/types.h                              |   16 +
 include/linux/uaccess.h                            |    6 +-
 include/linux/unaligned/access_ok.h                |   24 +-
 include/linux/usb.h                                |    4 +-
 include/linux/usb/renesas_usbhs.h                  |    2 +-
 include/linux/vermagic.h                           |   21 +-
 include/linux/vmalloc.h                            |   11 +-
 include/linux/vmstat.h                             |   20 +-
 include/linux/xattr.h                              |    5 +-
 include/linux/zlib.h                               |    3 +-
 include/media/v4l2-dev.h                           |    2 +-
 include/media/v4l2-device.h                        |    2 +-
 include/net/9p/transport.h                         |    2 +-
 include/net/bluetooth/l2cap.h                      |    2 +-
 include/net/caif/cfctrl.h                          |    6 +-
 include/net/flow.h                                 |    2 +-
 include/net/genetlink.h                            |    2 +-
 include/net/gro_cells.h                            |    2 +-
 include/net/inet_connection_sock.h                 |    2 +-
 include/net/inetpeer.h                             |   17 +-
 include/net/ip.h                                   |    2 +-
 include/net/ip_fib.h                               |    2 +-
 include/net/ip_vs.h                                |    8 +-
 include/net/irda/ircomm_tty.h                      |    1 +
 include/net/iucv/af_iucv.h                         |    2 +-
 include/net/llc_c_ac.h                             |    2 +-
 include/net/llc_c_ev.h                             |    4 +-
 include/net/llc_c_st.h                             |    2 +-
 include/net/llc_s_ac.h                             |    2 +-
 include/net/llc_s_st.h                             |    2 +-
 include/net/mac80211.h                             |    2 +-
 include/net/neighbour.h                            |    2 +-
 include/net/net_namespace.h                        |   18 +-
 include/net/netdma.h                               |    2 +-
 include/net/netlink.h                              |    2 +-
 include/net/netns/conntrack.h                      |    6 +-
 include/net/netns/ipv4.h                           |    2 +-
 include/net/netns/ipv6.h                           |    2 +-
 include/net/ping.h                                 |    2 +-
 include/net/protocol.h                             |    4 +-
 include/net/rtnetlink.h                            |    2 +-
 include/net/sctp/sm.h                              |    4 +-
 include/net/sctp/structs.h                         |    2 +-
 include/net/sock.h                                 |    6 +-
 include/net/tcp.h                                  |    8 +-
 include/net/xfrm.h                                 |    8 +-
 include/rdma/iw_cm.h                               |    2 +-
 include/scsi/libfc.h                               |    3 +-
 include/scsi/scsi_device.h                         |    6 +-
 include/scsi/scsi_transport_fc.h                   |    3 +-
 include/sound/compress_driver.h                    |    2 +-
 include/sound/soc.h                                |    4 +-
 include/target/target_core_base.h                  |    2 +-
 include/trace/events/irq.h                         |    4 +-
 include/uapi/linux/a.out.h                         |    8 +
 include/uapi/linux/byteorder/little_endian.h       |   28 +-
 include/uapi/linux/elf.h                           |   28 +
 include/uapi/linux/screen_info.h                   |    3 +-
 include/uapi/linux/swab.h                          |    6 +-
 include/uapi/linux/sysctl.h                        |    6 +-
 include/uapi/linux/xattr.h                         |    4 +
 include/video/udlfb.h                              |    8 +-
 include/video/uvesafb.h                            |    1 +
 init/Kconfig                                       |    2 +-
 init/Makefile                                      |    3 +
 init/do_mounts.c                                   |   14 +-
 init/do_mounts.h                                   |    8 +-
 init/do_mounts_initrd.c                            |   30 +-
 init/do_mounts_md.c                                |    6 +-
 init/init_task.c                                   |    4 +
 init/initramfs.c                                   |   42 +-
 init/main.c                                        |   84 +-
 ipc/ipc_sysctl.c                                   |   10 +-
 ipc/mq_sysctl.c                                    |    2 +-
 ipc/msg.c                                          |   11 +-
 ipc/sem.c                                          |   11 +-
 ipc/shm.c                                          |   17 +-
 kernel/acct.c                                      |    2 +-
 kernel/audit.c                                     |    8 +-
 kernel/auditsc.c                                   |    4 +-
 kernel/capability.c                                |    3 +
 kernel/compat.c                                    |   38 +-
 kernel/debug/debug_core.c                          |   16 +-
 kernel/debug/kdb/kdb_main.c                        |    4 +-
 kernel/events/core.c                               |   30 +-
 kernel/events/internal.h                           |   12 +-
 kernel/events/uprobes.c                            |    2 +-
 kernel/exit.c                                      |    4 +-
 kernel/fork.c                                      |  170 +-
 kernel/futex.c                                     |   11 +-
 kernel/futex_compat.c                              |    2 +-
 kernel/gcov/base.c                                 |    7 +-
 kernel/hrtimer.c                                   |    2 +-
 kernel/irq_work.c                                  |    7 +-
 kernel/jump_label.c                                |    5 +
 kernel/kallsyms.c                                  |   39 +-
 kernel/kexec.c                                     |    3 +-
 kernel/kmod.c                                      |    4 +-
 kernel/kprobes.c                                   |    8 +-
 kernel/ksysfs.c                                    |    2 +-
 kernel/lockdep.c                                   |    7 +-
 kernel/module.c                                    |  337 +-
 kernel/mutex-debug.c                               |   12 +-
 kernel/mutex-debug.h                               |    4 +-
 kernel/mutex.c                                     |   10 +-
 kernel/notifier.c                                  |   17 +-
 kernel/panic.c                                     |    3 +-
 kernel/pid.c                                       |    2 +-
 kernel/pid_namespace.c                             |    2 +-
 kernel/posix-cpu-timers.c                          |    4 +-
 kernel/posix-timers.c                              |   24 +-
 kernel/power/process.c                             |   12 +-
 kernel/profile.c                                   |   14 +-
 kernel/ptrace.c                                    |    8 +-
 kernel/rcupdate.c                                  |    4 +-
 kernel/rcutiny.c                                   |    4 +-
 kernel/rcutorture.c                                |   56 +-
 kernel/rcutree.c                                   |   74 +-
 kernel/rcutree.h                                   |   24 +-
 kernel/rcutree_plugin.h                            |   20 +-
 kernel/rcutree_trace.c                             |   22 +-
 kernel/rtmutex-tester.c                            |   24 +-
 kernel/sched/auto_group.c                          |    4 +-
 kernel/sched/core.c                                |   49 +-
 kernel/sched/fair.c                                |    4 +-
 kernel/sched/sched.h                               |    2 +-
 kernel/signal.c                                    |   32 +-
 kernel/smpboot.c                                   |    4 +-
 kernel/softirq.c                                   |   14 +-
 kernel/srcu.c                                      |    4 +-
 kernel/sys.c                                       |   10 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/time.c                                      |    2 +-
 kernel/time/alarmtimer.c                           |    2 +-
 kernel/time/timer_stats.c                          |   10 +-
 kernel/timer.c                                     |    4 +-
 kernel/trace/blktrace.c                            |    6 +-
 kernel/trace/ftrace.c                              |   18 +-
 kernel/trace/ring_buffer.c                         |   76 +-
 kernel/trace/trace.c                               |    2 +-
 kernel/trace/trace.h                               |    2 +-
 kernel/trace/trace_clock.c                         |    4 +-
 kernel/trace/trace_events.c                        |   25 +-
 kernel/trace/trace_mmiotrace.c                     |    8 +-
 kernel/trace/trace_output.c                        |   12 +-
 kernel/trace/trace_stack.c                         |    2 +-
 kernel/user_namespace.c                            |    2 +-
 kernel/utsname_sysctl.c                            |    2 +-
 kernel/watchdog.c                                  |    2 +-
 kernel/workqueue.c                                 |    2 +-
 lib/Kconfig.debug                                  |    8 +-
 lib/Makefile                                       |    2 +-
 lib/bitmap.c                                       |    8 +-
 lib/bug.c                                          |    2 +
 lib/debugobjects.c                                 |    2 +-
 lib/devres.c                                       |    4 +-
 lib/div64.c                                        |    4 +-
 lib/dma-debug.c                                    |    4 +-
 lib/inflate.c                                      |    2 +-
 lib/ioremap.c                                      |    4 +-
 lib/kobject.c                                      |    4 +-
 lib/list_debug.c                                   |  126 +-
 lib/radix-tree.c                                   |    2 +-
 lib/strncpy_from_user.c                            |    2 +-
 lib/strnlen_user.c                                 |    2 +-
 lib/swiotlb.c                                      |    2 +-
 lib/usercopy.c                                     |    6 +
 lib/vsprintf.c                                     |   12 +-
 mm/Kconfig                                         |    6 +-
 mm/backing-dev.c                                   |    4 +-
 mm/filemap.c                                       |   10 +-
 mm/fremap.c                                        |    5 +
 mm/highmem.c                                       |    7 +-
 mm/hugetlb.c                                       |   70 +-
 mm/internal.h                                      |    3 +-
 mm/maccess.c                                       |    4 +-
 mm/madvise.c                                       |   41 +
 mm/memory-failure.c                                |   26 +-
 mm/memory.c                                        |  424 ++-
 mm/mempolicy.c                                     |   25 +
 mm/mlock.c                                         |   15 +-
 mm/mmap.c                                          |  588 ++-
 mm/mprotect.c                                      |  139 +-
 mm/mremap.c                                        |   44 +-
 mm/nommu.c                                         |   21 +-
 mm/page-writeback.c                                |    2 +-
 mm/page_alloc.c                                    |   41 +-
 mm/page_io.c                                       |    2 +-
 mm/percpu.c                                        |    2 +-
 mm/process_vm_access.c                             |   14 +-
 mm/rmap.c                                          |   44 +-
 mm/shmem.c                                         |   19 +-
 mm/slab.c                                          |  108 +-
 mm/slab.h                                          |   15 +-
 mm/slab_common.c                                   |   60 +-
 mm/slob.c                                          |  206 +-
 mm/slub.c                                          |   88 +-
 mm/sparse-vmemmap.c                                |    4 +-
 mm/sparse.c                                        |    2 +-
 mm/swap.c                                          |    3 +
 mm/swapfile.c                                      |   12 +-
 mm/util.c                                          |    6 +
 mm/vmalloc.c                                       |   77 +-
 mm/vmstat.c                                        |   10 +-
 net/8021q/vlan.c                                   |    5 +-
 net/9p/mod.c                                       |    4 +-
 net/9p/trans_fd.c                                  |    2 +-
 net/atm/atm_misc.c                                 |    8 +-
 net/atm/lec.h                                      |    2 +-
 net/atm/proc.c                                     |    6 +-
 net/atm/resources.c                                |    4 +-
 net/ax25/sysctl_net_ax25.c                         |    2 +-
 net/batman-adv/bat_iv_ogm.c                        |    8 +-
 net/batman-adv/hard-interface.c                    |    2 +-
 net/batman-adv/soft-interface.c                    |    4 +-
 net/batman-adv/types.h                             |    6 +-
 net/batman-adv/unicast.c                           |    2 +-
 net/bluetooth/hci_sock.c                           |    2 +-
 net/bluetooth/l2cap_core.c                         |    6 +-
 net/bluetooth/l2cap_sock.c                         |   12 +-
 net/bluetooth/rfcomm/sock.c                        |    4 +-
 net/bluetooth/rfcomm/tty.c                         |   10 +-
 net/bridge/netfilter/ebtables.c                    |    6 +-
 net/caif/cfctrl.c                                  |   11 +-
 net/can/af_can.c                                   |    2 +-
 net/can/gw.c                                       |    6 +-
 net/ceph/messenger.c                               |    4 +-
 net/compat.c                                       |   34 +-
 net/core/datagram.c                                |    2 +-
 net/core/dev.c                                     |   16 +-
 net/core/flow.c                                    |    8 +-
 net/core/iovec.c                                   |    4 +-
 net/core/neighbour.c                               |    2 +-
 net/core/net-sysfs.c                               |    2 +-
 net/core/net_namespace.c                           |    8 +-
 net/core/netpoll.c                                 |    4 +-
 net/core/rtnetlink.c                               |   13 +-
 net/core/scm.c                                     |    8 +-
 net/core/skbuff.c                                  |    6 +-
 net/core/sock.c                                    |   24 +-
 net/core/sock_diag.c                               |    9 +-
 net/core/sysctl_net_core.c                         |   18 +-
 net/decnet/af_decnet.c                             |    1 +
 net/decnet/sysctl_net_decnet.c                     |    4 +-
 net/ieee802154/6lowpan.c                           |    2 +-
 net/ipv4/af_inet.c                                 |    8 +-
 net/ipv4/devinet.c                                 |   18 +-
 net/ipv4/fib_frontend.c                            |    6 +-
 net/ipv4/fib_semantics.c                           |    2 +-
 net/ipv4/inet_connection_sock.c                    |    2 +-
 net/ipv4/inetpeer.c                                |    4 +-
 net/ipv4/ip_fragment.c                             |   15 +-
 net/ipv4/ip_gre.c                                  |    6 +-
 net/ipv4/ip_sockglue.c                             |    2 +-
 net/ipv4/ip_vti.c                                  |    4 +-
 net/ipv4/ipconfig.c                                |    6 +-
 net/ipv4/ipip.c                                    |    4 +-
 net/ipv4/netfilter/arp_tables.c                    |   12 +-
 net/ipv4/netfilter/ip_tables.c                     |   12 +-
 net/ipv4/ping.c                                    |   14 +-
 net/ipv4/raw.c                                     |   14 +-
 net/ipv4/route.c                                   |   20 +-
 net/ipv4/sysctl_net_ipv4.c                         |   45 +-
 net/ipv4/tcp_input.c                               |    2 +-
 net/ipv4/tcp_probe.c                               |    2 +-
 net/ipv4/udp.c                                     |   10 +-
 net/ipv4/xfrm4_policy.c                            |   14 +-
 net/ipv6/addrconf.c                                |   12 +-
 net/ipv6/datagram.c                                |    2 +-
 net/ipv6/icmp.c                                    |    2 +-
 net/ipv6/ip6_gre.c                                 |    8 +-
 net/ipv6/ip6_tunnel.c                              |    4 +-
 net/ipv6/ipv6_sockglue.c                           |    2 +-
 net/ipv6/netfilter/ip6_tables.c                    |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   14 +-
 net/ipv6/output_core.c                             |   15 +-
 net/ipv6/ping.c                                    |   28 +-
 net/ipv6/raw.c                                     |   19 +-
 net/ipv6/reassembly.c                              |   13 +-
 net/ipv6/route.c                                   |    2 +-
 net/ipv6/sit.c                                     |    4 +-
 net/ipv6/sysctl_net_ipv6.c                         |    2 +-
 net/ipv6/udp.c                                     |    6 +-
 net/ipv6/xfrm6_policy.c                            |   13 +-
 net/irda/ircomm/ircomm_tty.c                       |   18 +-
 net/iucv/af_iucv.c                                 |    4 +-
 net/iucv/iucv.c                                    |    2 +-
 net/key/af_key.c                                   |    4 +-
 net/mac80211/cfg.c                                 |    8 +-
 net/mac80211/ieee80211_i.h                         |    3 +-
 net/mac80211/iface.c                               |   16 +-
 net/mac80211/main.c                                |    2 +-
 net/mac80211/pm.c                                  |    6 +-
 net/mac80211/rate.c                                |    2 +-
 net/mac80211/rc80211_pid_debugfs.c                 |    2 +-
 net/mac80211/util.c                                |    4 +-
 net/netfilter/ipset/ip_set_core.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                    |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                    |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                   |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                    |    4 +-
 net/netfilter/nf_conntrack_acct.c                  |    2 +-
 net/netfilter/nf_conntrack_ecache.c                |    2 +-
 net/netfilter/nf_conntrack_helper.c                |    2 +-
 net/netfilter/nf_conntrack_proto.c                 |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c            |   10 +-
 net/netfilter/nf_conntrack_standalone.c            |    2 +-
 net/netfilter/nf_conntrack_timestamp.c             |    2 +-
 net/netfilter/nf_log.c                             |   10 +-
 net/netfilter/nf_sockopt.c                         |    4 +-
 net/netfilter/nfnetlink_log.c                      |    4 +-
 net/netfilter/xt_statistic.c                       |    8 +-
 net/netlink/af_netlink.c                           |    4 +-
 net/netlink/genetlink.c                            |   16 +-
 net/packet/af_packet.c                             |   12 +-
 net/phonet/pep.c                                   |    6 +-
 net/phonet/socket.c                                |    2 +-
 net/phonet/sysctl.c                                |    2 +-
 net/rds/cong.c                                     |    6 +-
 net/rds/ib.h                                       |    2 +-
 net/rds/ib_cm.c                                    |    2 +-
 net/rds/ib_recv.c                                  |    4 +-
 net/rds/iw.h                                       |    2 +-
 net/rds/iw_cm.c                                    |    2 +-
 net/rds/iw_recv.c                                  |    4 +-
 net/rds/rds.h                                      |    2 +-
 net/rds/tcp.c                                      |    2 +-
 net/rds/tcp_send.c                                 |    2 +-
 net/rxrpc/af_rxrpc.c                               |    2 +-
 net/rxrpc/ar-ack.c                                 |   14 +-
 net/rxrpc/ar-call.c                                |    2 +-
 net/rxrpc/ar-connection.c                          |    2 +-
 net/rxrpc/ar-connevent.c                           |    2 +-
 net/rxrpc/ar-input.c                               |    4 +-
 net/rxrpc/ar-internal.h                            |    8 +-
 net/rxrpc/ar-local.c                               |    2 +-
 net/rxrpc/ar-output.c                              |    4 +-
 net/rxrpc/ar-peer.c                                |    2 +-
 net/rxrpc/ar-proc.c                                |    4 +-
 net/rxrpc/ar-transport.c                           |    2 +-
 net/rxrpc/rxkad.c                                  |    4 +-
 net/sctp/ipv6.c                                    |    6 +-
 net/sctp/protocol.c                                |   10 +-
 net/sctp/sm_sideeffect.c                           |    2 +-
 net/sctp/socket.c                                  |   21 +-
 net/sctp/sysctl.c                                  |    4 +-
 net/socket.c                                       |   18 +-
 net/sunrpc/auth_gss/svcauth_gss.c                  |    4 +-
 net/sunrpc/clnt.c                                  |    4 +-
 net/sunrpc/sched.c                                 |    4 +-
 net/sunrpc/svc.c                                   |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                     |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c            |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c              |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c           |   10 +-
 net/tipc/link.c                                    |    4 +-
 net/tipc/msg.c                                     |    2 +-
 net/tipc/subscr.c                                  |    2 +-
 net/unix/sysctl_net_unix.c                         |    2 +-
 net/wireless/wext-core.c                           |   19 +-
 net/xfrm/xfrm_policy.c                             |   27 +-
 net/xfrm/xfrm_state.c                              |   33 +-
 net/xfrm/xfrm_sysctl.c                             |    2 +-
 scripts/Makefile.build                             |    2 +-
 scripts/Makefile.clean                             |    3 +-
 scripts/Makefile.host                              |   28 +-
 scripts/basic/fixdep.c                             |   12 +-
 scripts/gcc-plugin.sh                              |   17 +
 scripts/headers_install.sh                         |    1 +
 scripts/link-vmlinux.sh                            |    2 +-
 scripts/mod/file2alias.c                           |   14 +-
 scripts/mod/modpost.c                              |   25 +-
 scripts/mod/modpost.h                              |    6 +-
 scripts/mod/sumversion.c                           |    2 +-
 scripts/package/builddeb                           |    1 +
 scripts/pnmtologo.c                                |    6 +-
 scripts/sortextable.h                              |    6 +-
 security/Kconfig                                   |  690 +++-
 security/apparmor/lsm.c                            |    2 +-
 security/integrity/ima/ima.h                       |    4 +-
 security/integrity/ima/ima_api.c                   |    2 +-
 security/integrity/ima/ima_fs.c                    |    4 +-
 security/integrity/ima/ima_queue.c                 |    2 +-
 security/keys/compat.c                             |    2 +-
 security/keys/internal.h                           |    2 +-
 security/keys/key.c                                |   18 +-
 security/keys/keyctl.c                             |    8 +-
 security/keys/keyring.c                            |    6 +-
 security/security.c                                |   12 +-
 security/selinux/avc.c                             |    6 +-
 security/selinux/hooks.c                           |    6 +-
 security/selinux/include/xfrm.h                    |    2 +-
 security/smack/smack_lsm.c                         |    2 +-
 security/tomoyo/tomoyo.c                           |    2 +-
 security/yama/yama_lsm.c                           |   22 +-
 sound/aoa/codecs/onyx.c                            |    7 +-
 sound/aoa/codecs/onyx.h                            |    1 +
 sound/core/oss/pcm_oss.c                           |   18 +-
 sound/core/pcm_compat.c                            |    2 +-
 sound/core/pcm_native.c                            |    4 +-
 sound/core/seq/seq_device.c                        |    8 +-
 sound/core/sound.c                                 |    2 +-
 sound/drivers/mts64.c                              |   14 +-
 sound/drivers/opl4/opl4_lib.c                      |    2 +-
 sound/drivers/portman2x4.c                         |    3 +-
 sound/firewire/amdtp.c                             |    4 +-
 sound/firewire/amdtp.h                             |    2 +-
 sound/firewire/isight.c                            |   10 +-
 sound/firewire/scs1x.c                             |    8 +-
 sound/oss/sb_audio.c                               |    2 +-
 sound/oss/swarm_cs4297a.c                          |    6 +-
 sound/pci/hda/hda_codec.c                          |    8 +-
 sound/pci/ymfpci/ymfpci.h                          |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                     |   12 +-
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 tools/gcc/.gitignore                               |    1 +
 tools/gcc/Makefile                                 |   45 +
 tools/gcc/checker_plugin.c                         |  172 +
 tools/gcc/colorize_plugin.c                        |  151 +
 tools/gcc/constify_plugin.c                        |  560 ++
 tools/gcc/generate_size_overflow_hash.sh           |   94 +
 tools/gcc/kallocstat_plugin.c                      |  170 +
 tools/gcc/kernexec_plugin.c                        |  471 ++
 tools/gcc/latent_entropy_plugin.c                  |  321 +
 tools/gcc/size_overflow_hash.data                  | 6350 ++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                   | 2113 +++++++
 tools/gcc/stackleak_plugin.c                       |  327 +
 tools/gcc/structleak_plugin.c                      |  277 +
 tools/lib/lk/Makefile                              |    2 +-
 tools/perf/util/include/asm/alternative-asm.h      |    3 +
 tools/perf/util/include/linux/compiler.h           |    8 +
 virt/kvm/kvm_main.c                                |   32 +-
 1664 files changed, 32957 insertions(+), 7636 deletions(-)
commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
Merge: c3ccfb2 777e08c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:49:04 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:47:32 2013 -0400

    Update to pax-linux-3.10.11-test26.patch:
    - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
    - fixed an uninitialized read in splice, reported by hunger

 fs/splice.c                       |    1 +
 include/linux/syscalls.h          |   14 +-
 tools/gcc/size_overflow_hash.data |  426 +++++++++++++++++++++----------------
 3 files changed, 247 insertions(+), 194 deletions(-)

commit 5c3161364270c842d901789faac731f79a9f9cd6
Merge: cf9c476 85cdabb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:24:25 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit c3ccfb29794a03413095422100ce90d40ef7df0f
Author: Jakob Bornecrantz <jakob@vmware.com>
Date:   Thu Aug 29 02:32:53 2013 +0200

    Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
    
    drm/vmwgfx: Split GMR2_REMAP commands if they are to large
    
    This fixes the piglit test texturing/max-texture-size
    causing the VM to die due to a too large SVGA command.
    
    Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
    Reviewed-by: Biran Paul <brianp@vmware.com>
    Reviewed-by: Zack Rusin <zackr@vmware.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@gmail.com>

 drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c |   58 +++++++++++++++++++++++-----------
 1 files changed, 39 insertions(+), 19 deletions(-)

commit d260badf708d6aa16c44f56f54727532dcae826e
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Sep 3 19:29:12 2013 +0200

    Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
    
    net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    
    In tcp_v6_do_rcv() code, when processing pkt options, we soley work
    on our skb clone opt_skb that we've created earlier before entering
    tcp_rcv_established() on our way. However, only in condition ...
    
      if (np->rxopt.bits.rxtclass)
        np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
    
    ... we work on skb itself. As we extract every other information out
    of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
    already be released by tcp_rcv_established() earlier on. When we try
    to access it in ipv6_hdr(), we will dereference freed skb.
    
    [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
      IP_PKTOPTIONS") ]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/tcp_ipv6.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 29 11:47:00 2013 +0300

    Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
    
    mISDN: return -EINVAL on error in dsp_control_req()
    
    If skb->len is too short then we should return an error.  Otherwise we
    read beyond the end of skb->data for several bytes.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/mISDN/dsp_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:36:23 2013 -0400

    fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit da68dbcd96c617923a0aedb177d36b2701f9c858
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:17:02 2013 -0400

    Allow the deny_new_usb sysctl to be toggled off by a user with
    CAP_SYS_ADMIN.  This allows for more inventive uses of the feature
    that would be impossible otherwise (like toggling it while the screen is
    locked, etc)

 grsecurity/grsec_sysctl.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit ce0e893adc830ee110f97071cc17e661fb35ae3d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 18:41:49 2013 -0400

    Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
    GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
    users who know they want the functionality but don't want to bother
    with modifying init scripts
    
    Also eliminate reset_security_ops() as a ROP target when
    SECURITY_SELINUX_DISABLE is disabled as it's the only user

 grsecurity/Kconfig        |   17 ++++++++++++++++-
 grsecurity/grsec_init.c   |    3 +++
 grsecurity/grsec_sysctl.c |    2 +-
 security/security.c       |    4 ++++
 4 files changed, 24 insertions(+), 2 deletions(-)

commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
Merge: 7ee3899 cf9c476
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 1 13:56:57 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 1 13:56:16 2013 -0400

    Update to pax-linux-3.10.10-test25.patch:
    - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
    - got inet_getid and ipv6_select_ident rid of the cmpxchg loop

 block/blk-cgroup.c                |    4 ++--
 drivers/video/hyperv_fb.c         |    4 ++--
 fs/namespace.c                    |    4 ++--
 include/net/inetpeer.h            |   13 +++++--------
 kernel/trace/trace_clock.c        |    4 ++--
 net/ipv6/output_core.c            |   15 ++++++---------
 net/sunrpc/auth_gss/svcauth_gss.c |    4 ++--
 7 files changed, 21 insertions(+), 27 deletions(-)

commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
Merge: fd0338c 2bdeae7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 22:07:38 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 22:06:55 2013 -0400

    Update to pax-linux-3.10.10-test24.patch:
    - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
    - fixed a bunch more after a quick audit of atomic_inc_return users

 drivers/acpi/apei/ghes.c                      |    4 ++--
 drivers/ata/libata-core.c                     |    4 ++--
 drivers/ata/libata-scsi.c                     |    2 +-
 drivers/ata/libata.h                          |    2 +-
 drivers/block/drbd/drbd_nl.c                  |    4 ++--
 drivers/crypto/hifn_795x.c                    |    4 ++--
 drivers/edac/edac_device.c                    |    4 ++--
 drivers/edac/edac_pci.c                       |    4 ++--
 drivers/firewire/core-card.c                  |    4 ++--
 drivers/hv/hv_balloon.c                       |   18 +++++++++---------
 drivers/infiniband/hw/mlx4/mad.c              |    2 +-
 drivers/infiniband/hw/mlx4/mlx4_ib.h          |    2 +-
 drivers/input/misc/ims-pcu.c                  |    4 ++--
 drivers/input/serio/serio_raw.c               |    4 ++--
 drivers/media/pci/ivtv/ivtv-driver.c          |    2 +-
 drivers/media/radio/radio-maxiradio.c         |    2 +-
 drivers/media/radio/radio-shark.c             |    2 +-
 drivers/media/radio/radio-shark2.c            |    2 +-
 drivers/media/radio/radio-si476x.c            |    2 +-
 drivers/media/rc/rc-main.c                    |    4 ++--
 drivers/media/v4l2-core/v4l2-device.c         |    4 ++--
 drivers/net/usb/sierra_net.c                  |    4 ++--
 drivers/pci/hotplug/pciehp_hpc.c              |    4 +---
 drivers/regulator/core.c                      |    4 ++--
 drivers/scsi/fcoe/fcoe_sysfs.c                |   12 ++++++------
 drivers/staging/android/timed_output.c        |    6 +++---
 drivers/staging/media/solo6x10/solo6x10-p2m.c |    2 +-
 drivers/staging/media/solo6x10/solo6x10.h     |    2 +-
 drivers/target/sbp/sbp_target.c               |    4 ++--
 drivers/tty/hvc/hvsi.c                        |   12 ++++++------
 drivers/tty/hvc/hvsi_lib.c                    |    6 +++---
 drivers/tty/serial/ioc4_serial.c              |    6 +++---
 drivers/tty/serial/msm_serial.c               |    4 ++--
 drivers/usb/misc/appledisplay.c               |    4 ++--
 fs/afs/inode.c                                |    4 ++--
 fs/btrfs/delayed-inode.c                      |    6 +++---
 fs/btrfs/delayed-inode.h                      |    4 ++--
 fs/fscache/cookie.c                           |    4 ++--
 include/media/v4l2-device.h                   |    2 +-
 net/ceph/messenger.c                          |    4 ++--
 net/core/netpoll.c                            |    4 ++--
 net/xfrm/xfrm_state.c                         |    4 ++--
 security/selinux/avc.c                        |    6 +++---
 43 files changed, 93 insertions(+), 95 deletions(-)

commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
Merge: 1bdf7ec 85099d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 21:07:29 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 21:06:55 2013 -0400

    Update to pax-linux-3.10.10-test23.patch:
    - added the necessary atomic_unchecked_t conversion for mips
    - audited and fixed arm and sparc for proper atomic_unchecked_t usage

 arch/arm/kvm/arm.c            |    8 ++++----
 arch/arm/mm/context.c         |   10 +++++-----
 arch/mips/kernel/irq.c        |    6 +++---
 arch/mips/kernel/sync-r4k.c   |   24 ++++++++++++------------
 arch/mips/sgi-ip27/ip27-nmi.c |    6 +++---
 arch/sparc/kernel/smp_64.c    |   12 ++++++------
 arch/sparc/kernel/traps_64.c  |   14 +++++++-------
 arch/sparc/mm/init_64.c       |   10 +++++-----
 8 files changed, 45 insertions(+), 45 deletions(-)

commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
Merge: 995a168 38ee86c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 19:23:36 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 19:23:11 2013 -0400

    Update to pax-linux-3.10.10-test22.patch:
    - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
    - fixed a few more format strings

 arch/mips/include/asm/atomic.h          |   20 ++++++++++++++++----
 drivers/md/bcache/super.c               |    2 +-
 drivers/net/wireless/iwlwifi/dvm/main.c |    3 +--
 drivers/pci/hotplug/pciehp_hpc.c        |    2 +-
 drivers/platform/x86/wmi.c              |    2 +-
 drivers/scsi/sd.c                       |    2 +-
 drivers/vfio/vfio.c                     |    4 ++--
 fs/ntfs/super.c                         |    6 +++---
 include/linux/workqueue.h               |    6 +++---
 net/mac80211/main.c                     |    2 +-
 sound/pci/hda/hda_codec.c               |    8 ++------
 11 files changed, 32 insertions(+), 25 deletions(-)

commit 995a16841e2097c3a9dfc652e856469679c4a0ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 17:11:11 2013 -0400

    fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast

 grsecurity/grsec_sysctl.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
Merge: be2497c 1052971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 29 20:44:29 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        include/linux/sched.h

commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
Merge: e902dad 8bf3379
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 29 20:39:50 2013 -0400

    Update to pax-linux-3.10.10-test21.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/sys_x86_64.c
        arch/x86/mm/mmap.c
        include/linux/sched.h

commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
Merge: 081c22b e902dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:52:44 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:51:21 2013 -0400

    Update to pax-linux-3.10.9-test21.patch:
    - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
    - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
    - fixed a REFCOUNT false positive in UHID
    - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
      Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
      (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
      - icmpv6_filter: no memory corruption, probably just some logical error in the caller
      - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
      - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
      - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
      - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
      - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network

 arch/arm/mm/fault.c                        |    2 +-
 arch/mips/kernel/traps.c                   |    2 --
 drivers/hid/uhid.c                         |    6 +++---
 drivers/isdn/gigaset/usb-gigaset.c         |    2 +-
 drivers/isdn/i4l/isdn_common.c             |    2 ++
 drivers/net/wireless/hostap/hostap_ioctl.c |    4 ++--
 drivers/usb/dwc3/gadget.c                  |    2 --
 net/ieee802154/6lowpan.c                   |    2 +-
 net/ipv6/raw.c                             |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c    |    6 +++---
 10 files changed, 14 insertions(+), 16 deletions(-)

commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:42:39 2013 -0400

    add export of gr_handle_new_usb()

 grsecurity/grsec_usb.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 19:24:47 2013 -0400

    Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
    Kees' recent findings are motivation enough to publish it

 drivers/usb/core/hub.c     |    5 +++++
 grsecurity/Kconfig         |   20 ++++++++++++++++++++
 grsecurity/Makefile        |    3 ++-
 grsecurity/grsec_init.c    |    1 +
 grsecurity/grsec_sysctl.c  |   11 +++++++++++
 grsecurity/grsec_usb.c     |   13 +++++++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grsecurity.h |    2 ++
 8 files changed, 55 insertions(+), 1 deletions(-)

commit 8044382257ec75a03f3d784ce048ef14e94b90ca
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:35:07 2013 -0700

    HID: zeroplus: validate output report details
    
    The zeroplus HID driver was not checking the size of allocated values
    in fields it used. A HID device could send a malicious output report
    that would cause the driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
    ...
    [ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2889
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-zpff.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 14:36:15 2013 -0700

    HID: provide a helper for validating hid reports
    
    Many drivers need to validate the characteristics of their HID report
    during initialization to avoid misusing the reports. This adds a common
    helper to perform validation of the report, its field count, and the
    value count within the fields.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-core.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/hid.h    |    4 +++
 2 files changed, 54 insertions(+), 0 deletions(-)

commit 270ba9096ddecdc3cf6c4d76e6892184820116be
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:14:34 2013 -0700

    HID: steelseries: validate output report details
    
    A HID device could send a malicious output report that would cause the
    steelseries HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
    ...
    [  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2891
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-steelseries.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 08:49:21 2013 -0700

    HID: pantherlord: validate output report details
    
    A HID device could send a malicious output report that would cause the
    pantherlord HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
    ...
    [  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2892
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-pl.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 60115e8108e508060815bce5ef9504233c81898c
Author: Kees Cook <keescook@chromium.org>
Date:   Tue Aug 13 16:49:01 2013 -0700

    HID: LG: validate HID output report details
    
    A HID device could send a malicious output report that would cause the
    lg, lg3, and lg4 HID drivers to write beyond the output report allocation
    during an event, causing a heap overflow:
    
    [  325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
    ...
    [  414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
    
    Additionally, while lg2 did correctly validate the report details, it was
    cleaned up and shortened.
    
    CVE-2013-2893
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-lg2ff.c |   19 +++----------------
 drivers/hid/hid-lg3ff.c |   29 ++++++-----------------------
 drivers/hid/hid-lg4ff.c |   20 +-------------------
 drivers/hid/hid-lgff.c  |   17 ++---------------
 4 files changed, 12 insertions(+), 73 deletions(-)

commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:21:23 2013 -0700

    HID: lenovo-tpkbd: validate output report details
    
    A HID device could send a malicious output report that would cause the
    lenovo-tpkbd HID driver to write just beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
    ...
    [   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2894
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-lenovo-tpkbd.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 38627769bb2b9a550e251b2caf1babda7566fb4a
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:45:03 2013 -0700

    HID: logitech-dj: validate output report details
    
    A HID device could send a malicious output report that would cause the
    logitech-dj HID driver to leak kernel memory contents to the device, or
    trigger a NULL dereference during initialization:
    
    [  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
    ...
    [  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
    [  304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
    
    CVE-2013-2895
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-logitech-dj.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:18:15 2013 -0700

    HID: ntrig: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    ntrig HID driver to trigger a NULL dereference during initialization:
    
    [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
    ...
    [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
    [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
    
    CVE-2013-2896
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-ntrig.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:11:32 2013 -0700

    HID: multitouch: validate feature report details
    
    When working on report indexes, always validate that they are in bounds.
    Without this, a HID device could report a malicious feature report that
    could trick the driver into a heap overflow:
    
    [  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
    ...
    [  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2897
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-multitouch.c |   25 ++++++++++++++++++++-----
 1 files changed, 20 insertions(+), 5 deletions(-)

commit 813f51e0881e4ea6d221da828b1cced02ad9694d
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:12:45 2013 -0700

    HID: sensor-hub: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    sensor-hub HID driver to read past the end of heap allocation, leaking
    kernel memory contents to the caller.
    
    CVE-2013-2898
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-sensor-hub.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:05:10 2013 -0700

    HID: picolcd_core: validate output report details
    
    A HID device could send a malicious output report that would cause the
    picolcd HID driver to trigger a NULL dereference during attr file writing.
    
    CVE-2013-2899
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-picolcd_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:09:54 2013 -0700

    HID: check for NULL field when setting values
    
    Defensively check that the field to be worked on is not NULL.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-core.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 96a55ce1b2f3af376c400a02059174e79ce4399c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 18:09:18 2013 -0400

    http://marc.info/?l=linux-input&m=137772180514608&q=raw
    
    From: Kees Cook <keescook@chromium.org>
    
    The "Report ID" field of a HID report is used to build indexes of
    reports. The kernel's index of these is limited to 256 entries, so any
    malicious device that sets a Report ID greater than 255 will trigger
    memory corruption on the host:
    
    [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
    [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
    
    CVE-2013-2888
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    ---
     drivers/hid/hid-core.c |   10 +++++++---
     include/linux/hid.h    |    4 +++-
     2 files changed, 10 insertions(+), 4 deletions(-)

 drivers/hid/hid-core.c |   10 +++++++---
 include/linux/hid.h    |    4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)

commit eb1106eef5f17bfda833ca3cf89e315919173257
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Aug 9 12:52:31 2013 +0300

    Upstream commit: 909bd5926d474e275599094acad986af79671ac9
    
    Hostap: copying wrong data prism2_ioctl_giwaplist()
    
    We want the data stored in "addr" and "qual", but the extra ampersands
    mean we are copying stack data instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/hostap/hostap_ioctl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 17:01:21 2013 -0400

    fix typo in ipv6 backport

 net/ipv6/addrconf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Aug 22 11:39:15 2013 -0700

    Upstream commit: d661684cf6820331feae71146c35da83d794467e
    
    net: Check the correct namespace when spoofing pid over SCM_RIGHTS
    
    This is a security bug.
    
    The follow-up will fix nsproxy to discourage this type of issue from
    happening again.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/scm.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Aug 16 13:02:27 2013 +0200

    Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
    
    ipv6: remove max_addresses check from ipv6_create_tempaddr
    
    Because of the max_addresses check attackers were able to disable privacy
    extensions on an interface by creating enough autoconfigured addresses:
    
    <http://seclists.org/oss-sec/2012/q4/292>
    
    But the check is not actually needed: max_addresses protects the
    kernel to install too many ipv6 addresses on an interface and guards
    addrconf_prefix_rcv to install further addresses as soon as this limit
    is reached. We only generate temporary addresses in direct response of
    a new address showing up. As soon as we filled up the maximum number of
    addresses of an interface, we stop installing more addresses and thus
    also stop generating more temp addresses.
    
    Even if the attacker tries to generate a lot of temporary addresses
    by announcing a prefix and removing it again (lifetime == 0) we won't
    install more temp addresses, because the temporary addresses do count
    to the maximum number of addresses, thus we would stop installing new
    autoconfigured addresses when the limit is reached.
    
    This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
    possible).
    
    Thanks to Ding Tianhong to bring this topic up again.
    
    Cc: Ding Tianhong <dingtianhong@huawei.com>
    Cc: George Kargiotakis <kargig@void.gr>
    Cc: P J P <ppandit@redhat.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Ding Tianhong <dingtianhong@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/ipv6/addrconf.c

 net/ipv6/addrconf.c |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit 8333e0981469a226a47d0142ff31090a48db95a4
Author: David Vrabel <david.vrabel@citrix.com>
Date:   Thu Aug 15 13:21:06 2013 +0100

    Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
    
    xen/events: initialize local per-cpu mask for all possible events
    
    The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
    resulting in only the first 64 (or 32 in 32-bit guests) ports having
    their bindings being initialized to VCPU 0.
    
    In most cases this does not cause a problem as request_irq() will set
    the irq affinity which will set the correct local per-cpu mask.
    However, if the request_irq() is called on a VCPU other than 0, there
    is a window between the unmasking of the event and the affinity being
    set were an event may be lost because it is not locally unmasked on
    any VCPU. If request_irq() is called on VCPU 0 then local irqs are
    disabled during the window and the race does not occur.
    
    Fix this by initializing all NR_EVENT_CHANNEL bits in the local
    per-cpu masks.
    
    Signed-off-by: David Vrabel <david.vrabel@citrix.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    CC: stable@vger.kernel.org

 drivers/xen/events.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2a9a83768433937a2b7a97001ba1627156c0efed
Author: Roland Dreier <roland@purestorage.com>
Date:   Mon Aug 5 17:55:01 2013 -0700

    Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
    
    [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
    
    There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
    leads to one process writing data into the address space of some other
    random unrelated process if the ioctl is interrupted by a signal.
    What happens is the following:
    
     - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
       underlying SCSI command will transfer data from the SCSI device to
       the buffer provided in the ioctl)
    
     - Before the command finishes, a signal is sent to the process waiting
       in the ioctl.  This will end up waking up the sg_ioctl() code:
    
                result = wait_event_interruptible(sfp->read_wait,
                        (srp_done(sfp, srp) || sdp->detached));
    
       but neither srp_done() nor sdp->detached is true, so we end up just
       setting srp->orphan and returning to userspace:
    
                srp->orphan = 1;
                write_unlock_irq(&sfp->rq_list_lock);
                return result;  /* -ERESTARTSYS because signal hit process */
    
       At this point the original process is done with the ioctl and
       blithely goes ahead handling the signal, reissuing the ioctl, etc.
    
     - Eventually, the SCSI command issued by the first ioctl finishes and
       ends up in sg_rq_end_io().  At the end of that function, we run through:
    
        write_lock_irqsave(&sfp->rq_list_lock, iflags);
        if (unlikely(srp->orphan)) {
                if (sfp->keep_orphan)
                        srp->sg_io_owned = 0;
                else
                        done = 0;
        }
        srp->done = done;
        write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
    
        if (likely(done)) {
                /* Now wake up any sg_read() that is waiting for this
                 * packet.
                 */
                wake_up_interruptible(&sfp->read_wait);
                kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
                kref_put(&sfp->f_ref, sg_remove_sfp);
        } else {
                INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
                schedule_work(&srp->ew.work);
        }
    
       Since srp->orphan *is* set, we set done to 0 (assuming the
       userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
       ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
       to run in a workqueue.
    
     - In workqueue context we go through sg_rq_end_io_usercontext() ->
       sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
       bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
    
       The key point here is that we are doing copy_to_user() on a
       workqueue -- that is, we're on a kernel thread with current->mm
       equal to whatever random previous user process was scheduled before
       this kernel thread.  So we end up copying whatever data the SCSI
       command returned to the virtual address of the buffer passed into
       the original ioctl, but it's quite likely we do this copying into a
       different address space!
    
    As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
    add a check for current->mm (which is NULL if we're on a kernel thread
    without a real userspace address space) in bio_uncopy_user(), and skip
    the copy if we're on a kernel thread.
    
    There's no reason that I can think of for any caller of bio_uncopy_user()
    to want to do copying on a kernel thread with a random active userspace
    address space.
    
    Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
    original pointer to this bug in the sg code.
    
    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Tested-by: David Milburn <dmilburn@redhat.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>

 fs/bio.c |   20 +++++++++++++++-----
 1 files changed, 15 insertions(+), 5 deletions(-)

commit e6fe57dee152671afd618d6bc8cbf23155be6c34
Merge: cdc8f7d f2095a4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 18:13:35 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/mm/fault.c
        security/Kconfig

commit f2095a4787f7d332e5919f0bd00f8de6021ad612
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 18:08:23 2013 -0400

    Update to pax-linux-3.10.9-test20.patch:
    - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
    - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
    - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
    - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
    - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
    - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
    - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)

 arch/arm/mm/fault.c               |   11 +-
 arch/mips/include/asm/atomic.h    |  722 +++++++++++++++++++++++++++++++++++--
 arch/mips/kernel/traps.c          |   14 +-
 arch/x86/include/asm/tlbflush.h   |    4 +
 arch/x86/include/asm/uaccess_64.h |    2 +-
 fs/ntfs/file.c                    |    2 +-
 kernel/events/internal.h          |    4 +-
 kernel/events/uprobes.c           |    2 +-
 kernel/futex.c                    |    2 +-
 mm/filemap.c                      |    8 +-
 security/Kconfig                  |    2 +-
 tools/gcc/kernexec_plugin.c       |   18 +-
 tools/gcc/latent_entropy_plugin.c |   26 +-
 tools/gcc/size_overflow_plugin.c  |    3 +-
 14 files changed, 750 insertions(+), 70 deletions(-)

commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
Merge: 5a9ae57 745975e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 26 20:27:33 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 745975e3b3b74b64e00e85778f9a22714d1274f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 26 20:26:33 2013 -0400

    Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
    as reported by fabled on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=1&t=3720

 arch/arm/include/asm/pgtable.h |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
Merge: 486ec00 f68df21
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:15:20 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:14:50 2013 -0400

    Update to pax-linux-3.10.9-test18.patch:
    - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
    - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
    - forward port to 3.10.9

 arch/x86/kernel/entry_64.S       |   18 +++++++++---------
 arch/x86/kernel/i386_ksyms_32.c  |    4 ++++
 arch/x86/kernel/x8664_ksyms_64.c |    4 ++++
 3 files changed, 17 insertions(+), 9 deletions(-)

commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
Merge: f47a293 d8fed0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:12:47 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
Merge: f6ace8e 0a4b6d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:12:33 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit f47a293a1440da2a3e2c239d43d636e37ca74f10
Merge: f1e8ec7 f6ace8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:20:05 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/kernel/perf_event.c
        include/linux/sched.h

commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
Merge: b4fa847 6f54059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:18:02 2013 -0400

    Update to pax-linux-3.10.8-test18.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/sys_x86_64.c
        arch/x86/mm/mmap.c
        include/linux/sched.h

commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
Merge: 6f88011 b4fa847
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:05:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:04:14 2013 -0400

    Update to pax-linux-3.10.7-test18.patch:
    - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
    - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
    - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause

 arch/arm/kernel/process.c        |    2 +-
 arch/x86/include/asm/processor.h |   25 ++-----------------------
 arch/x86/kernel/cpu/common.c     |    4 ++++
 arch/x86/kernel/setup.c          |   36 ++++++++++++++++++++++++++++++++++++
 drivers/staging/zcache/tmem.c    |    4 ++--
 drivers/staging/zcache/tmem.h    |    6 ++----
 6 files changed, 47 insertions(+), 30 deletions(-)

commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 19 22:10:04 2013 -0400

    fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
    as reported by pipacs

 arch/x86/kernel/smpboot.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
Merge: 6eba999 5de93c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 22:03:19 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 22:02:47 2013 -0400

    Update to pax-linux-3.10.7-test15.patch:
    - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
    - fixed some new REFCOUNT false positives, caught by inspection

 arch/x86/kernel/cpu/common.c |    5 +++--
 arch/x86/kernel/entry_64.S   |   11 +++++++----
 fs/ceph/super.c              |    4 ++--
 mm/backing-dev.c             |    4 ++--
 4 files changed, 14 insertions(+), 10 deletions(-)

commit 94c119587c76723c1072237b98fff9886ccb7689
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 20:49:39 2013 -0400

    fix pipacs' DEMORGAN typo

 arch/x86/include/asm/tlbflush.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
Merge: df347f6 64a293e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 18:13:04 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 18:12:37 2013 -0400

    Update to pax-linux-3.10.7-test14.patch:
    - fixed compile error introduced by the previous PCID change
    - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)

 arch/x86/include/asm/tlbflush.h |    2 +-
 kernel/posix-timers.c           |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
Merge: d8efbc5 e11b314
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 08:15:00 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e11b314734c5b7317f5468be75305ad812e78c2b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 08:14:26 2013 -0400

    Update to pax-linux-3.10.7-test13.patch:
    - always enable the use of PCID and INVPCID when available in the CPU
      - kvm guest kernels can use these features even if the host kernel lacks UDEREF

 arch/x86/include/asm/tlbflush.h |   69 ++++++++++++++++++++++----------------
 arch/x86/kernel/cpu/common.c    |   48 +++++++++++++++++----------
 2 files changed, 70 insertions(+), 47 deletions(-)

commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 12:00:20 2013 -0400

    make kallsyms_lookup_size_offset available to approved source files

 include/linux/kallsyms.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6c8feffa95ce2db280160015027b52bb41a344c8
Merge: dbf6930 0bb1c2b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:57:50 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:56:43 2013 -0400

    Update to pax-linux-3.10.7-test12.patch:
    - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
    - fixed some arm compile problems

 arch/x86/include/asm/tlbflush.h      |    2 +-
 drivers/clocksource/bcm_kona_timer.c |    2 +-
 kernel/signal.c                      |    4 ++++
 3 files changed, 6 insertions(+), 2 deletions(-)

commit dbf69305ad4f8a037aae95af90f9201f556dcb48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:18:09 2013 -0400

    allow use of kallsyms_lookup_name to approved source files

 include/linux/kallsyms.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
Merge: 68bd16f f562e3e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 10:35:02 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f562e3ef7737ea8d80431a722479b36a12504ace
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 10:34:51 2013 -0400

    add uderef_64.c

 arch/x86/mm/uderef_64.c |   37 +++++++++++++++++++++++++++++++++++++
 1 files changed, 37 insertions(+), 0 deletions(-)

commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
Date:   Mon Aug 12 16:30:09 2013 +0000

    Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
    
    rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
    
    Fix the iproute2 command `bridge vlan show`, after switching from
    rtgenmsg to ifinfomsg.
    
    Let's start with a little history:
    
    Feb 20:   Vlad Yasevich got his VLAN-aware bridge patchset included in
              the 3.9 merge window.
              In the kernel commit 6cbdceeb, he added attribute support to
              bridge GETLINK requests sent with rtgenmsg.
    
    Mar 6th:  Vlad got this iproute2 reference implementation of the bridge
              vlan netlink interface accepted (iproute2 9eff0e5c)
    
    Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
              http://patchwork.ozlabs.org/patch/239602/
              http://marc.info/?t=136680900700007
    
    Apr 28th: Linus released 3.9
    
    Apr 30th: Stephen released iproute2 3.9.0
    
    The `bridge vlan show` command haven't been working since the switch to
    ifinfomsg, or in a released version of iproute2. Since the kernel side
    only supports rtgenmsg, which iproute2 switched away from just prior to
    the iproute2 3.9.0 release.
    
    I haven't been able to find any documentation, about neither rtgenmsg
    nor ifinfomsg, and in which situation to use which, but kernel commit
    88c5b5ce seams to suggest that ifinfomsg should be used.
    
    Fixing this in kernel will break compatibility, but I doubt that anybody
    have been using it due to this bug in the user space reference
    implementation, at least not without noticing this bug. That said the
    functionality is still fully functional in 3.9, when reversing iproute2
    commit 63338dca.
    
    This could also be fixed in iproute2, but thats an ugly patch that would
    reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
    like rtgenmsg usage is discouraged. I'm assuming that the only reason
    that Vlad implemented the kernel side to use rtgenmsg, was because
    iproute2 was using it at the time.
    
    Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
    Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/rtnetlink.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8c7bc5bafddddff55ed4687203a977e96f72540a
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Aug 13 09:04:05 2013 +0200

    Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
    
    genetlink: fix family dump race
    
    When dumping generic netlink families, only the first dump call
    is locked with genl_lock(), which protects the list of families,
    and thus subsequent calls can access the data without locking,
    racing against family addition/removal. This can cause a crash.
    Fix it - the locking needs to be conditional because the first
    time around it's already locked.
    
    A similar bug was reported to me on an old kernel (3.4.47) but
    the exact scenario that happened there is no longer possible,
    on those kernels the first round wasn't locked either. Looking
    at the current code I found the race described above, which had
    also existed on the old kernel.
    
    Cc: stable@vger.kernel.org
    Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/netlink/genetlink.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Aug 9 16:25:21 2013 +0200

    Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
    
    net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
    
    Probably this one is quite unlikely to be triggered, but it's more safe
    to do the call_rcu() at the end after we have dropped the reference on
    the asoc and freed sctp packet chunks. The reason why is because in
    sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
    we're unlucky enough we could run into corrupted pointers. Probably
    that's more of theoretical nature, but it's safer to have this simple fix.
    
    Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
    for deferred call_rcu's"). I also did the 8c98653f regression test and
    it's fine that way.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/transport.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 3925eab5483946fd746575a46f97bee9d566bb77
Author: Stephane Grosjean <s.grosjean@peak-system.com>
Date:   Fri Aug 9 11:44:06 2013 +0200

    Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
    
    can: pcan_usb: fix wrong memcpy() bytes length
    
    Fix possibly wrong memcpy() bytes length since some CAN records received from
    PCAN-USB could define a DLC field in range [9..15].
    In that case, the real DLC value MUST be used to move forward the record pointer
    but, only 8 bytes max. MUST be copied into the data field of the struct
    can_frame object of the skb given to the network core.
    
    Cc: linux-stable <stable@vger.kernel.org>
    Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/can/usb/peak_usb/pcan_usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c1ac6642baae4a400d1f87115024d1bb1ef53598
Author: Linus Lüssing <linus.luessing@web.de>
Date:   Tue Aug 6 20:21:15 2013 +0200

    Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
    
    batman-adv: fix potential kernel paging errors for unicast transmissions
    
    There are several functions which might reallocate skb data. Currently
    some places keep reusing their old ethhdr pointer regardless of whether
    they became invalid after such a reallocation or not. This potentially
    leads to kernel paging errors.
    
    This patch fixes these by refetching the ethdr pointer after the
    potential reallocations.
    
    Signed-off-by: Linus Lüssing <linus.luessing@web.de>
    Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
    Signed-off-by: Antonio Quartulli <ordex@autistici.org>

 net/batman-adv/bridge_loop_avoidance.c |    2 ++
 net/batman-adv/gateway_client.c        |   13 ++++++++++++-
 net/batman-adv/gateway_client.h        |    3 +--
 net/batman-adv/soft-interface.c        |    9 ++++++++-
 net/batman-adv/unicast.c               |   13 ++++++++++---
 5 files changed, 33 insertions(+), 7 deletions(-)

commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
Author: Yuchung Cheng <ycheng@google.com>
Date:   Fri Aug 9 17:21:27 2013 -0700

    Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
    
    netfilter: nf_conntrack: fix tcp_in_window for Fast Open
    
    Currently the conntrack checks if the ending sequence of a packet
    falls within the observed receive window. However it does so even
    if it has not observe any packet from the remote yet and uses an
    uninitialized receive window (td_maxwin).
    
    If a connection uses Fast Open to send a SYN-data packet which is
    dropped afterward in the network. The subsequent SYNs retransmits
    will all fail this check and be discarded, leading to a connection
    timeout. This is because the SYN retransmit does not contain data
    payload so
    
    end == initial sequence number (isn) + 1
    sender->td_end == isn + syn_data_len
    receiver->td_maxwin == 0
    
    The fix is to only apply this check after td_maxwin is initialized.
    
    Reported-by: Michael Chan <mcfchan@stanford.edu>
    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_conntrack_proto_tcp.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 1 12:36:57 2013 +0300

    Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
    
    netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
    
    These structs have a "_pad" member.  Also the "phw" structs have an 8
    byte "hw_addr[]" array but sometimes only the first 6 bytes are
    initialized.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_log.c        |    6 +++++-
 net/netfilter/nfnetlink_queue_core.c |    5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jul 25 10:46:46 2013 +0200

    Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
    
    netfilter: xt_TCPOPTSTRIP: fix possible off by one access
    
    Fix a possible off by one access since optlen()
    touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
    
    This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
    that stores the TCP header length, to save some cycles.
    
    Reported-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/xt_TCPOPTSTRIP.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jul 25 10:37:49 2013 +0200

    Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
    
    netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
    
    Make sure the packet has enough room for the TCP header and
    that it is not malformed.
    
    While at it, store tcph->doff*4 in a variable, as it is used
    several times.
    
    This patch also fixes a possible off by one in case of malformed
    TCP options.
    
    Reported-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/xt_TCPMSS.c |   28 ++++++++++++++++------------
 1 files changed, 16 insertions(+), 12 deletions(-)

commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
Author: Dave Jones <davej@redhat.com>
Date:   Fri Aug 9 11:16:34 2013 -0700

    Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
    
    8139cp: Fix skb leak in rx_status_loop failure path.
    
    Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
    ("8139cp: Add dma_mapping_error checking")
    
    Signed-off-by: Dave Jones <davej@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/realtek/8139cp.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 227b279491a0bbcc70ca3654f34903282c378600
Author: Timo Teräs <timo.teras@iki.fi>
Date:   Tue Aug 6 13:45:43 2013 +0300

    Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
    
    ip_gre: fix ipgre_header to return correct offset
    
    Fix ipgre_header() (header_ops->create) to return the correct
    amount of bytes pushed. Most callers of dev_hard_header() seem
    to care only if it was success, but af_packet.c uses it as
    offset to the skb to copy from userspace only once. In practice
    this fixes packet socket sendto()/sendmsg() to gre tunnels.
    
    Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
    ("GRE: Refactor GRE tunneling code.")
    
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: Timo Teräs <timo.teras@iki.fi>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_gre.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Aug 5 11:18:49 2013 -0700

    Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
    
    fib_trie: remove potential out of bound access
    
    AddressSanitizer [1] dynamic checker pointed a potential
    out of bound access in leaf_walk_rcu()
    
    We could allocate one more slot in tnode_new() to leave the prefetch()
    in-place but it looks not worth the pain.
    
    Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
    
    [1] :
    https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
    
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/fib_trie.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Aug 5 12:49:35 2013 +0200

    Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
    
    net: esp{4,6}: fix potential MTU calculation overflows
    
    Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
    size calculation") introduced a possible interger overflow in
    esp{4,6}_get_mtu() handlers in case of x->props.mode equals
    XFRM_MODE_TUNNEL. Thus, the following expression will overflow
    
      unsigned int net_adj;
      ...
      <case ipv{4,6} XFRM_MODE_TUNNEL>
             net_adj = 0;
      ...
      return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
               net_adj) & ~(align - 1)) + (net_adj - 2);
    
    where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
    context. Fix it by simply removing brackets as those operations here
    do not need to have special precedence.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Benjamin Poirier <bpoirier@suse.de>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Acked-by: Benjamin Poirier <bpoirier@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c |    2 +-
 net/ipv6/esp6.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit f02bce292d1c2fe610be509c96593e70b3de387b
Author: Julia Lawall <Julia.Lawall@lip6.fr>
Date:   Mon Aug 5 16:47:38 2013 +0200

    Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
    
    net/vmw_vsock/af_vsock.c: drop unneeded semicolon
    
    Drop the semicolon at the end of the list_for_each_entry loop header.
    
    Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/vmw_vsock/af_vsock.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
Author: Tiger Yang <tiger.yang@oracle.com>
Date:   Tue Aug 13 16:00:58 2013 -0700

    Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
    
    ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
    
    Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
    the struct file pointer, it finally result in a null pointer dereference
    in ocfs2_duplicate_clusters_by_page.
    
    This patch replace file pointer with inode pointer in
    cow_duplicate_clusters to fix this issue.
    
    [jeff.liu@oracle.com: rebased patch against linux-next tree]
    Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
    Signed-off-by: Jie Liu <jeff.liu@oracle.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Mark Fasheh <mfasheh@suse.com>
    Acked-by: Tao Ma <tm@tao.ma>
    Tested-by: David Weber <wb@munzinger.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/ocfs2/aops.c         |    2 +-
 fs/ocfs2/file.c         |    6 ++--
 fs/ocfs2/move_extents.c |    2 +-
 fs/ocfs2/refcounttree.c |   53 +++++++---------------------------------------
 fs/ocfs2/refcounttree.h |    6 ++--
 5 files changed, 16 insertions(+), 53 deletions(-)

commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 15 15:52:57 2013 +0300

    Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
    
    tun: signedness bug in tun_get_user()
    
    The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
    not totally correct.  Because "len" and "sizeof()" are size_t type, that
    means they are never less than zero.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 26ad267ddda451919357965a0cf271ca24d1bcf2
Author: Weiping Pan <wpan@redhat.com>
Date:   Tue Aug 13 21:46:56 2013 +0800

    Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
    
    tun: compare with 0 instead of total_len
    
    Since we set "len = total_len" in the beginning of tun_get_user(),
    so we should compare the new len with 0, instead of total_len,
    or the if statement always returns false.
    
    Signed-off-by: Weiping Pan <wpan@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Fri Aug 16 20:50:55 2013 -0700

    Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
    
    s390: Fix broken build
    
    Fix this build error:
    
      In file included from fs/exec.c:61:0:
      arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
      arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
      arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
      arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
    
    Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
    invalidation corner cases").
    
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    [ Oh well. We had build testing for ppc amd um, but no s390  - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/s390/include/asm/tlb.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4e57312c2de2a25ddb181d129dafbc0251062c33
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Aug 15 11:42:25 2013 -0700

    Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
    
    Fix TLB gather virtual address range invalidation corner cases
    
    Ben Tebulin reported:
    
     "Since v3.7.2 on two independent machines a very specific Git
      repository fails in 9/10 cases on git-fsck due to an SHA1/memory
      failures.  This only occurs on a very specific repository and can be
      reproduced stably on two independent laptops.  Git mailing list ran
      out of ideas and for me this looks like some very exotic kernel issue"
    
    and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
    limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
    
    That commit itself is not actually buggy, but what it does is to make it
    much more likely to hit the partial TLB invalidation case, since it
    introduces a new case in tlb_next_batch() that previously only ever
    happened when running out of memory.
    
    The real bug is that the TLB gather virtual memory range setup is subtly
    buggered.  It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
    enable tlb flush range in generic mmu_gather"), and the range handling
    was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
    range flushed when __tlb_remove_page() runs out of slots"), but that fix
    was not complete.
    
    The problem with the TLB gather virtual address range is that it isn't
    set up by the initial tlb_gather_mmu() initialization (which didn't get
    the TLB range information), but it is set up ad-hoc later by the
    functions that actually flush the TLB.  And so any such case that forgot
    to update the TLB range entries would potentially miss TLB invalidates.
    
    Rather than try to figure out exactly which particular ad-hoc range
    setup was missing (I personally suspect it's the hugetlb case in
    zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
    did), this patch just gets rid of the problem at the source: make the
    TLB range information available to tlb_gather_mmu(), and initialize it
    when initializing all the other tlb gather fields.
    
    This makes the patch larger, but conceptually much simpler.  And the end
    result is much more understandable; even if you want to play games with
    partial ranges when invalidating the TLB contents in chunks, now the
    range information is always there, and anybody who doesn't want to
    bother with it won't introduce subtle bugs.
    
    Ben verified that this fixes his problem.
    
    Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
    Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
    Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
    Reviewed-by: Michal Hocko <mhocko@suse.cz>
    Acked-by: Peter Zijlstra <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/arm/include/asm/tlb.h   |    7 +++++--
 arch/arm64/include/asm/tlb.h |    7 +++++--
 arch/ia64/include/asm/tlb.h  |    9 ++++++---
 arch/s390/include/asm/tlb.h  |    8 ++++++--
 arch/sh/include/asm/tlb.h    |    6 ++++--
 arch/um/include/asm/tlb.h    |    6 ++++--
 fs/exec.c                    |    4 ++--
 include/asm-generic/tlb.h    |    2 +-
 mm/hugetlb.c                 |    2 +-
 mm/memory.c                  |   36 +++++++++++++++++++++---------------
 mm/mmap.c                    |    4 ++--
 11 files changed, 57 insertions(+), 34 deletions(-)

commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
Merge: 5568c80 ffceabf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:11:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit ffceabfcc65c60109ba5fca694d78d4dc7047809
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:10:44 2013 -0400

    Update to pax-linux-3.10.7-test11.patch:
    - simplified some arm code
    - disabled preemption when calling show_regs, reported by Corey Minyard
    - added PCID based support for UDEREF on amd64 (blog will have more details)
      - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
      - nopcid turns it off
      - by default a strong form of UDEREF is used under PCID
      - pax_weakuderef switches to the older, less secure UDEREF
      - fixed several bugs that would also have manifested under SMAP
      - INVPCID is used when available (Haswell)
    - added a few more return insn instrumentation in new amd64 crypto code

 Documentation/kernel-parameters.txt          |    7 +
 arch/arm/include/asm/uaccess.h               |    3 +
 arch/x86/crypto/blowfish-avx2-asm_64.S       |    6 +
 arch/x86/crypto/camellia-aesni-avx-asm_64.S  |   10 ++
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S |   10 ++
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S    |    2 +
 arch/x86/crypto/ghash-clmulni-intel_asm.S    |    5 +
 arch/x86/crypto/serpent-avx2-asm_64.S        |    9 ++
 arch/x86/crypto/sha256-avx-asm.S             |    2 +
 arch/x86/crypto/sha256-avx2-asm.S            |    2 +
 arch/x86/crypto/sha256-ssse3-asm.S           |    2 +
 arch/x86/crypto/sha512-avx-asm.S             |    2 +
 arch/x86/crypto/sha512-avx2-asm.S            |    2 +
 arch/x86/crypto/sha512-ssse3-asm.S           |    2 +
 arch/x86/crypto/twofish-avx2-asm_64.S        |    8 ++
 arch/x86/ia32/ia32_signal.c                  |    2 +-
 arch/x86/ia32/ia32entry.S                    |   24 ++++-
 arch/x86/include/asm/cpufeature.h            |    3 +-
 arch/x86/include/asm/fpu-internal.h          |    2 +
 arch/x86/include/asm/futex.h                 |    4 +
 arch/x86/include/asm/mmu_context.h           |   80 +++++++++++---
 arch/x86/include/asm/pgtable.h               |   10 +-
 arch/x86/include/asm/processor.h             |   15 +++-
 arch/x86/include/asm/segment.h               |    5 +-
 arch/x86/include/asm/smap.h                  |   64 +++++++++++-
 arch/x86/include/asm/tlbflush.h              |   63 +++++++++--
 arch/x86/include/asm/uaccess.h               |   18 +++-
 arch/x86/include/asm/xsave.h                 |    4 +
 arch/x86/kernel/cpu/common.c                 |   38 +++++++
 arch/x86/kernel/entry_32.S                   |    2 +-
 arch/x86/kernel/entry_64.S                   |  152 +++++++++++++++++++++++---
 arch/x86/kernel/head_32.S                    |    2 +-
 arch/x86/kernel/head_64.S                    |    8 +-
 arch/x86/kernel/process_64.c                 |    5 +
 arch/x86/kernel/setup.c                      |    8 +-
 arch/x86/kernel/signal.c                     |    4 +-
 arch/x86/kernel/smpboot.c                    |   15 ++-
 arch/x86/lib/copy_user_64.S                  |   50 +--------
 arch/x86/lib/copy_user_nocache_64.S          |    2 +
 arch/x86/lib/csum-wrappers_64.c              |   11 ++-
 arch/x86/lib/memcpy_64.S                     |    4 +-
 arch/x86/lib/memmove_64.S                    |    2 +-
 arch/x86/lib/memset_64.S                     |    4 +-
 arch/x86/lib/usercopy_64.c                   |    5 +-
 arch/x86/mm/Makefile                         |    4 +
 arch/x86/mm/fault.c                          |   29 ++++--
 arch/x86/mm/init.c                           |    7 +-
 arch/x86/mm/init_64.c                        |    9 ++-
 arch/x86/mm/pageattr.c                       |    2 +-
 arch/x86/mm/pgtable.c                        |    3 +
 arch/x86/platform/efi/efi_32.c               |    2 +-
 arch/x86/platform/efi/efi_64.c               |    2 +-
 arch/x86/realmode/rm/trampoline_64.S         |    1 +
 fs/exec.c                                    |    2 +
 include/asm-generic/uaccess.h                |    8 ++
 include/linux/compat.h                       |    1 +
 include/linux/preempt.h                      |   19 +++
 include/linux/signal.h                       |    1 +
 include/linux/smp.h                          |    2 +
 init/main.c                                  |   14 ++-
 kernel/signal.c                              |   16 +++
 security/Kconfig                             |    5 +
 tools/lib/lk/Makefile                        |    2 +-
 tools/perf/Makefile                          |    2 +-
 64 files changed, 673 insertions(+), 136 deletions(-)

commit 5568c8059e78d6d002815409df4e90c83b3b08a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 08:58:34 2013 -0400

    Fix two harmless compiler warnings

 arch/arm/kernel/process.c |    4 ++--
 fs/exec.c                 |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:55:24 2013 -0400

    Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b

 arch/arm/kernel/perf_event.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 3637bc893b57a227b01852fe34685ab237285b10
Author: Stephen Boyd <sboyd@codeaurora.org>
Date:   Wed Aug 7 16:18:08 2013 -0700

    Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
    
    perf/arm: Fix armpmu_map_hw_event()
    
    Fix constraint check in armpmu_map_hw_event().
    
    Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/arm/kernel/perf_event.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 11802e1f961a088c39af58d1c1b14d861eedfb35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:53:30 2013 -0400

    More ARM backports

 arch/arm/kernel/entry-armv.S |    3 ++-
 arch/arm/kernel/fiq.c        |    8 ++------
 2 files changed, 4 insertions(+), 7 deletions(-)

commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:46:01 2013 -0400

    Fix HIDESYM compatibility with kprobes, as reported by feandil at:
    http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376

 include/linux/kallsyms.h |    2 +-
 kernel/kprobes.c         |    3 +++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
Author: yonghua zheng <younghua.zheng@gmail.com>
Date:   Tue Aug 13 16:01:03 2013 -0700

    fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
    
    Recently we met quite a lot of random kernel panic issues after enabling
    CONFIG_PROC_PAGE_MONITOR.  After debuggind we found this has something
    to do with following bug in pagemap:
    
    In struct pagemapread:
    
      struct pagemapread {
          int pos, len;
          pagemap_entry_t *buffer;
          bool v2;
      };
    
    pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
    buffer, it is a mistake to compare pos and len in add_page_map() for
    checking buffer is full or not, and this can lead to buffer overflow and
    random kernel panic issue.
    
    Correct len to be total number of PM_ENTRY_BYTES in buffer.
    
    [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
    Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/task_mmu.c

 fs/proc/task_mmu.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 0a3dac834746de241c10d4978bf61b4f146ba89d
Merge: dc19474 e12de30
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 17:39:01 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 17:34:47 2013 -0400

    Update to pax-linux-3.10.7-test9.patch:
    - Emese fixed a size overflow false positive reported by Sven Vermeulen
    - fixed some arm compile problems reported by spender
    - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
      eventually we'll have full REFCOUNT support on mips

 arch/arm/kernel/process.c     |    5 ++-
 arch/arm/mm/Kconfig           |    2 +-
 arch/arm/mm/fault.c           |    3 ++
 arch/mips/include/asm/local.h |   57 +++++++++++++++++++++++++++++++++++++++++
 mm/internal.h                 |    2 +-
 5 files changed, 65 insertions(+), 4 deletions(-)

commit dc19474d0ea6ea3c939544ae5f906067b1784a10
Merge: 51b78c0 82266f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 21:47:37 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 82266f90a3f87ab5017329fb539aebf94c42253a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 21:14:47 2013 -0400

    Update to pax-linux-3.10.7-test9.patch

 arch/arm/kernel/process.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)

commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
Merge: e32d904 cb77ead
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 20:53:45 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
Merge: 13675b8 519be45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 20:50:47 2013 -0400

    Update to pax-linux-3.10.7-test8.patch
    
    Merge branch 'linux-3.10.y' into pax-test

commit e32d904b87292288e74e2637b900fd1115687b8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 10 09:41:40 2013 -0400

    propagate the threadstack offset through to the topdown/bottomup allocators
    on sparc64 hugepages

 arch/sparc/mm/hugetlbpage.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Thu Aug 8 18:55:32 2013 +0200

    Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
    
    another local DoS found in reaction to the one I reported,
    we don't allow unpriv user ns use so this doesn't matter much to us
    
    userns: limit the maximum depth of user_namespace->parent chain
    
    Ensure that user_namespace->parent chain can't grow too much.
    Currently we use the hardroded 32 as limit.
    
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/user_namespace.h |    1 +
 kernel/user_namespace.c        |    4 ++++
 2 files changed, 5 insertions(+), 0 deletions(-)

commit 223ac007ef18bf3a5095ba0a56675c1f16200149
Merge: 1c92de4 13675b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 8 20:45:24 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 13675b848cf02bffd26924b2b84d927095bc253d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 8 20:43:52 2013 -0400

    Update to pax-linux-3.10.5-test8.patch:
    - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
    - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
    - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>

 arch/arm/include/asm/pgtable-2level.h |    4 +++-
 arch/arm/mm/proc-v7-2level.S          |    3 ---
 arch/mips/mm/fault.c                  |    8 ++++++++
 arch/x86/include/asm/processor.h      |    3 ++-
 include/linux/math64.h                |    2 +-
 security/Kconfig                      |    2 --
 6 files changed, 14 insertions(+), 8 deletions(-)

commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
Merge: e65aa3d 1660f49
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 18:50:45 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 1660f496848b8400d263f7920989dae15e72185a
Merge: 7f91ba1 dc51cd2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 18:50:12 2013 -0400

    Update to pax-linux-3.10.5-test7.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/head_64.S
        mm/mempolicy.c

commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:58:42 2013 -0400

    Disable RANDKSTACK for a VirtualBox host as mentioned on the
    gentoo-hardened bugzilla:
    https://bugs.gentoo.org/show_bug.cgi?id=382793

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jul 30 13:23:39 2013 +0300

    Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
    
    net_sched: info leak in atm_tc_dump_class()
    
    The "pvc" struct has a hole after pvc.sap_family which is not cleared.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/sch_atm.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Aug 2 11:32:43 2013 +0200

    Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
    
    net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
    
    Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
    resource that was allocated via inet_alloc_ifa() unfreed when returning
    the function with -EINVAL. Thus, free it first via inet_free_ifa().
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Reviewed-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/devinet.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
Date:   Fri Aug 2 23:15:56 2013 -0400

    Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
    
    qlcnic: Free up memory in error path.
    
    Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
    Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
Date:   Fri Aug 2 23:15:54 2013 -0400

    Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
    
    qlcnic: Fix MAC address filter issue on 82xx adapter
    
    Driver was passing the address of a pointer instead of
    the pointer itself.
    
    Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:26:40 2013 -0400

    Move user namespace capability check to shared create_user_ns code so we
    cover unshare() as well.
    
    Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
    user namespaces!

 kernel/fork.c           |   17 -----------------
 kernel/user_namespace.c |   24 ++++++++++++++++++++++--
 2 files changed, 22 insertions(+), 19 deletions(-)

commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 16:05:41 2013 -0400

    silence a warning on older gcc

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b8966a5d577e9220fbc63306eee978f819f24e2e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 3 08:31:08 2013 -0400

    we only care about mmaps of the beginning of an ELF, filter out
    all others as suggested by pipacs

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:54:51 2013 -0400

    add include

 grsecurity/grsec_log.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:49:13 2013 -0400

    fix compilation

 include/linux/grinternal.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1704c23fdc55b68f512dc9927940e72237f3f43e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:34:35 2013 -0400

    Improve PaX reporting (tells when anon mapping is stack or heap)
    Remove textrel logging option, combine into rwx logging option
    Enhance RWX logging option to display when PT_GNU_STACK-enabled library
    is loaded under an MPROTECTed binary
    Enhance RWX mprotect logging to display stack/heap instead of just
    anon mapping

 fs/binfmt_elf.c            |   37 +++++++++++++++++++++++++++++++++++++
 fs/exec.c                  |    4 ++++
 grsecurity/Kconfig         |   21 +++++----------------
 grsecurity/grsec_init.c    |    4 ----
 grsecurity/grsec_log.c     |   14 ++++++++++++++
 grsecurity/grsec_pax.c     |   19 ++++++++++++++-----
 grsecurity/grsec_sysctl.c  |    9 ---------
 include/linux/binfmts.h    |    1 +
 include/linux/grinternal.h |    2 +-
 include/linux/grmsg.h      |    3 ++-
 include/linux/grsecurity.h |    3 ++-
 mm/mmap.c                  |    7 +++++++
 mm/mprotect.c              |    2 +-
 13 files changed, 88 insertions(+), 38 deletions(-)

commit faf81c100c8565524e21c9af780a0ad2ce3fd925
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:52:02 2013 -0400

    add missing #define

 grsecurity/gracl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:43:53 2013 -0400

    fix compilation for !COMPAT as reported on the forums

 grsecurity/gracl.c |  195 ++++++++++++++++++++++++++--------------------------
 1 files changed, 97 insertions(+), 98 deletions(-)

commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
Merge: 65019c9 7f91ba1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:31 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 65019c9bd05f860437071cbf00e2027fd2d68615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:20 2013 -0400

    Revert "revert recent PaX change that causes boot failures with 32bit userland"
    
    This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:46:00 2013 -0400

    Update to pax-linux-3.10.4-test7.patch:
    - added a few more missing format strings
    - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
    - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
    - fixed a UDEREF/i386 regression, __get_user_8 would always fail

 arch/x86/include/asm/processor.h           |    4 +-
 arch/x86/kernel/cpu/common.c               |    2 +-
 arch/x86/kernel/dumpstack.c                |    2 +-
 arch/x86/kernel/process_64.c               |    2 +-
 arch/x86/kernel/reboot_fixups_32.c         |    2 +-
 arch/x86/kernel/smpboot.c                  |    2 +-
 arch/x86/lib/getuser.S                     |    4 +-
 arch/x86/xen/smp.c                         |    2 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c |    8 ++--
 drivers/video/backlight/backlight.c        |    2 +-
 drivers/video/backlight/lcd.c              |    2 +-
 fs/binfmt_elf.c                            |   51 +++++++++++++++++++++++++---
 fs/exec.c                                  |   50 +++++++++++++--------------
 include/linux/sched.h                      |    2 +
 14 files changed, 88 insertions(+), 47 deletions(-)

commit 043130da54cb7cc8dc44e0ce889d426e889a0532
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 16:26:58 2013 -0400

    compile fix for !COMPAT as mentioned on forums

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ed0a195abd4e41c2449a020a53a19c74dc866d78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:33:14 2013 -0400

    perform compat conversion of rlimit infinity

 grsecurity/gracl_compat.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:21:40 2013 -0400

    remove debugging

 grsecurity/gracl_compat.c |   44 +++++++++++---------------------------------
 1 files changed, 11 insertions(+), 33 deletions(-)

commit e75b3f504692b97960a7530ad0855d91441d79c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:20:32 2013 -0400

    eliminate compat_dev_t

 include/linux/gracl_compat.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e5abbaf95313066a724e1a843d4fc902a9a6450e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:13:22 2013 -0400

    fix compat rlimit size

 grsecurity/gracl_compat.c    |   68 +++++++++++++++++++++++++++++-------------
 include/linux/gracl_compat.h |    4 +-
 2 files changed, 49 insertions(+), 23 deletions(-)

commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:20:18 2013 -0400

    compile fix

 grsecurity/gracl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:14:29 2013 -0400

    copy correct pointer size in new compat code

 grsecurity/gracl.c        |    8 ++++----
 grsecurity/gracl_compat.c |    4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 23278a1ee1c7738dd1e7005241394d32b82196e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:48:58 2013 -0400

    revert recent PaX change that causes boot failures with 32bit userland

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit ec27f71a813656fea8ab37faecb2b485fe99d08e
Merge: 3a11bcf 05f0a61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:42:21 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:41:44 2013 -0400

    Update to pax-linux-3.10.4-test6.patch:
    - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender

 include/linux/syscalls.h |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:15:50 2013 -0400

    compile fix

 grsecurity/gracl_compat.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:12:46 2013 -0400

    remove BUILD_BUG_ONs

 grsecurity/gracl_compat.c |   20 --------------------
 1 files changed, 0 insertions(+), 20 deletions(-)

commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:18:36 2013 -0400

    compile fixes

 grsecurity/gracl_compat.c    |    8 ++++----
 include/linux/gracl_compat.h |    2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 8b744005f8bae565e24c1fd88af77e6e619b9434
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:16:42 2013 -0400

    compile fixes

 grsecurity/gracl.c        |    4 ++--
 grsecurity/gracl_compat.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:13:51 2013 -0400

    compile fixes

 grsecurity/gracl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit b93b829afcc98b6108b18d99ff63c53642d0b951
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:11:03 2013 -0400

    compile fixes

 grsecurity/gracl_compat.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:08:21 2013 -0400

    more compile fixes

 grsecurity/gracl.c |   28 ++++++++++++++--------------
 1 files changed, 14 insertions(+), 14 deletions(-)

commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:59:50 2013 -0400

    more compile fixes

 grsecurity/gracl.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:56:47 2013 -0400

    additional compile fixes

 grsecurity/gracl.c |   59 +++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 49 insertions(+), 10 deletions(-)

commit ac695a081d1124fb28bec46814535d34c5e40611
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:47:15 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:46:59 2013 -0400

    compile fixes

 grsecurity/gracl.c |   53 ++++++++++++++++++++++++++++++++++++++-------------
 1 files changed, 39 insertions(+), 14 deletions(-)

commit 82631f451cc7432b6c5578cf8d24155473feb25c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:22:44 2013 -0400

    Initial commit of compat RBAC loading
    Permits 32bit gradm to load policy for a 64bit kernel
    
    Also removed code duplication for copying strings into the kernel
    
    Work performed as part of sponsorship

 grsecurity/Makefile          |    4 +
 grsecurity/gracl.c           |  315 +++++++++++++++++++++++-------------------
 grsecurity/gracl_compat.c    |  270 ++++++++++++++++++++++++++++++++++++
 include/linux/gracl_compat.h |  156 +++++++++++++++++++++
 4 files changed, 603 insertions(+), 142 deletions(-)

commit 84c4a433dfb096e4a1162ee5e68025122c70b421
Merge: c9d3ed3 9fe5897
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 17:08:56 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 9fe58978938e357642885866ca48090a7753d403
Merge: 8f693ad 6f7bb6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 17:08:43 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
Merge: d5e5bfd 8f693ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:03:08 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 8f693ade9b3e448f92706d34148b00a087637f70
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:02:16 2013 -0400

    Update to pax-linux-3.10.3-test5.patch:
    - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
    - fixed handling of faulting userland accesses for UDEREF/arm, from spender
    - updated the size overflow hash table, from Emese

 arch/arm/kernel/entry-armv.S      |    3 +-
 arch/x86/include/asm/processor.h  |    4 +-
 arch/x86/kernel/cpu/common.c      |    2 +-
 arch/x86/kernel/process_64.c      |    2 +-
 arch/x86/kernel/smpboot.c         |    2 +-
 arch/x86/xen/smp.c                |    2 +-
 tools/gcc/size_overflow_hash.data |  553 +++++++++++++++++++++++++++++++++----
 7 files changed, 513 insertions(+), 55 deletions(-)

commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
Merge: 19e077b 8a8a0d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 21:05:18 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 21:04:09 2013 -0400

    Update to pax-linux-3.10.3-test4.patch:
    - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
      this is finer grained sanitization than the existing per-page based approach (which
      is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
      line option can be used to enable/disable it on boot (it's enabled by default when
      CONFIG_PAX_MEMORY_SANITIZE is enabled).

 Documentation/kernel-parameters.txt |    4 ++++
 fs/buffer.c                         |    2 +-
 fs/dcache.c                         |    3 ++-
 include/linux/slab.h                |    7 +++++++
 include/linux/slab_def.h            |    4 ++++
 kernel/fork.c                       |    2 +-
 mm/rmap.c                           |    6 ++++--
 mm/slab.c                           |   27 +++++++++++++++++++++++++++
 mm/slab.h                           |   12 +++++++++++-
 mm/slab_common.c                    |   14 ++++++++++++++
 mm/slob.c                           |    5 +++++
 mm/slub.c                           |   11 +++++++++++
 net/core/skbuff.c                   |    6 ++++--
 security/Kconfig                    |   23 +++++++++++++++++------
 14 files changed, 112 insertions(+), 14 deletions(-)

commit 19e077bfff54ca211d0142c07cb6dd88069a390c
Merge: 960ec51 c8f7f51
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:53:34 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c8f7f51591207b82530214300e86277028919286
Merge: d5142e3 81a4648
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:52:29 2013 -0400

    Update to pax-linux-3.10.3-test3.patch:
    - fixed some compile issues reported by Michael Tremer and spender
    - fixed an i386 regression with the lower address space gap on i386, reported by cnu
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        kernel/time/tick-broadcast.c

commit 960ec51ab2142544fbae563d4fd5744775408965
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Jul 20 03:13:55 2013 +0400

    Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
    
    livelock avoidance in sget()
    
    Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
    to fail.  The superblock is on ->fs_supers, ->s_umount is held exclusive,
    ->s_active is 1.  Along comes two more processes, trying to mount the same
    thing; sget() in each is picking that superblock, bumping ->s_count and
    trying to grab ->s_umount.  ->s_active is 3 now.  Original mount(2)
    finally gets to deactivate_locked_super() on failure; ->s_active is 2,
    superblock is still ->fs_supers because shutdown will *not* happen until
    ->s_active hits 0.  ->s_umount is dropped and now we have two processes
    chasing each other:
    s_active = 2, A acquired ->s_umount, B blocked
    A sees that the damn thing is stillborn, does deactivate_locked_super()
    s_active = 1, A drops ->s_umount, B gets it
    A restarts the search and finds the same superblock.  And bumps it ->s_active.
    s_active = 2, B holds ->s_umount, A blocked on trying to get it
    ... and we are in the earlier situation with A and B switched places.
    
    The root cause, of course, is that ->s_active should not grow until we'd
    got MS_BORN.  Then failing ->mount() will have deactivate_locked_super()
    shut the damn thing down.  Fortunately, it's easy to do - the key point
    is that grab_super() is called only for superblocks currently on ->fs_supers,
    so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
    bump ->s_active; we must never increment ->s_count for superblocks past
    ->kill_sb(), but grab_super() is never called for those.
    
    The bug is pretty old; we would've caught it by now, if not for accidental
    exclusion between sget() for block filesystems; the things like cgroup or
    e.g. mtd-based filesystems don't have anything of that sort, so they get
    bitten.  The right way to deal with that is obviously to fix sget()...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/super.c |   25 ++++++++++---------------
 1 files changed, 10 insertions(+), 15 deletions(-)

commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
Merge: ab95b58 d5142e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:47:46 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
Merge: f36ae8c 0f4a56e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:47:34 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit ab95b5842899d61ff5c30f4582e72029b3155be8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:28:40 2013 -0400

    compile fix with constification reported by Michael Tremer

 drivers/gpu/host1x/drm/dc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 817cd2d1e7a55720326599dd8f542578eef30927
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Jul 12 23:46:33 2013 +0200

    Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
    
    ipv6: only static routes qualify for equal cost multipathing
    
    Static routes in this case are non-expiring routes which did not get
    configured by autoconf or by icmpv6 redirects.
    
    To make sure we actually get an ecmp route while searching for the first
    one in this fib6_node's leafs, also make sure it matches the ecmp route
    assumptions.
    
    v2:
    a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
       already ensures that this route, even if added again without
       RTF_EXPIRES (in case of a RA announcement with infinite timeout),
       does not cause the rt6i_nsiblings logic to go wrong if a later RA
       updates the expiration time later.
    
    v3:
    a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
       because an pmtu event could update the RTF_EXPIRES flag and we would
       not count this route, if another route joins this set. We now filter
       only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
       don't get changed after rt6_info construction.
    
    Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_fib.c |   15 +++++++++++----
 1 files changed, 11 insertions(+), 4 deletions(-)

commit 77db8196d51b043e2e2d124094da101b0f01bccb
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Jul 12 09:39:03 2013 +0300

    Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
    
    svcrdma: underflow issue in decode_write_list()
    
    My static checker marks everything from ntohl() as untrusted and it
    complains we could have an underflow problem doing:
    
        return (u32 *)&ary->wc_array[nchunks];
    
    Also on 32 bit systems the upper bound check could overflow.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 net/sunrpc/xprtrdma/svc_rdma_marshal.c |   20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)

commit 926473317fd7953137ef97835edd36dabc584b01
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 17 21:29:02 2013 -0400

    add missing asm/pgtable.h include, reported by Michael Tremer

 drivers/clk/socfpga/clk.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c592ae0001b31932ef1491784dfa374058797c66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 16 20:40:24 2013 -0400

    allow viewing of ecryptfs version under SYSFS_RESTRICT

 fs/sysfs/dir.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
Merge: 9c96441 f36ae8c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:23:13 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f36ae8c741ae32b1caff10825be12c327792c925
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:22:15 2013 -0400

    Update to pax-linux-3.10-test2.patch:
    - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
    - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
    - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
    - spender fixed an madvise regression, reported by Peter Keel
    - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
    - fixed a headers_install regression, reported by Mathias Krause
    - fixed a SLOB compile regression, reported by Mathias Krause

 arch/arm/include/asm/uaccess.h |    4 ++--
 arch/arm/mm/mmu.c              |   15 +++++++++++++--
 drivers/clk/socfpga/clk.c      |    6 ++++--
 mm/madvise.c                   |    4 ++--
 mm/slab.c                      |    4 ++--
 mm/slob.c                      |    4 ++--
 scripts/headers_install.sh     |    2 +-
 7 files changed, 26 insertions(+), 13 deletions(-)

commit 9c9644156a49637050741d9165df79174e59b0ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:19:54 2013 -0400

    Fix sparc64 compilation, reported by Blake Self

 arch/sparc/kernel/sys_sparc_64.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:49:17 2013 -0400

    Update PaX fix, just return the error

 mm/madvise.c |   15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

commit a10e377d0eddd37e8a3665b135e546ab03d9d171
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:36:00 2013 -0400

    Fix madvise oops reported by Peter Keel

 mm/madvise.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 08c5adca34d408772255b313f90d82c250c1d967
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:26:34 2013 -0400

    don't make high vector mapping non-present on old ARM architectures, no
    point in emulating some vector entries when the processor doesn't even support XN

 arch/arm/mm/mmu.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 2b40781d4197a89a003616af584884e36361c5b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 09:51:58 2013 -0400

    Temporary compile fix for code incorrectly modifying const data
    Wrap a cast version of the code with open/close
    
    Thanks to Michael Tremer for the report

 drivers/clk/socfpga/clk.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit a8258c1b4098c396cd4ea719e20858182feac1c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 09:41:16 2013 -0400

    Fix missing right parens in pipacs' "improvement" of my ARM code ;)
    Thanks to Michael Tremer for reporting

 arch/arm/include/asm/uaccess.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
Merge: 86f446e 2577f8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 13 20:46:58 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        mm/memcontrol.c

commit 2577f8e4ec41efb347706a59c6838de20f0c90da
Merge: 75a36f0 cb5d8be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 13 20:43:42 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        crypto/algapi.c
        drivers/block/nbd.c

commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 12 23:02:11 2013 -0400

    we always want the vector page to be noaccess for userland
    therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
    which turns into supervisor rwx, userland rx, we instead omit that entirely,
    leaving it as supervisor rwx only
    
    Fixes booting on ARMv5 and earlier, which need to write directly
    to the high vector mapping via set_tls when context switching
    
    Thanks to Michael Tremer for the bugreport

 arch/arm/mm/mmu.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit 90cd0827eef656ec884f19c977873fefe2f2e47d
Author: Cong Wang <amwang@redhat.com>
Date:   Sat Jun 29 12:02:59 2013 +0800

    Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
    
    gre: fix a regression in ioctl
    
    When testing GRE tunnel, I got:
    
     # ip tunnel show
     get tunnel gre0 failed: Invalid argument
     get tunnel gre1 failed: Invalid argument
    
    This is a regression introduced by commit c54419321455631079c7d
    ("GRE: Refactor GRE tunneling code.") because previously we
    only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
    after that commit, the check is moved for all commands.
    
    So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
    
    After this patch I got:
    
     # ip tunnel show
     gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
     gre1: gre/ip  remote 192.168.122.101  local 192.168.122.45  ttl inherit
    
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_gre.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
Author: Cong Wang <amwang@redhat.com>
Date:   Sat Jun 29 13:00:57 2013 +0800

    Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
    
    vti: remove duplicated code to fix a memory leak
    
    vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
    and in vti_tunnel_init(), this lead to a memory leak of
    dev->tstats.
    
    Just remove the duplicated operations in vti_fb_tunnel_init().
    
    (candidate for -stable)
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_vti.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:05 2013 +0200

    Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
    
    bnx2x: remove zeroing of dump data buffer
    
    There is no need to initialize the dump data with zeros.
    data is allocated with vzalloc, so it's already zero-filled.
    
    More importantly, the memset is harmful, because dump->len (the length
    requested by userspace) can be bigger than the allocated buffer (whose
    size is determined by asking the driver's .get_dump_flag method).
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c    |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit c771072b72c261f9bddd6734dca6979c1b96e7df
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:06 2013 +0200

    Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
    
    bnx2x: fix dump flag handling
    
    bnx2x interprets the dump flag as an index of a register preset.
    It is important to validate the index to avoid out of bounds
    memory accesses.
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c    |    3 +++
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c   |    2 ++
 2 files changed, 5 insertions(+), 0 deletions(-)

commit aed315c8fad9b2044143b46b239574b1b72135ce
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:30 2013 +0200

    Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
    
    ethtool: make .get_dump_data() harder to misuse by drivers
    
    As the patch "bnx2x: remove zeroing of dump data buffer" showed,
    it is too easy implement .get_dump_data incorrectly in a driver.
    
    Let's make sure drivers cannot get confused by userspace requesting
    a too big dump.
    
    Also WARN if the driver sets dump->len to something weird and make
    sure the length reported to userspace is the actual length of data
    copied to userspace.
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/ethtool.c |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

commit 5c57991e66216e386dcc875d34c33f0edd038569
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Jul 2 09:02:07 2013 +0800

    Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
    
    l2tp: add missing .owner to struct pppox_proto
    
    Add missing .owner of struct pppox_proto. This prevents the
    module from being removed from underneath its users.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Date:   Sun Jun 30 14:37:11 2013 +1000

    Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
    
    cxgb3: Missing rtnl lock in error recovery
    
    When exercising error injection on IBM pseries machine, I hit the
    following warning:
    
    [  251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
    [  253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
    [  253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
    [  254.895437] RTNL: assertion failed at net/core/dev.c (2031)
    [  254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G        W    3.10.0-rc7-00157-gea461ab #19
    [  254.895474] Call Trace:
    [  254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
    [  254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
    [  254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
    [  254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
    [  254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
    [  254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
    [  254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
    [  254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
    [  254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
    [  254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
    [  254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
    
    It appears that t3_resume_ports() is called with the rtnl_lock held from
    the fatal error task but not from the PCI error callbacks. This fixes it.
    
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Jul 1 20:21:30 2013 +0200

    Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
    
    ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
    
    We accidentally call down to ip6_push_pending_frames when uncorking
    pending AF_INET data on a ipv6 socket. This results in the following
    splat (from Dave Jones):
    
    skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:126!
    invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
    +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
    CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
    task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
    RIP: 0010:[<ffffffff816e759c>]  [<ffffffff816e759c>] skb_panic+0x63/0x65
    RSP: 0018:ffff8801e6431de8  EFLAGS: 00010282
    RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
    RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
    RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
    R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
    FS:  00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
    Stack:
     ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
     ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
     ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
    Call Trace:
     [<ffffffff8159a9aa>] skb_push+0x3a/0x40
     [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
     [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
     [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
     [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
     [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
     [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
     [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
     [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
     [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
     [<ffffffff816f5d54>] tracesys+0xdd/0xe2
    Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
    RIP  [<ffffffff816e759c>] skb_panic+0x63/0x65
     RSP <ffff8801e6431de8>
    
    This patch adds a check if the pending data is of address family AF_INET
    and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
    if that is the case.
    
    This bug was found by Dave Jones with trinity.
    
    (Also move the initialization of fl6 below the AF_INET check, even if
    not strictly necessary.)
    
    Cc: Dave Jones <davej@redhat.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/udp.h |    1 +
 net/ipv4/udp.c    |    3 ++-
 net/ipv6/udp.c    |    7 ++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

commit cd83094a85d9bbd5a67332156407d53cf8835432
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Tue Jul 2 08:04:05 2013 +0200

    Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
    
    ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
    
    If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
    of this when appending the second frame on a corked socket. This results
    in the following splat:
    
    [37598.993962] ------------[ cut here ]------------
    [37598.994008] kernel BUG at net/core/skbuff.c:2064!
    [37598.994008] invalid opcode: 0000 [#1] SMP
    [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
    +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
    +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
    [37598.994008]  snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
    +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
    [37598.994008] CPU 0
    [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
    [37598.994008] RIP: 0010:[<ffffffff815443a5>]  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008] RSP: 0018:ffff88003670da18  EFLAGS: 00010202
    [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
    [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
    [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
    [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
    [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
    [37598.994008] FS:  00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
    [37598.994008] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
    [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
    [37598.994008] Stack:
    [37598.994008]  ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
    [37598.994008]  ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
    [37598.994008]  0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
    [37598.994008] Call Trace:
    [37598.994008]  [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
    [37598.994008]  [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
    [37598.994008]  [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
    [37598.994008]  [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
    [37598.994008]  [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
    [37598.994008]  [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
    [37598.994008]  [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
    [37598.994008]  [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
    [37598.994008]  [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
    [37598.994008]  [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
    [37598.994008]  [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
    [37598.994008]  [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
    [37598.994008]  [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
    [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
    [37598.994008] RIP  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008]  RSP <ffff88003670da18>
    [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
    
    While there, also check if path mtu discovery is activated for this
    socket. The logic was adapted from ip6_append_data when first writing
    on the corked socket.
    
    This bug was introduced with commit
    0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
    fragment").
    
    v2:
    a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
    b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
       feng, thanks!).
    c) Change mtu to unsigned int, else we get a warning about
       non-matching types because of the min()-macro type-check.
    
    Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |   16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jul 7 14:26:53 2013 +0300

    Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
    
    vhost-net: fix use-after-free in vhost_net_flush
    
    vhost_net_ubuf_put_and_wait has a confusing name:
    it will actually also free it's argument.
    Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
        "vhost-net: flush outstanding DMAs on memory change"
    vhost_net_flush tries to use the argument after passing it
    to vhost_net_ubuf_put_and_wait, this results
    in use after free.
    To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
    add an new API for callers that want to free ubufs.
    
    Acked-by: Asias He <asias@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/vhost/net.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 088806db74ac2f08c106202bc5498585a9ee529f
Author: Michal Hocko <mhocko@suse.cz>
Date:   Mon Jul 8 16:00:29 2013 -0700

    Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
    
    memcg, kmem: fix reference count handling on the error path
    
    mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
    This is not correct because only memcg_propagate_kmem takes an
    additional reference while mem_cgroup_sockets_init is allowed to fail as
    well (although no current implementation fails) but it doesn't take any
    reference.  This all suggests that it should be memcg_propagate_kmem
    that should clean up after itself so this patch moves mem_cgroup_put
    over there.
    
    Unfortunately this is not that easy (as pointed out by Li Zefan) because
    memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
    marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
    memcg_propagate_kmem fails so the additional reference is dropped in
    that case in kmem_cgroup_destroy which means that the reference would be
    dropped two times.
    
    The easiest way then would be to simply remove mem_cgrroup_put from
    mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
    thing.
    
    Signed-off-by: Michal Hocko <mhocko@suse.cz>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Glauber Costa <glommer@openvz.org>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: <stable@vger.kernel.org>        [3.8]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memcontrol.c |    8 --------
 1 files changed, 0 insertions(+), 8 deletions(-)

commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
Author: Michal Hocko <mhocko@suse.cz>
Date:   Mon Jul 8 16:00:27 2013 -0700

    Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
    
    Revert "memcg: avoid dangling reference count in creation failure"
    
    This reverts commit e4715f01be697a.
    
    mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
    an additional reference from all parents so the additional
    mem_cgrroup_put(parent) potentially causes use-after-free.
    
    Signed-off-by: Michal Hocko <mhocko@suse.cz>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Glauber Costa <glommer@openvz.org>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: <stable@vger.kernel.org>        [3.9+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memcontrol.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 3267ec559f48327a1836eccecd53215afc5810d0
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jun 20 13:13:59 2013 -0700

    Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
    
    libceph: Fix NULL pointer dereference in auth client code
    
    A malicious monitor can craft an auth reply message that could cause a
    NULL function pointer dereference in the client's kernel.
    
    To prevent this, the auth_none protocol handler needs an empty
    ceph_auth_client_ops->build_request() function.
    
    CVE-2013-1059
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Chanam Park <chanam.park@hkpco.kr>
    Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
    Reviewed-by: Sage Weil <sage@inktank.com>
    Cc: stable@vger.kernel.org

 net/ceph/auth_none.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit cdfeb4049e7cb38702215b2c356ce0407974ac79
Author: Eric Paris <eparis@redhat.com>
Date:   Wed Jul 3 15:08:29 2013 -0700

    Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
    
    fork: reorder permissions when violating number of processes limits
    
    When a task is attempting to violate the RLIMIT_NPROC limit we have a
    check to see if the task is sufficiently priviledged.  The check first
    looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
    
    A result is that tasks which are allowed by the uid=0 check are first
    checked against the security subsystem.  This results in the security
    subsystem auditting a denial for sys_admin and sys_resource and then the
    task passing the uid=0 check.
    
    This patch rearranges the code to first check uid=0, since if we pass that
    we shouldn't hit the security system at all.  We then check sys_resource,
    since it is the smallest capability which will solve the problem.  Lastly
    we check the fallback everything cap_sysadmin.  We don't want to give this
    capability many places since it is so powerful.
    
    This will eliminate many of the false positive/needless denial messages we
    get when a root task tries to violate the nproc limit.  (note that
    kthreads count against root, so on a sufficiently large machine we can
    actually get past the default limits before any userspace tasks are
    launched.)
    
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/fork.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 08c87e049c8a50707908785d950fd48c334f4c09
Author: Chen Gang <gang.chen@asianux.com>
Date:   Sat Jun 22 13:26:09 2013 +0800

    Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
    
    arch: sparc: kernel: check the memory length before use strcpy().
    
    For the related next strcpy(), the destination length is less than 512,
    but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
    more than 512.
    
    One work flow may:
      openprom_sunos_ioctl() ->  if (cmd == OPROMSETOPT)
        getstrings() ->  will alloc buffer with size 'OPROMMAXPARAM'.
        opromsetopt() ->  devide the buffer into 'var' and 'value'
          of_set_property() -> pass
            prom_setprop() -> pass
              ldom_set_var()
    
    And do not mind the additional 4 alignment buffer increasing, since
    'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/ds.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 12 20:38:45 2013 -0400

    Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
    
    Unlike slub, slab can initally create two of the kmalloc_caches
    which will be used later for generic kmallocs of their particular
    aligned size (since the later loop in the unified allocator code
    skips any already-existing kmalloc_caches)

 mm/slab.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 22:04:59 2013 -0400

    compile fixes

 fs/exec.c |    2 +-
 mm/mmap.c |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

commit e2d027c7e0f106be683c0c72482b8285daefcbe6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:58:40 2013 -0400

    commit successful merges

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    3 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   17 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    4 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/defconfig                                  |    1 -
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/signal.c                           |    9 +-
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |    9 +-
 arch/x86/kernel/sys_x86_64.c                       |    8 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |    1 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  129 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/block/cpqarray.c                           |    1 +
 drivers/cdrom/cdrom.c                              |    4 +-
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/mwave/tp3780i.c                       |    1 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++++------------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    8 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |    9 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  184 ++-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/resize.c                                   |   17 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  234 ++-
 fs/namespace.c                                     |   16 +
 fs/notify/fanotify/fanotify_user.c                 |    1 +
 fs/open.c                                          |   38 +
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 ++-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |    4 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/perf_event.h                         |   13 +-
 include/linux/printk.h                             |    3 +-
 include/linux/sched.h                              |   24 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 +-
 kernel/events/core.c                               |   14 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   64 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    2 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    7 +
 kernel/printk.c                                    |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   70 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    1 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   63 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev_ioctl.c                               |    4 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    4 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netrom/af_netrom.c                             |    1 -
 net/phonet/af_phonet.c                             |    2 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  343 +++-
 security/apparmor/Kconfig                          |    9 +
 security/apparmor/apparmorfs.c                     |  231 ++
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 242 files changed, 4385 insertions(+), 2042 deletions(-)

commit 043a378c0f72ed92cc30182c48abce39867ac93f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:57:40 2013 -0400

    Commit merge of new files and rejected patches

 arch/arm/include/asm/thread_info.h     |    6 +-
 arch/arm/kernel/process.c              |    4 +-
 arch/powerpc/include/asm/thread_info.h |    7 +-
 arch/powerpc/mm/slice.c                |    2 +-
 arch/sparc/kernel/process_64.c         |    4 +-
 arch/x86/kernel/vm86_32.c              |   15 +
 fs/coredump.c                          |    1 +
 fs/ext4/balloc.c                       |    4 +-
 fs/namei.c                             |    7 +
 fs/namespace.c                         |    8 +
 fs/pipe.c                              |    2 +-
 fs/proc/inode.c                        |   13 +
 fs/proc/internal.h                     |    3 +
 grsecurity/Kconfig                     | 1054 +++++++++
 grsecurity/Makefile                    |   38 +
 grsecurity/gracl.c                     | 4073 ++++++++++++++++++++++++++++++++
 grsecurity/gracl_alloc.c               |  105 +
 grsecurity/gracl_cap.c                 |  110 +
 grsecurity/gracl_fs.c                  |  431 ++++
 grsecurity/gracl_ip.c                  |  387 +++
 grsecurity/gracl_learn.c               |  207 ++
 grsecurity/gracl_res.c                 |   68 +
 grsecurity/gracl_segv.c                |  305 +++
 grsecurity/gracl_shm.c                 |   40 +
 grsecurity/grsec_chdir.c               |   19 +
 grsecurity/grsec_chroot.c              |  370 +++
 grsecurity/grsec_disabled.c            |  434 ++++
 grsecurity/grsec_exec.c                |  187 ++
 grsecurity/grsec_fifo.c                |   24 +
 grsecurity/grsec_fork.c                |   23 +
 grsecurity/grsec_init.c                |  283 +++
 grsecurity/grsec_link.c                |   58 +
 grsecurity/grsec_log.c                 |  326 +++
 grsecurity/grsec_mem.c                 |   40 +
 grsecurity/grsec_mount.c               |   62 +
 grsecurity/grsec_pax.c                 |   36 +
 grsecurity/grsec_ptrace.c              |   30 +
 grsecurity/grsec_sig.c                 |  246 ++
 grsecurity/grsec_sock.c                |  244 ++
 grsecurity/grsec_sysctl.c              |  469 ++++
 grsecurity/grsec_time.c                |   16 +
 grsecurity/grsec_tpe.c                 |   73 +
 grsecurity/grsum.c                     |   61 +
 include/linux/gracl.h                  |  319 +++
 include/linux/gralloc.h                |    9 +
 include/linux/grdefs.h                 |  140 ++
 include/linux/grinternal.h             |  227 ++
 include/linux/grmsg.h                  |  112 +
 include/linux/grsecurity.h             |  241 ++
 include/linux/grsock.h                 |   19 +
 include/linux/netfilter/xt_gradm.h     |    9 +
 include/linux/proc_fs.h                |   13 +
 include/linux/sched.h                  |   48 +-
 include/trace/events/fs.h              |   53 +
 kernel/kmod.c                          |    7 +-
 kernel/panic.c                         |    2 +-
 kernel/posix-timers.c                  |    1 +
 kernel/time/timekeeping.c              |    2 +
 lib/Kconfig.debug                      |    2 +-
 lib/vsprintf.c                         |   31 +
 localversion-grsec                     |    1 +
 mm/mmap.c                              |   13 +-
 mm/shmem.c                             |    2 +-
 net/core/net-procfs.c                  |    5 +
 net/ipv6/udp.c                         |    3 +
 net/netfilter/xt_gradm.c               |   51 +
 66 files changed, 11184 insertions(+), 21 deletions(-)

commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 17:35:47 2013 -0400

    Initial import of pax-linux-3.10-test1.patch

 Documentation/dontdiff                             |   46 +-
 Documentation/kernel-parameters.txt                |   12 +
 Makefile                                           |  100 +-
 arch/alpha/include/asm/atomic.h                    |   10 +
 arch/alpha/include/asm/elf.h                       |    7 +
 arch/alpha/include/asm/pgalloc.h                   |    6 +
 arch/alpha/include/asm/pgtable.h                   |   11 +
 arch/alpha/kernel/module.c                         |    2 +-
 arch/alpha/kernel/osf_sys.c                        |    8 +-
 arch/alpha/mm/fault.c                              |  141 +-
 arch/arm/Kconfig                                   |    2 +-
 arch/arm/include/asm/atomic.h                      |  444 ++-
 arch/arm/include/asm/cache.h                       |    5 +-
 arch/arm/include/asm/cacheflush.h                  |    2 +-
 arch/arm/include/asm/checksum.h                    |   14 +-
 arch/arm/include/asm/cmpxchg.h                     |    2 +
 arch/arm/include/asm/domain.h                      |   33 +-
 arch/arm/include/asm/elf.h                         |   13 +-
 arch/arm/include/asm/fncpy.h                       |    2 +
 arch/arm/include/asm/futex.h                       |   10 +
 arch/arm/include/asm/kmap_types.h                  |    2 +-
 arch/arm/include/asm/mach/dma.h                    |    2 +-
 arch/arm/include/asm/mach/map.h                    |    7 +-
 arch/arm/include/asm/outercache.h                  |    2 +-
 arch/arm/include/asm/page.h                        |    2 +-
 arch/arm/include/asm/pgalloc.h                     |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h        |    5 +
 arch/arm/include/asm/pgtable-2level.h              |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h        |    2 +
 arch/arm/include/asm/pgtable-3level.h              |    2 +
 arch/arm/include/asm/pgtable.h                     |   56 +-
 arch/arm/include/asm/proc-fns.h                    |    2 +-
 arch/arm/include/asm/processor.h                   |    5 +-
 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/include/asm/smp.h                         |    2 +-
 arch/arm/include/asm/thread_info.h                 |    6 +-
 arch/arm/include/asm/uaccess.h                     |   92 +-
 arch/arm/include/uapi/asm/ptrace.h                 |    2 +-
 arch/arm/kernel/armksyms.c                         |    8 +-
 arch/arm/kernel/entry-armv.S                       |  107 +-
 arch/arm/kernel/entry-common.S                     |   41 +-
 arch/arm/kernel/entry-header.S                     |   60 +
 arch/arm/kernel/fiq.c                              |    2 +
 arch/arm/kernel/head.S                             |    6 +-
 arch/arm/kernel/hw_breakpoint.c                    |    2 +-
 arch/arm/kernel/module.c                           |   29 +-
 arch/arm/kernel/patch.c                            |    2 +
 arch/arm/kernel/perf_event_cpu.c                   |    2 +-
 arch/arm/kernel/process.c                          |   14 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/arm/kernel/setup.c                            |   22 +-
 arch/arm/kernel/signal.c                           |   24 +-
 arch/arm/kernel/smp.c                              |    2 +-
 arch/arm/kernel/traps.c                            |   15 +-
 arch/arm/kernel/vmlinux.lds.S                      |   22 +-
 arch/arm/lib/clear_user.S                          |    6 +-
 arch/arm/lib/copy_from_user.S                      |    6 +-
 arch/arm/lib/copy_page.S                           |    1 +
 arch/arm/lib/copy_to_user.S                        |    6 +-
 arch/arm/lib/csumpartialcopyuser.S                 |    4 +-
 arch/arm/lib/delay.c                               |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c                 |    2 +-
 arch/arm/mach-kirkwood/common.c                    |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                   |    2 +-
 arch/arm/mach-omap2/gpmc.c                         |   22 +-
 arch/arm/mach-omap2/omap-wakeupgen.c               |    2 +-
 arch/arm/mach-omap2/omap_device.c                  |    4 +-
 arch/arm/mach-omap2/omap_device.h                  |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                   |    4 +-
 arch/arm/mach-omap2/wd_timer.c                     |    6 +-
 arch/arm/mach-tegra/cpuidle-tegra20.c              |    2 +-
 arch/arm/mach-ux500/setup.h                        |    7 -
 arch/arm/mm/Kconfig                                |    3 +-
 arch/arm/mm/alignment.c                            |    8 +
 arch/arm/mm/fault.c                                |   91 +
 arch/arm/mm/fault.h                                |   12 +
 arch/arm/mm/init.c                                 |   41 +
 arch/arm/mm/ioremap.c                              |    4 +-
 arch/arm/mm/mmap.c                                 |   30 +-
 arch/arm/mm/mmu.c                                  |  187 +-
 arch/arm/mm/proc-v7-2level.S                       |    3 +
 arch/arm/plat-omap/sram.c                          |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h       |    2 +-
 arch/arm64/kernel/debug-monitors.c                 |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                  |    2 +-
 arch/avr32/include/asm/elf.h                       |    8 +-
 arch/avr32/include/asm/kmap_types.h                |    4 +-
 arch/avr32/mm/fault.c                              |   27 +
 arch/frv/include/asm/atomic.h                      |   10 +
 arch/frv/include/asm/kmap_types.h                  |    2 +-
 arch/frv/mm/elf-fdpic.c                            |    3 +-
 arch/ia64/include/asm/atomic.h                     |   10 +
 arch/ia64/include/asm/elf.h                        |    7 +
 arch/ia64/include/asm/pgalloc.h                    |   12 +
 arch/ia64/include/asm/pgtable.h                    |   13 +-
 arch/ia64/include/asm/spinlock.h                   |    2 +-
 arch/ia64/include/asm/uaccess.h                    |   26 +-
 arch/ia64/kernel/err_inject.c                      |    2 +-
 arch/ia64/kernel/mca.c                             |    2 +-
 arch/ia64/kernel/module.c                          |   48 +-
 arch/ia64/kernel/palinfo.c                         |    2 +-
 arch/ia64/kernel/salinfo.c                         |    2 +-
 arch/ia64/kernel/sys_ia64.c                        |    7 +
 arch/ia64/kernel/topology.c                        |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                     |    2 +-
 arch/ia64/mm/fault.c                               |   32 +-
 arch/ia64/mm/init.c                                |   13 +
 arch/m32r/lib/usercopy.c                           |    6 +
 arch/mips/include/asm/atomic.h                     |   14 +
 arch/mips/include/asm/elf.h                        |   11 +-
 arch/mips/include/asm/exec.h                       |    2 +-
 arch/mips/include/asm/page.h                       |    2 +-
 arch/mips/include/asm/pgalloc.h                    |    5 +
 arch/mips/kernel/binfmt_elfn32.c                   |    7 +
 arch/mips/kernel/binfmt_elfo32.c                   |    7 +
 arch/mips/kernel/process.c                         |   12 -
 arch/mips/mm/fault.c                               |   17 +
 arch/mips/mm/mmap.c                                |   51 +-
 arch/parisc/include/asm/atomic.h                   |   10 +
 arch/parisc/include/asm/elf.h                      |    7 +
 arch/parisc/include/asm/pgalloc.h                  |    6 +
 arch/parisc/include/asm/pgtable.h                  |   11 +
 arch/parisc/include/asm/uaccess.h                  |    4 +-
 arch/parisc/kernel/module.c                        |   50 +-
 arch/parisc/kernel/sys_parisc.c                    |    9 +-
 arch/parisc/kernel/traps.c                         |    4 +-
 arch/parisc/mm/fault.c                             |  140 +-
 arch/powerpc/include/asm/atomic.h                  |   10 +
 arch/powerpc/include/asm/elf.h                     |   19 +-
 arch/powerpc/include/asm/exec.h                    |    2 +-
 arch/powerpc/include/asm/kmap_types.h              |    2 +-
 arch/powerpc/include/asm/mman.h                    |    2 +-
 arch/powerpc/include/asm/page.h                    |    8 +-
 arch/powerpc/include/asm/page_64.h                 |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h              |    7 +
 arch/powerpc/include/asm/pgtable.h                 |    1 +
 arch/powerpc/include/asm/pte-hash32.h              |    1 +
 arch/powerpc/include/asm/reg.h                     |    1 +
 arch/powerpc/include/asm/smp.h                     |    2 +-
 arch/powerpc/include/asm/uaccess.h                 |  140 +-
 arch/powerpc/kernel/exceptions-64e.S               |    4 +-
 arch/powerpc/kernel/exceptions-64s.S               |    2 +-
 arch/powerpc/kernel/module_32.c                    |   13 +-
 arch/powerpc/kernel/process.c                      |   55 -
 arch/powerpc/kernel/signal_32.c                    |    2 +-
 arch/powerpc/kernel/signal_64.c                    |    2 +-
 arch/powerpc/kernel/sysfs.c                        |    2 +-
 arch/powerpc/kernel/vdso.c                         |    5 +-
 arch/powerpc/lib/usercopy_64.c                     |   18 -
 arch/powerpc/mm/fault.c                            |   54 +-
 arch/powerpc/mm/mmap_64.c                          |   16 +
 arch/powerpc/mm/mmu_context_nohash.c               |    2 +-
 arch/powerpc/mm/numa.c                             |    2 +-
 arch/powerpc/mm/slice.c                            |   13 +-
 arch/powerpc/platforms/cell/spufs/file.c           |    4 +-
 arch/powerpc/platforms/powermac/smp.c              |    2 +-
 arch/s390/include/asm/atomic.h                     |   10 +
 arch/s390/include/asm/elf.h                        |   13 +-
 arch/s390/include/asm/exec.h                       |    2 +-
 arch/s390/include/asm/uaccess.h                    |   15 +-
 arch/s390/kernel/module.c                          |   22 +-
 arch/s390/kernel/process.c                         |   36 -
 arch/s390/mm/mmap.c                                |   24 +
 arch/score/include/asm/exec.h                      |    2 +-
 arch/score/kernel/process.c                        |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c                 |    2 +-
 arch/sh/mm/mmap.c                                  |   22 +-
 arch/sparc/include/asm/atomic_64.h                 |  106 +-
 arch/sparc/include/asm/cache.h                     |    2 +-
 arch/sparc/include/asm/elf_32.h                    |    7 +
 arch/sparc/include/asm/elf_64.h                    |    7 +
 arch/sparc/include/asm/pgalloc_32.h                |    1 +
 arch/sparc/include/asm/pgalloc_64.h                |    1 +
 arch/sparc/include/asm/pgtable_32.h                |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                  |    5 +
 arch/sparc/include/asm/spinlock_64.h               |   35 +-
 arch/sparc/include/asm/thread_info_32.h            |    2 +
 arch/sparc/include/asm/thread_info_64.h            |    2 +
 arch/sparc/include/asm/uaccess.h                   |    1 +
 arch/sparc/include/asm/uaccess_32.h                |   27 +-
 arch/sparc/include/asm/uaccess_64.h                |   19 +-
 arch/sparc/kernel/Makefile                         |    2 +-
 arch/sparc/kernel/prom_common.c                    |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                   |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                   |   48 +-
 arch/sparc/kernel/sysfs.c                          |    2 +-
 arch/sparc/kernel/traps_64.c                       |   13 +-
 arch/sparc/lib/Makefile                            |    2 +-
 arch/sparc/lib/atomic_64.S                         |  136 +-
 arch/sparc/lib/ksyms.c                             |    6 +
 arch/sparc/mm/Makefile                             |    2 +-
 arch/sparc/mm/fault_32.c                           |  292 +
 arch/sparc/mm/fault_64.c                           |  486 ++
 arch/sparc/mm/hugetlbpage.c                        |   21 +-
 arch/tile/include/asm/atomic_64.h                  |   10 +
 arch/tile/include/asm/uaccess.h                    |    4 +-
 arch/um/Makefile                                   |    4 +
 arch/um/include/asm/kmap_types.h                   |    2 +-
 arch/um/include/asm/page.h                         |    3 +
 arch/um/include/asm/pgtable-3level.h               |    1 +
 arch/um/kernel/process.c                           |   16 -
 arch/x86/Kconfig                                   |   10 +-
 arch/x86/Kconfig.cpu                               |    6 +-
 arch/x86/Kconfig.debug                             |    4 +-
 arch/x86/Makefile                                  |   10 +
 arch/x86/boot/Makefile                             |    3 +
 arch/x86/boot/bitops.h                             |    4 +-
 arch/x86/boot/boot.h                               |    4 +-
 arch/x86/boot/compressed/Makefile                  |    3 +
 arch/x86/boot/compressed/eboot.c                   |    2 -
 arch/x86/boot/compressed/efi_stub_32.S             |   16 +-
 arch/x86/boot/compressed/head_32.S                 |    7 +-
 arch/x86/boot/compressed/head_64.S                 |    8 +-
 arch/x86/boot/compressed/misc.c                    |    4 +-
 arch/x86/boot/cpucheck.c                           |   28 +-
 arch/x86/boot/header.S                             |    6 +-
 arch/x86/boot/memory.c                             |    2 +-
 arch/x86/boot/video-vesa.c                         |    1 +
 arch/x86/boot/video.c                              |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S                |    4 +
 arch/x86/crypto/aesni-intel_asm.S                  |   22 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/camellia-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S          |    7 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S          |    9 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S            |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S       |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                   |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S       |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S            |    3 +
 arch/x86/ia32/ia32_signal.c                        |   14 +-
 arch/x86/ia32/ia32entry.S                          |  141 +-
 arch/x86/ia32/sys_ia32.c                           |    4 +-
 arch/x86/include/asm/alternative-asm.h             |   39 +
 arch/x86/include/asm/alternative.h                 |    4 +-
 arch/x86/include/asm/apic.h                        |    2 +-
 arch/x86/include/asm/apm.h                         |    4 +-
 arch/x86/include/asm/atomic.h                      |  307 +-
 arch/x86/include/asm/atomic64_32.h                 |  100 +
 arch/x86/include/asm/atomic64_64.h                 |  202 +-
 arch/x86/include/asm/bitops.h                      |    4 +-
 arch/x86/include/asm/boot.h                        |    7 +-
 arch/x86/include/asm/cache.h                       |    5 +-
 arch/x86/include/asm/cacheflush.h                  |    2 +-
 arch/x86/include/asm/checksum_32.h                 |   12 +-
 arch/x86/include/asm/cmpxchg.h                     |   35 +
 arch/x86/include/asm/compat.h                      |    2 +-
 arch/x86/include/asm/cpufeature.h                  |    4 +-
 arch/x86/include/asm/desc.h                        |   67 +-
 arch/x86/include/asm/desc_defs.h                   |    6 +
 arch/x86/include/asm/div64.h                       |    2 +-
 arch/x86/include/asm/elf.h                         |   31 +-
 arch/x86/include/asm/emergency-restart.h           |    2 +-
 arch/x86/include/asm/fpu-internal.h                |    6 +-
 arch/x86/include/asm/futex.h                       |   16 +-
 arch/x86/include/asm/hw_irq.h                      |    4 +-
 arch/x86/include/asm/i8259.h                       |    2 +-
 arch/x86/include/asm/io.h                          |   21 +-
 arch/x86/include/asm/irqflags.h                    |    5 +
 arch/x86/include/asm/kprobes.h                     |    9 +-
 arch/x86/include/asm/local.h                       |  142 +-
 arch/x86/include/asm/mman.h                        |   15 +
 arch/x86/include/asm/mmu.h                         |   16 +-
 arch/x86/include/asm/mmu_context.h                 |   76 +-
 arch/x86/include/asm/module.h                      |   17 +-
 arch/x86/include/asm/nmi.h                         |    6 +-
 arch/x86/include/asm/page.h                        |    1 +
 arch/x86/include/asm/page_64.h                     |    4 +-
 arch/x86/include/asm/paravirt.h                    |   46 +-
 arch/x86/include/asm/paravirt_types.h              |   17 +-
 arch/x86/include/asm/pgalloc.h                     |   23 +
 arch/x86/include/asm/pgtable-2level.h              |    2 +
 arch/x86/include/asm/pgtable-3level.h              |    4 +
 arch/x86/include/asm/pgtable.h                     |  122 +-
 arch/x86/include/asm/pgtable_32.h                  |   14 +-
 arch/x86/include/asm/pgtable_32_types.h            |   15 +-
 arch/x86/include/asm/pgtable_64.h                  |   19 +-
 arch/x86/include/asm/pgtable_64_types.h            |    5 +
 arch/x86/include/asm/pgtable_types.h               |   36 +-
 arch/x86/include/asm/processor.h                   |   39 +-
 arch/x86/include/asm/ptrace.h                      |   26 +-
 arch/x86/include/asm/realmode.h                    |    4 +-
 arch/x86/include/asm/reboot.h                      |   10 +-
 arch/x86/include/asm/rwsem.h                       |   60 +-
 arch/x86/include/asm/segment.h                     |   24 +-
 arch/x86/include/asm/smp.h                         |   14 +-
 arch/x86/include/asm/spinlock.h                    |   36 +-
 arch/x86/include/asm/stackprotector.h              |    4 +-
 arch/x86/include/asm/stacktrace.h                  |   32 +-
 arch/x86/include/asm/switch_to.h                   |    4 +-
 arch/x86/include/asm/thread_info.h                 |   83 +-
 arch/x86/include/asm/uaccess.h                     |   96 +-
 arch/x86/include/asm/uaccess_32.h                  |  106 +-
 arch/x86/include/asm/uaccess_64.h                  |  232 +-
 arch/x86/include/asm/word-at-a-time.h              |    2 +-
 arch/x86/include/asm/x86_init.h                    |   10 +-
 arch/x86/include/asm/xsave.h                       |   10 +-
 arch/x86/include/uapi/asm/e820.h                   |    2 +-
 arch/x86/kernel/Makefile                           |    2 +-
 arch/x86/kernel/acpi/boot.c                        |    4 +-
 arch/x86/kernel/acpi/sleep.c                       |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                   |    6 +-
 arch/x86/kernel/alternative.c                      |   65 +-
 arch/x86/kernel/apic/apic.c                        |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c                |    4 +-
 arch/x86/kernel/apic/apic_noop.c                   |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                   |    2 +-
 arch/x86/kernel/apic/es7000_32.c                   |    5 +-
 arch/x86/kernel/apic/io_apic.c                     |    8 +-
 arch/x86/kernel/apic/numaq_32.c                    |    3 +-
 arch/x86/kernel/apic/probe_32.c                    |    2 +-
 arch/x86/kernel/apic/summit_32.c                   |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c              |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c                 |    2 +-
 arch/x86/kernel/apm_32.c                           |   19 +-
 arch/x86/kernel/asm-offsets.c                      |   20 +
 arch/x86/kernel/asm-offsets_64.c                   |    1 +
 arch/x86/kernel/cpu/Makefile                       |    4 -
 arch/x86/kernel/cpu/amd.c                          |    2 +-
 arch/x86/kernel/cpu/common.c                       |   75 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c              |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |   33 +-
 arch/x86/kernel/cpu/mcheck/p5.c                    |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c           |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c               |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                    |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                    |    2 +-
 arch/x86/kernel/cpu/perf_event.c                   |    8 +-
 arch/x86/kernel/cpu/perf_event_intel.c             |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c      |    4 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h      |    2 +-
 arch/x86/kernel/cpuid.c                            |    2 +-
 arch/x86/kernel/crash.c                            |    4 +-
 arch/x86/kernel/crash_dump_64.c                    |    2 +-
 arch/x86/kernel/doublefault_32.c                   |    8 +-
 arch/x86/kernel/dumpstack.c                        |   28 +-
 arch/x86/kernel/dumpstack_32.c                     |   34 +-
 arch/x86/kernel/dumpstack_64.c                     |   61 +-
 arch/x86/kernel/e820.c                             |    4 +-
 arch/x86/kernel/early_printk.c                     |    1 +
 arch/x86/kernel/entry_32.S                         |  354 +-
 arch/x86/kernel/entry_64.S                         |  548 ++-
 arch/x86/kernel/ftrace.c                           |   14 +-
 arch/x86/kernel/head64.c                           |   13 +-
 arch/x86/kernel/head_32.S                          |  237 +-
 arch/x86/kernel/head_64.S                          |  143 +-
 arch/x86/kernel/i386_ksyms_32.c                    |    8 +
 arch/x86/kernel/i387.c                             |    2 +-
 arch/x86/kernel/i8259.c                            |   10 +-
 arch/x86/kernel/io_delay.c                         |    2 +-
 arch/x86/kernel/ioport.c                           |    2 +-
 arch/x86/kernel/irq.c                              |    8 +-
 arch/x86/kernel/irq_32.c                           |   69 +-
 arch/x86/kernel/irq_64.c                           |    2 +-
 arch/x86/kernel/kdebugfs.c                         |    2 +-
 arch/x86/kernel/kgdb.c                             |   25 +-
 arch/x86/kernel/kprobes/core.c                     |   30 +-
 arch/x86/kernel/kprobes/opt.c                      |   16 +-
 arch/x86/kernel/kvm.c                              |    2 +-
 arch/x86/kernel/ldt.c                              |   31 +-
 arch/x86/kernel/machine_kexec_32.c                 |    6 +-
 arch/x86/kernel/microcode_core.c                   |    2 +-
 arch/x86/kernel/microcode_intel.c                  |    4 +-
 arch/x86/kernel/module.c                           |   76 +-
 arch/x86/kernel/msr.c                              |    2 +-
 arch/x86/kernel/nmi.c                              |   19 +-
 arch/x86/kernel/nmi_selftest.c                     |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c               |    2 +-
 arch/x86/kernel/paravirt.c                         |   43 +-
 arch/x86/kernel/pci-calgary_64.c                   |    2 +-
 arch/x86/kernel/pci-iommu_table.c                  |    2 +-
 arch/x86/kernel/pci-swiotlb.c                      |    2 +-
 arch/x86/kernel/process.c                          |   55 +-
 arch/x86/kernel/process_32.c                       |   29 +-
 arch/x86/kernel/process_64.c                       |   15 +-
 arch/x86/kernel/ptrace.c                           |   25 +-
 arch/x86/kernel/pvclock.c                          |    8 +-
 arch/x86/kernel/reboot.c                           |   44 +-
 arch/x86/kernel/relocate_kernel_64.S               |    2 +
 arch/x86/kernel/setup.c                            |   21 +-
 arch/x86/kernel/setup_percpu.c                     |   29 +-
 arch/x86/kernel/signal.c                           |   15 +-
 arch/x86/kernel/smp.c                              |    2 +-
 arch/x86/kernel/smpboot.c                          |   15 +-
 arch/x86/kernel/step.c                             |   10 +-
 arch/x86/kernel/sys_i386_32.c                      |  184 +
 arch/x86/kernel/sys_x86_64.c                       |   22 +-
 arch/x86/kernel/tboot.c                            |   14 +-
 arch/x86/kernel/time.c                             |   10 +-
 arch/x86/kernel/tls.c                              |    7 +-
 arch/x86/kernel/traps.c                            |   64 +-
 arch/x86/kernel/uprobes.c                          |    4 +-
 arch/x86/kernel/vm86_32.c                          |    6 +-
 arch/x86/kernel/vmlinux.lds.S                      |  148 +-
 arch/x86/kernel/vsyscall_64.c                      |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                   |    2 -
 arch/x86/kernel/x86_init.c                         |    8 +-
 arch/x86/kernel/xsave.c                            |    2 +
 arch/x86/kvm/cpuid.c                               |   21 +-
 arch/x86/kvm/emulate.c                             |    4 +-
 arch/x86/kvm/lapic.c                               |    2 +-
 arch/x86/kvm/paging_tmpl.h                         |    2 +-
 arch/x86/kvm/svm.c                                 |    8 +
 arch/x86/kvm/vmx.c                                 |   61 +-
 arch/x86/kvm/x86.c                                 |    8 +-
 arch/x86/lguest/boot.c                             |    3 +-
 arch/x86/lib/atomic64_386_32.S                     |  164 +
 arch/x86/lib/atomic64_cx8_32.S                     |  103 +-
 arch/x86/lib/checksum_32.S                         |  100 +-
 arch/x86/lib/clear_page_64.S                       |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                      |    2 +
 arch/x86/lib/copy_page_64.S                        |   24 +-
 arch/x86/lib/copy_user_64.S                        |   47 +-
 arch/x86/lib/copy_user_nocache_64.S                |   20 +-
 arch/x86/lib/csum-copy_64.S                        |    2 +
 arch/x86/lib/csum-wrappers_64.c                    |    4 +-
 arch/x86/lib/getuser.S                             |   70 +-
 arch/x86/lib/insn.c                                |    6 +-
 arch/x86/lib/iomap_copy_64.S                       |    2 +
 arch/x86/lib/memcpy_64.S                           |   18 +-
 arch/x86/lib/memmove_64.S                          |   34 +-
 arch/x86/lib/memset_64.S                           |    7 +-
 arch/x86/lib/mmx_32.c                              |  243 +-
 arch/x86/lib/msr-reg.S                             |   18 +-
 arch/x86/lib/putuser.S                             |   90 +-
 arch/x86/lib/rwlock.S                              |   42 +
 arch/x86/lib/rwsem.S                               |    6 +-
 arch/x86/lib/thunk_64.S                            |    2 +
 arch/x86/lib/usercopy_32.c                         |  363 +-
 arch/x86/lib/usercopy_64.c                         |   13 +-
 arch/x86/mm/extable.c                              |   25 +-
 arch/x86/mm/fault.c                                |  556 ++-
 arch/x86/mm/gup.c                                  |    2 +-
 arch/x86/mm/highmem_32.c                           |    4 +
 arch/x86/mm/hugetlbpage.c                          |   30 +-
 arch/x86/mm/init.c                                 |   98 +-
 arch/x86/mm/init_32.c                              |  113 +-
 arch/x86/mm/init_64.c                              |   38 +-
 arch/x86/mm/iomap_32.c                             |    4 +
 arch/x86/mm/ioremap.c                              |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                  |    4 +-
 arch/x86/mm/mmap.c                                 |   41 +-
 arch/x86/mm/mmio-mod.c                             |   10 +-
 arch/x86/mm/numa.c                                 |    2 +-
 arch/x86/mm/pageattr-test.c                        |    2 +-
 arch/x86/mm/pageattr.c                             |   33 +-
 arch/x86/mm/pat.c                                  |   12 +-
 arch/x86/mm/pat_rbtree.c                           |    2 +-
 arch/x86/mm/pf_in.c                                |   10 +-
 arch/x86/mm/pgtable.c                              |  137 +-
 arch/x86/mm/pgtable_32.c                           |    3 +
 arch/x86/mm/physaddr.c                             |    4 +-
 arch/x86/mm/setup_nx.c                             |    7 +
 arch/x86/mm/tlb.c                                  |    4 +
 arch/x86/net/bpf_jit.S                             |   14 +
 arch/x86/net/bpf_jit_comp.c                        |   37 +-
 arch/x86/oprofile/backtrace.c                      |    8 +-
 arch/x86/oprofile/nmi_int.c                        |    8 +-
 arch/x86/oprofile/op_model_amd.c                   |    8 +-
 arch/x86/oprofile/op_model_ppro.c                  |    7 +-
 arch/x86/oprofile/op_x86_model.h                   |    2 +-
 arch/x86/pci/amd_bus.c                             |    2 +-
 arch/x86/pci/irq.c                                 |    8 +-
 arch/x86/pci/mrst.c                                |    4 +-
 arch/x86/pci/pcbios.c                              |  144 +-
 arch/x86/platform/efi/efi_32.c                     |   24 +
 arch/x86/platform/efi/efi_64.c                     |   10 +
 arch/x86/platform/efi/efi_stub_32.S                |   64 +-
 arch/x86/platform/efi/efi_stub_64.S                |    8 +
 arch/x86/platform/mrst/mrst.c                      |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                   |    2 +-
 arch/x86/power/cpu.c                               |   11 +-
 arch/x86/realmode/init.c                           |   10 +-
 arch/x86/realmode/rm/Makefile                      |    3 +
 arch/x86/realmode/rm/header.S                      |    4 +-
 arch/x86/realmode/rm/trampoline_32.S               |   12 +-
 arch/x86/realmode/rm/trampoline_64.S               |    2 +-
 arch/x86/tools/Makefile                            |    2 +-
 arch/x86/tools/relocs.c                            |   94 +-
 arch/x86/um/tls_32.c                               |    2 +-
 arch/x86/vdso/Makefile                             |    2 +-
 arch/x86/vdso/vdso32-setup.c                       |   23 +-
 arch/x86/vdso/vma.c                                |   29 +-
 arch/x86/xen/enlighten.c                           |   47 +-
 arch/x86/xen/mmu.c                                 |    9 +
 arch/x86/xen/smp.c                                 |   18 +-
 arch/x86/xen/xen-asm_32.S                          |   12 +-
 arch/x86/xen/xen-head.S                            |   11 +
 arch/x86/xen/xen-ops.h                             |    2 -
 block/blk-iopoll.c                                 |    4 +-
 block/blk-map.c                                    |    2 +-
 block/blk-softirq.c                                |    4 +-
 block/bsg.c                                        |   12 +-
 block/compat_ioctl.c                               |    2 +-
 block/genhd.c                                      |   11 +-
 block/partitions/efi.c                             |    8 +-
 block/scsi_ioctl.c                                 |   27 +-
 crypto/algapi.c                                    |    2 +-
 crypto/cryptd.c                                    |    4 +-
 crypto/pcrypt.c                                    |    6 +-
 drivers/acpi/apei/apei-internal.h                  |    2 +-
 drivers/acpi/apei/cper.c                           |    8 +-
 drivers/acpi/bgrt.c                                |    6 +-
 drivers/acpi/blacklist.c                           |    4 +-
 drivers/acpi/ec_sys.c                              |   12 +-
 drivers/acpi/processor_idle.c                      |    2 +-
 drivers/acpi/sysfs.c                               |    4 +-
 drivers/ata/libahci.c                              |    2 +-
 drivers/ata/libata-core.c                          |    8 +-
 drivers/ata/pata_arasan_cf.c                       |    4 +-
 drivers/atm/adummy.c                               |    2 +-
 drivers/atm/ambassador.c                           |    8 +-
 drivers/atm/atmtcp.c                               |   14 +-
 drivers/atm/eni.c                                  |   10 +-
 drivers/atm/firestream.c                           |    8 +-
 drivers/atm/fore200e.c                             |   14 +-
 drivers/atm/he.c                                   |   18 +-
 drivers/atm/horizon.c                              |    4 +-
 drivers/atm/idt77252.c                             |   36 +-
 drivers/atm/iphase.c                               |   34 +-
 drivers/atm/lanai.c                                |   12 +-
 drivers/atm/nicstar.c                              |   46 +-
 drivers/atm/solos-pci.c                            |    4 +-
 drivers/atm/suni.c                                 |    4 +-
 drivers/atm/uPD98402.c                             |   16 +-
 drivers/atm/zatm.c                                 |    6 +-
 drivers/base/attribute_container.c                 |    2 +-
 drivers/base/bus.c                                 |    4 +-
 drivers/base/devtmpfs.c                            |    8 +-
 drivers/base/node.c                                |    2 +-
 drivers/base/power/domain.c                        |    4 +-
 drivers/base/power/sysfs.c                         |    2 +-
 drivers/base/power/wakeup.c                        |    8 +-
 drivers/base/syscore.c                             |    4 +-
 drivers/block/cciss.c                              |   28 +-
 drivers/block/cciss.h                              |    2 +-
 drivers/block/cpqarray.c                           |   28 +-
 drivers/block/cpqarray.h                           |    2 +-
 drivers/block/drbd/drbd_int.h                      |    6 +-
 drivers/block/drbd/drbd_main.c                     |    8 +-
 drivers/block/drbd/drbd_receiver.c                 |   22 +-
 drivers/block/loop.c                               |    2 +-
 drivers/block/nbd.c                                |    2 +-
 drivers/block/pktcdvd.c                            |    2 +-
 drivers/cdrom/cdrom.c                              |   11 +-
 drivers/cdrom/gdrom.c                              |    1 -
 drivers/char/agp/compat_ioctl.c                    |    2 +-
 drivers/char/agp/frontend.c                        |    4 +-
 drivers/char/hpet.c                                |    2 +-
 drivers/char/hw_random/intel-rng.c                 |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c                |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                   |    8 +-
 drivers/char/mem.c                                 |   45 +-
 drivers/char/nvram.c                               |    2 +-
 drivers/char/pcmcia/synclink_cs.c                  |   18 +-
 drivers/char/random.c                              |   10 +-
 drivers/char/sonypi.c                              |    9 +-
 drivers/char/tpm/tpm_acpi.c                        |    3 +-
 drivers/char/tpm/tpm_eventlog.c                    |    7 +-
 drivers/char/virtio_console.c                      |    4 +-
 drivers/clk/clk-composite.c                        |    2 +-
 drivers/clocksource/arm_arch_timer.c               |    2 +-
 drivers/clocksource/metag_generic.c                |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                     |   20 +-
 drivers/cpufreq/cpufreq.c                          |    9 +-
 drivers/cpufreq/cpufreq_governor.c                 |    6 +-
 drivers/cpufreq/cpufreq_governor.h                 |    2 +-
 drivers/cpufreq/cpufreq_ondemand.c                 |    8 +-
 drivers/cpufreq/cpufreq_stats.c                    |    2 +-
 drivers/cpufreq/p4-clockmod.c                      |   12 +-
 drivers/cpufreq/sparc-us3-cpufreq.c                |   69 +-
 drivers/cpufreq/speedstep-centrino.c               |    7 +-
 drivers/cpuidle/cpuidle.c                          |    2 +-
 drivers/cpuidle/governor.c                         |    4 +-
 drivers/cpuidle/sysfs.c                            |    2 +-
 drivers/devfreq/devfreq.c                          |    6 +-
 drivers/dma/sh/shdma.c                             |    2 +-
 drivers/edac/edac_mc_sysfs.c                       |   12 +-
 drivers/edac/edac_pci_sysfs.c                      |   22 +-
 drivers/edac/mce_amd.h                             |    2 +-
 drivers/firewire/core-card.c                       |    2 +-
 drivers/firewire/core-device.c                     |    2 +-
 drivers/firewire/core-transaction.c                |    1 +
 drivers/firewire/core.h                            |    1 +
 drivers/firmware/dmi-id.c                          |    2 +-
 drivers/firmware/dmi_scan.c                        |    7 +-
 drivers/firmware/efi/efi.c                         |   12 +-
 drivers/firmware/efi/efivars.c                     |    2 +-
 drivers/firmware/google/memconsole.c               |    4 +-
 drivers/gpio/gpio-ich.c                            |    2 +-
 drivers/gpio/gpio-vr41xx.c                         |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                  |    2 +-
 drivers/gpu/drm/drm_drv.c                          |    6 +-
 drivers/gpu/drm/drm_fops.c                         |   18 +-
 drivers/gpu/drm/drm_global.c                       |   14 +-
 drivers/gpu/drm/drm_info.c                         |   14 +-
 drivers/gpu/drm/drm_ioc32.c                        |   13 +-
 drivers/gpu/drm/drm_ioctl.c                        |    2 +-
 drivers/gpu/drm/drm_lock.c                         |    4 +-
 drivers/gpu/drm/drm_stub.c                         |    2 +-
 drivers/gpu/drm/drm_sysfs.c                        |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                    |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c                |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                    |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c         |    4 +-
 drivers/gpu/drm/i915/i915_ioc32.c                  |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                    |   22 +-
 drivers/gpu/drm/i915/intel_display.c               |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                      |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                    |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                      |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c             |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h              |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c              |    4 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c              |    2 +-
 drivers/gpu/drm/qxl/qxl_ttm.c                      |   38 +-
 drivers/gpu/drm/r128/r128_cce.c                    |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                    |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                  |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                    |    4 +-
 drivers/gpu/drm/r128/r128_state.c                  |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c                |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c             |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h                |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c              |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c                |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c                |   57 +-
 drivers/gpu/drm/radeon/rs690.c                     |    4 +-
 drivers/gpu/drm/ttm/ttm_memory.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c               |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                       |    1 -
 drivers/gpu/drm/via/via_drv.h                      |    4 +-
 drivers/gpu/drm/via/via_irq.c                      |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h                |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c               |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c                |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c             |    2 +-
 drivers/hid/hid-core.c                             |    4 +-
 drivers/hv/channel.c                               |    4 +-
 drivers/hv/hv.c                                    |    2 +-
 drivers/hv/hyperv_vmbus.h                          |    2 +-
 drivers/hv/vmbus_drv.c                             |    4 +-
 drivers/hwmon/acpi_power_meter.c                   |    4 +-
 drivers/hwmon/applesmc.c                           |    2 +-
 drivers/hwmon/asus_atk0110.c                       |   10 +-
 drivers/hwmon/coretemp.c                           |    2 +-
 drivers/hwmon/ibmaem.c                             |    2 +-
 drivers/hwmon/iio_hwmon.c                          |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +-
 drivers/hwmon/sht15.c                              |   12 +-
 drivers/hwmon/via-cputemp.c                        |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c              |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c             |    2 +-
 drivers/i2c/i2c-dev.c                              |    2 +-
 drivers/ide/ide-cd.c                               |    2 +-
 drivers/iio/industrialio-core.c                    |    2 +-
 drivers/infiniband/core/cm.c                       |   32 +-
 drivers/infiniband/core/fmr_pool.c                 |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                  |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c             |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c            |    6 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c            |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c             |    2 +-
 drivers/infiniband/hw/nes/nes.c                    |    4 +-
 drivers/infiniband/hw/nes/nes.h                    |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c                 |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c                |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c                |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c              |   10 +-
 drivers/infiniband/hw/qib/qib.h                    |    1 +
 drivers/input/gameport/gameport.c                  |    4 +-
 drivers/input/input.c                              |    4 +-
 drivers/input/joystick/sidewinder.c                |    1 +
 drivers/input/joystick/xpad.c                      |    4 +-
 drivers/input/mouse/psmouse.h                      |    2 +-
 drivers/input/mousedev.c                           |    2 +-
 drivers/input/serio/serio.c                        |    4 +-
 drivers/iommu/iommu.c                              |    2 +-
 drivers/iommu/irq_remapping.c                      |   12 +-
 drivers/irqchip/irq-gic.c                          |    4 +-
 drivers/isdn/capi/capi.c                           |   10 +-
 drivers/isdn/gigaset/interface.c                   |    8 +-
 drivers/isdn/hardware/avm/b1.c                     |    4 +-
 drivers/isdn/i4l/isdn_tty.c                        |   22 +-
 drivers/isdn/icn/icn.c                             |    2 +-
 drivers/leds/leds-clevo-mail.c                     |    2 +-
 drivers/leds/leds-ss4200.c                         |    2 +-
 drivers/lguest/core.c                              |   10 +-
 drivers/lguest/page_tables.c                       |    2 +-
 drivers/lguest/x86/core.c                          |   12 +-
 drivers/lguest/x86/switcher_32.S                   |   27 +-
 drivers/md/bcache/closure.h                        |    2 +-
 drivers/md/bitmap.c                                |    2 +-
 drivers/md/dm-ioctl.c                              |    2 +-
 drivers/md/dm-raid1.c                              |   16 +-
 drivers/md/dm-stripe.c                             |   10 +-
 drivers/md/dm-table.c                              |    2 +-
 drivers/md/dm-thin-metadata.c                      |    4 +-
 drivers/md/dm.c                                    |   16 +-
 drivers/md/md.c                                    |   26 +-
 drivers/md/md.h                                    |    6 +-
 drivers/md/persistent-data/dm-space-map.h          |    1 +
 drivers/md/raid1.c                                 |    4 +-
 drivers/md/raid10.c                                |   16 +-
 drivers/md/raid5.c                                 |   10 +-
 drivers/media/dvb-core/dvbdev.c                    |    2 +-
 drivers/media/dvb-frontends/dib3000.h              |    2 +-
 drivers/media/pci/cx88/cx88-video.c                |    6 +-
 drivers/media/platform/omap/omap_vout.c            |   11 +-
 drivers/media/platform/s5p-tv/mixer.h              |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c    |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c          |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c        |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c     |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                  |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c                 |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |    6 +-
 drivers/media/v4l2-core/v4l2-ioctl.c               |   11 +-
 drivers/message/fusion/mptsas.c                    |   34 +-
 drivers/message/fusion/mptscsih.c                  |   19 +-
 drivers/message/i2o/i2o_proc.c                     |   51 +-
 drivers/message/i2o/iop.c                          |    8 +-
 drivers/mfd/janz-cmodio.c                          |    1 +
 drivers/mfd/twl4030-irq.c                          |    9 +-
 drivers/mfd/twl6030-irq.c                          |   10 +-
 drivers/misc/c2port/core.c                         |    4 +-
 drivers/misc/kgdbts.c                              |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c                 |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h                 |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                  |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                   |    8 +-
 drivers/misc/sgi-gru/grutables.h                   |  154 +-
 drivers/misc/sgi-xp/xp.h                           |    2 +-
 drivers/misc/sgi-xp/xpc.h                          |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                     |    4 +-
 drivers/mmc/core/mmc_ops.c                         |    2 +-
 drivers/mmc/host/dw_mmc.h                          |    2 +-
 drivers/mmc/host/sdhci-s3c.c                       |    8 +-
 drivers/mtd/nand/denali.c                          |    1 +
 drivers/mtd/nftlmount.c                            |    1 +
 drivers/mtd/sm_ftl.c                               |    2 +-
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/ethernet/8390/ax88796.c                |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h    |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c     |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h     |    3 +-
 drivers/net/ethernet/broadcom/tg3.h                |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h           |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c             |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c           |    2 +
 drivers/net/ethernet/faraday/ftmac100.c            |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c       |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c   |    7 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +-
 drivers/net/ethernet/realtek/r8169.c               |    8 +-
 drivers/net/ethernet/sfc/ptp.c                     |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c     |    4 +-
 drivers/net/hyperv/hyperv_net.h                    |    2 +-
 drivers/net/hyperv/rndis_filter.c                  |    4 +-
 drivers/net/ieee802154/fakehard.c                  |    2 +-
 drivers/net/macvlan.c                              |   18 +-
 drivers/net/macvtap.c                              |    2 +-
 drivers/net/ppp/ppp_generic.c                      |    4 +-
 drivers/net/slip/slhc.c                            |    2 +-
 drivers/net/team/team.c                            |    2 +-
 drivers/net/tun.c                                  |    5 +-
 drivers/net/usb/hso.c                              |   23 +-
 drivers/net/vxlan.c                                |    2 +-
 drivers/net/wireless/at76c50x-usb.c                |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c        |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c        |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h                |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c           |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c         |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c          |    4 +-
 drivers/net/wireless/mac80211_hwsim.c              |   32 +-
 drivers/net/wireless/rndis_wlan.c                  |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h               |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c          |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c              |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c              |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c              |    6 +-
 drivers/oprofile/buffer_sync.c                     |    8 +-
 drivers/oprofile/event_buffer.c                    |    2 +-
 drivers/oprofile/oprof.c                           |    2 +-
 drivers/oprofile/oprofile_files.c                  |    2 +-
 drivers/oprofile/oprofile_stats.c                  |   10 +-
 drivers/oprofile/oprofile_stats.h                  |   10 +-
 drivers/oprofile/oprofilefs.c                      |    2 +-
 drivers/oprofile/timer_int.c                       |    2 +-
 drivers/parport/procfs.c                           |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                  |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c               |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c                |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c                 |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c             |    6 +-
 drivers/pci/hotplug/pciehp_core.c                  |    2 +-
 drivers/pci/pci-sysfs.c                            |    6 +-
 drivers/pci/pci.h                                  |    2 +-
 drivers/pci/pcie/aspm.c                            |    6 +-
 drivers/pci/probe.c                                |    2 +-
 drivers/platform/x86/chromeos_laptop.c             |    2 +-
 drivers/platform/x86/msi-laptop.c                  |   14 +-
 drivers/platform/x86/sony-laptop.c                 |    2 +-
 drivers/platform/x86/thinkpad_acpi.c               |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                    |   14 +-
 drivers/pnp/resource.c                             |    4 +-
 drivers/power/pda_power.c                          |    7 +-
 drivers/power/power_supply.h                       |    4 +-
 drivers/power/power_supply_core.c                  |    7 +-
 drivers/power/power_supply_sysfs.c                 |    6 +-
 drivers/regulator/max8660.c                        |    6 +-
 drivers/regulator/max8973-regulator.c              |    8 +-
 drivers/regulator/mc13892-regulator.c              |    6 +-
 drivers/rtc/rtc-cmos.c                             |    4 +-
 drivers/rtc/rtc-ds1307.c                           |    2 +-
 drivers/rtc/rtc-m48t59.c                           |    4 +-
 drivers/scsi/bfa/bfa_fcpim.h                       |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                         |    4 +-
 drivers/scsi/hosts.c                               |    4 +-
 drivers/scsi/hpsa.c                                |   30 +-
 drivers/scsi/hpsa.h                                |    2 +-
 drivers/scsi/libfc/fc_exch.c                       |   50 +-
 drivers/scsi/libsas/sas_ata.c                      |    2 +-
 drivers/scsi/lpfc/lpfc.h                           |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                   |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                      |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                      |   16 +-
 drivers/scsi/pmcraid.c                             |   20 +-
 drivers/scsi/pmcraid.h                             |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                    |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                     |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                      |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                     |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                      |    6 +-
 drivers/scsi/scsi.c                                |    2 +-
 drivers/scsi/scsi_lib.c                            |    6 +-
 drivers/scsi/scsi_sysfs.c                          |    2 +-
 drivers/scsi/scsi_tgt_lib.c                        |    2 +-
 drivers/scsi/scsi_transport_fc.c                   |    8 +-
 drivers/scsi/scsi_transport_iscsi.c                |    6 +-
 drivers/scsi/scsi_transport_srp.c                  |    6 +-
 drivers/scsi/sd.c                                  |    2 +-
 drivers/scsi/sg.c                                  |    2 +-
 drivers/spi/spi.c                                  |    2 +-
 drivers/staging/media/solo6x10/solo6x10-core.c     |    2 +-
 drivers/staging/octeon/ethernet-rx.c               |   12 +-
 drivers/staging/octeon/ethernet.c                  |    8 +-
 drivers/staging/rtl8712/rtl871x_io.h               |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c                 |    2 +-
 drivers/staging/usbip/vhci.h                       |    2 +-
 drivers/staging/usbip/vhci_hcd.c                   |    6 +-
 drivers/staging/usbip/vhci_rx.c                    |    2 +-
 drivers/staging/vt6655/hostap.c                    |    7 +-
 drivers/staging/vt6656/hostap.c                    |    7 +-
 drivers/staging/zcache/tmem.c                      |    4 +-
 drivers/staging/zcache/tmem.h                      |    2 +
 drivers/target/target_core_device.c                |    2 +-
 drivers/target/target_core_transport.c             |    2 +-
 drivers/tty/cyclades.c                             |    6 +-
 drivers/tty/hvc/hvc_console.c                      |   14 +-
 drivers/tty/hvc/hvcs.c                             |   21 +-
 drivers/tty/ipwireless/tty.c                       |   27 +-
 drivers/tty/moxa.c                                 |    2 +-
 drivers/tty/n_gsm.c                                |    4 +-
 drivers/tty/n_tty.c                                |    3 +-
 drivers/tty/pty.c                                  |    4 +-
 drivers/tty/rocket.c                               |    6 +-
 drivers/tty/serial/kgdboc.c                        |   32 +-
 drivers/tty/serial/samsung.c                       |    9 +-
 drivers/tty/serial/serial_core.c                   |    8 +-
 drivers/tty/synclink.c                             |   34 +-
 drivers/tty/synclink_gt.c                          |   28 +-
 drivers/tty/synclinkmp.c                           |   34 +-
 drivers/tty/tty_io.c                               |    2 +-
 drivers/tty/tty_ldisc.c                            |   10 +-
 drivers/tty/tty_port.c                             |   22 +-
 drivers/uio/uio.c                                  |   21 +-
 drivers/usb/atm/cxacru.c                           |    2 +-
 drivers/usb/atm/usbatm.c                           |   24 +-
 drivers/usb/core/devices.c                         |    6 +-
 drivers/usb/core/hcd.c                             |    4 +-
 drivers/usb/core/message.c                         |    2 +-
 drivers/usb/core/sysfs.c                           |    2 +-
 drivers/usb/core/usb.c                             |    2 +-
 drivers/usb/early/ehci-dbgp.c                      |   16 +-
 drivers/usb/gadget/u_serial.c                      |   22 +-
 drivers/usb/serial/console.c                       |    6 +-
 drivers/usb/storage/usb.h                          |    2 +-
 drivers/usb/wusbcore/wa-hc.h                       |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                     |    2 +-
 drivers/vhost/vringh.c                             |    2 +-
 drivers/video/aty/aty128fb.c                       |    2 +-
 drivers/video/aty/atyfb_base.c                     |    8 +-
 drivers/video/aty/mach64_cursor.c                  |    5 +-
 drivers/video/backlight/kb3886_bl.c                |    2 +-
 drivers/video/fb_defio.c                           |    6 +-
 drivers/video/fbcmap.c                             |    3 +-
 drivers/video/fbmem.c                              |    6 +-
 drivers/video/i810/i810_accel.c                    |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c            |   16 +-
 drivers/video/nvidia/nvidia.c                      |   27 +-
 drivers/video/output.c                             |    2 +-
 drivers/video/s1d13xxxfb.c                         |    6 +-
 drivers/video/smscufx.c                            |    4 +-
 drivers/video/udlfb.c                              |   36 +-
 drivers/video/uvesafb.c                            |   53 +-
 drivers/video/vesafb.c                             |   58 +-
 drivers/video/via/via_clock.h                      |    2 +-
 fs/9p/vfs_addr.c                                   |    2 +-
 fs/9p/vfs_inode.c                                  |    2 +-
 fs/Kconfig.binfmt                                  |    2 +-
 fs/aio.c                                           |   12 +-
 fs/autofs4/waitq.c                                 |    2 +-
 fs/befs/endian.h                                   |    4 +-
 fs/befs/linuxvfs.c                                 |    2 +-
 fs/binfmt_aout.c                                   |   23 +-
 fs/binfmt_elf.c                                    |  607 ++-
 fs/binfmt_flat.c                                   |    6 +
 fs/bio.c                                           |    6 +-
 fs/block_dev.c                                     |    2 +-
 fs/btrfs/ctree.c                                   |    9 +-
 fs/btrfs/super.c                                   |    2 +-
 fs/cachefiles/bind.c                               |    6 +-
 fs/cachefiles/daemon.c                             |    8 +-
 fs/cachefiles/internal.h                           |   12 +-
 fs/cachefiles/namei.c                              |    2 +-
 fs/cachefiles/proc.c                               |   12 +-
 fs/cachefiles/rdwr.c                               |    2 +-
 fs/ceph/dir.c                                      |    2 +-
 fs/cifs/cifs_debug.c                               |   12 +-
 fs/cifs/cifsfs.c                                   |    8 +-
 fs/cifs/cifsglob.h                                 |   54 +-
 fs/cifs/link.c                                     |    2 +-
 fs/cifs/misc.c                                     |    4 +-
 fs/cifs/smb1ops.c                                  |   80 +-
 fs/cifs/smb2ops.c                                  |   84 +-
 fs/cifs/smb2pdu.c                                  |    3 +-
 fs/coda/cache.c                                    |   10 +-
 fs/compat.c                                        |    6 +-
 fs/compat_binfmt_elf.c                             |    2 +
 fs/compat_ioctl.c                                  |   12 +-
 fs/configfs/dir.c                                  |   10 +-
 fs/coredump.c                                      |   24 +-
 fs/dcache.c                                        |    2 +-
 fs/ecryptfs/inode.c                                |    4 +-
 fs/ecryptfs/miscdev.c                              |    2 +-
 fs/exec.c                                          |  362 ++-
 fs/ext4/ext4.h                                     |   20 +-
 fs/ext4/mballoc.c                                  |   44 +-
 fs/ext4/mmp.c                                      |    2 +-
 fs/ext4/super.c                                    |    4 +-
 fs/fhandle.c                                       |    3 +-
 fs/fs_struct.c                                     |    8 +-
 fs/fscache/cookie.c                                |   36 +-
 fs/fscache/internal.h                              |  196 +-
 fs/fscache/object.c                                |   28 +-
 fs/fscache/operation.c                             |   30 +-
 fs/fscache/page.c                                  |  110 +-
 fs/fscache/stats.c                                 |  344 +-
 fs/fuse/cuse.c                                     |   10 +-
 fs/fuse/dev.c                                      |    4 +-
 fs/fuse/dir.c                                      |    2 +-
 fs/gfs2/inode.c                                    |    2 +-
 fs/hugetlbfs/inode.c                               |   13 +-
 fs/inode.c                                         |    4 +-
 fs/jffs2/erase.c                                   |    3 +-
 fs/jffs2/wbuf.c                                    |    3 +-
 fs/jfs/super.c                                     |    2 +-
 fs/libfs.c                                         |   10 +-
 fs/lockd/clntproc.c                                |    4 +-
 fs/lockd/svc.c                                     |    2 +-
 fs/locks.c                                         |    8 +-
 fs/namei.c                                         |   15 +-
 fs/namespace.c                                     |   10 +-
 fs/nfs/callback.c                                  |    4 +-
 fs/nfs/callback_xdr.c                              |    2 +-
 fs/nfs/inode.c                                     |    6 +-
 fs/nfs/nfs4state.c                                 |    2 +-
 fs/nfsd/nfs4proc.c                                 |    2 +-
 fs/nfsd/nfs4xdr.c                                  |    6 +-
 fs/nfsd/nfscache.c                                 |    9 +-
 fs/nfsd/vfs.c                                      |    6 +-
 fs/nls/nls_base.c                                  |   18 +-
 fs/nls/nls_euc-jp.c                                |    6 +-
 fs/nls/nls_koi8-ru.c                               |    6 +-
 fs/notify/fanotify/fanotify_user.c                 |    4 +-
 fs/notify/notification.c                           |    4 +-
 fs/ntfs/dir.c                                      |    2 +-
 fs/ntfs/file.c                                     |    4 +-
 fs/ocfs2/localalloc.c                              |    2 +-
 fs/ocfs2/ocfs2.h                                   |   10 +-
 fs/ocfs2/suballoc.c                                |   12 +-
 fs/ocfs2/super.c                                   |   20 +-
 fs/pipe.c                                          |   61 +-
 fs/proc/array.c                                    |   20 +
 fs/proc/base.c                                     |    4 +-
 fs/proc/kcore.c                                    |   32 +-
 fs/proc/meminfo.c                                  |    2 +-
 fs/proc/nommu.c                                    |    2 +-
 fs/proc/proc_sysctl.c                              |   18 +-
 fs/proc/self.c                                     |    2 +-
 fs/proc/task_mmu.c                                 |   39 +-
 fs/proc/task_nommu.c                               |    4 +-
 fs/proc/vmcore.c                                   |   12 +-
 fs/qnx6/qnx6.h                                     |    4 +-
 fs/quota/netlink.c                                 |    4 +-
 fs/read_write.c                                    |    2 +-
 fs/readdir.c                                       |    2 +-
 fs/reiserfs/do_balan.c                             |    2 +-
 fs/reiserfs/procfs.c                               |    2 +-
 fs/reiserfs/reiserfs.h                             |    4 +-
 fs/seq_file.c                                      |    2 +-
 fs/splice.c                                        |   40 +-
 fs/sysfs/bin.c                                     |    6 +-
 fs/sysfs/dir.c                                     |    2 +-
 fs/sysfs/file.c                                    |   10 +-
 fs/sysfs/symlink.c                                 |    2 +-
 fs/sysv/sysv.h                                     |    2 +-
 fs/ubifs/io.c                                      |    2 +-
 fs/udf/misc.c                                      |    2 +-
 fs/ufs/swab.h                                      |    4 +-
 fs/xattr.c                                         |   21 +
 fs/xattr_acl.c                                     |    4 +-
 fs/xfs/xfs_bmap.c                                  |    2 +-
 fs/xfs/xfs_dir2_sf.c                               |   10 +-
 fs/xfs/xfs_ioctl.c                                 |    2 +-
 fs/xfs/xfs_iops.c                                  |    2 +-
 include/asm-generic/4level-fixup.h                 |    2 +
 include/asm-generic/atomic-long.h                  |  210 +
 include/asm-generic/atomic.h                       |    2 +-
 include/asm-generic/atomic64.h                     |   12 +
 include/asm-generic/cache.h                        |    4 +-
 include/asm-generic/emergency-restart.h            |    2 +-
 include/asm-generic/kmap_types.h                   |    4 +-
 include/asm-generic/local.h                        |   13 +
 include/asm-generic/pgtable-nopmd.h                |   18 +-
 include/asm-generic/pgtable-nopud.h                |   15 +-
 include/asm-generic/pgtable.h                      |    8 +
 include/asm-generic/vmlinux.lds.h                  |   10 +-
 include/crypto/algapi.h                            |    2 +-
 include/drm/drmP.h                                 |   17 +-
 include/drm/drm_crtc_helper.h                      |    2 +-
 include/drm/ttm/ttm_memory.h                       |    2 +-
 include/keys/asymmetric-subtype.h                  |    2 +-
 include/linux/atmdev.h                             |    4 +-
 include/linux/binfmts.h                            |    3 +-
 include/linux/blkdev.h                             |    2 +-
 include/linux/blktrace_api.h                       |    2 +-
 include/linux/cache.h                              |    4 +
 include/linux/cdrom.h                              |    1 -
 include/linux/cleancache.h                         |    2 +-
 include/linux/clk-provider.h                       |    1 +
 include/linux/compat.h                             |    4 +-
 include/linux/compiler-gcc4.h                      |   20 +
 include/linux/compiler.h                           |   65 +-
 include/linux/completion.h                         |    6 +-
 include/linux/configfs.h                           |    2 +-
 include/linux/cpu.h                                |    2 +-
 include/linux/cpufreq.h                            |    3 +-
 include/linux/cpuidle.h                            |    5 +-
 include/linux/cpumask.h                            |   12 +-
 include/linux/crypto.h                             |    6 +-
 include/linux/ctype.h                              |    2 +-
 include/linux/decompress/mm.h                      |    2 +-
 include/linux/devfreq.h                            |    2 +-
 include/linux/device.h                             |    7 +-
 include/linux/dma-mapping.h                        |    2 +-
 include/linux/dmaengine.h                          |    4 +-
 include/linux/efi.h                                |    1 +
 include/linux/elf.h                                |    2 +
 include/linux/err.h                                |    4 +-
 include/linux/extcon.h                             |    2 +-
 include/linux/fb.h                                 |    2 +-
 include/linux/filter.h                             |    4 +
 include/linux/frontswap.h                          |    2 +-
 include/linux/fs.h                                 |    3 +-
 include/linux/fs_struct.h                          |    2 +-
 include/linux/fscache-cache.h                      |    4 +-
 include/linux/fscache.h                            |    2 +-
 include/linux/fsnotify.h                           |    2 +-
 include/linux/genhd.h                              |    2 +-
 include/linux/genl_magic_func.h                    |    2 +-
 include/linux/gfp.h                                |   12 +-
 include/linux/highmem.h                            |   12 +
 include/linux/hwmon-sysfs.h                        |    5 +-
 include/linux/i2c.h                                |    1 +
 include/linux/i2o.h                                |    2 +-
 include/linux/if_pppox.h                           |    2 +-
 include/linux/init.h                               |   33 +-
 include/linux/init_task.h                          |    7 +
 include/linux/interrupt.h                          |    8 +-
 include/linux/iommu.h                              |    2 +-
 include/linux/ioport.h                             |    2 +-
 include/linux/irq.h                                |    3 +-
 include/linux/irqchip/arm-gic.h                    |    4 +-
 include/linux/key-type.h                           |    2 +-
 include/linux/kgdb.h                               |    6 +-
 include/linux/kobject.h                            |    3 +-
 include/linux/kobject_ns.h                         |    2 +-
 include/linux/kref.h                               |    2 +-
 include/linux/kvm_host.h                           |    4 +-
 include/linux/libata.h                             |    2 +-
 include/linux/list.h                               |   15 +
 include/linux/math64.h                             |    6 +-
 include/linux/mm.h                                 |  116 +-
 include/linux/mm_types.h                           |   20 +
 include/linux/mmiotrace.h                          |    4 +-
 include/linux/mmzone.h                             |    2 +-
 include/linux/mod_devicetable.h                    |    6 +-
 include/linux/module.h                             |   60 +-
 include/linux/moduleloader.h                       |   16 +
 include/linux/moduleparam.h                        |    4 +-
 include/linux/namei.h                              |    6 +-
 include/linux/net.h                                |    2 +-
 include/linux/netdevice.h                          |    3 +-
 include/linux/netfilter.h                          |    2 +-
 include/linux/netfilter/ipset/ip_set.h             |    2 +-
 include/linux/netfilter/nfnetlink.h                |    2 +-
 include/linux/nls.h                                |    2 +-
 include/linux/notifier.h                           |    3 +-
 include/linux/oprofile.h                           |    4 +-
 include/linux/pci_hotplug.h                        |    3 +-
 include/linux/perf_event.h                         |   12 +-
 include/linux/pipe_fs_i.h                          |    8 +-
 include/linux/platform_data/usb-ehci-s5p.h         |    2 +-
 include/linux/platform_data/usb-ohci-exynos.h      |    2 +-
 include/linux/pm_domain.h                          |    2 +-
 include/linux/pm_runtime.h                         |    2 +-
 include/linux/pnp.h                                |    2 +-
 include/linux/poison.h                             |    4 +-
 include/linux/power/smartreflex.h                  |    2 +-
 include/linux/ppp-comp.h                           |    2 +-
 include/linux/proc_ns.h                            |    2 +-
 include/linux/random.h                             |    5 +
 include/linux/rculist.h                            |   16 +
 include/linux/reboot.h                             |   14 +-
 include/linux/regset.h                             |    3 +-
 include/linux/relay.h                              |    2 +-
 include/linux/rio.h                                |    2 +-
 include/linux/rmap.h                               |    4 +-
 include/linux/sched.h                              |   65 +-
 include/linux/sched/sysctl.h                       |    1 +
 include/linux/seq_file.h                           |    1 +
 include/linux/skbuff.h                             |   12 +-
 include/linux/slab.h                               |   42 +-
 include/linux/slab_def.h                           |   28 +-
 include/linux/slob_def.h                           |    4 +-
 include/linux/slub_def.h                           |    8 +-
 include/linux/sock_diag.h                          |    2 +-
 include/linux/sonet.h                              |    2 +-
 include/linux/sunrpc/addr.h                        |    8 +-
 include/linux/sunrpc/clnt.h                        |    2 +-
 include/linux/sunrpc/svc.h                         |    2 +-
 include/linux/sunrpc/svc_rdma.h                    |   18 +-
 include/linux/sunrpc/svcauth.h                     |    2 +-
 include/linux/swiotlb.h                            |    3 +-
 include/linux/syscalls.h                           |   10 +-
 include/linux/syscore_ops.h                        |    2 +-
 include/linux/sysctl.h                             |    6 +-
 include/linux/sysfs.h                              |   10 +-
 include/linux/sysrq.h                              |    3 +-
 include/linux/thread_info.h                        |    7 +
 include/linux/tty.h                                |    4 +-
 include/linux/tty_driver.h                         |    2 +-
 include/linux/tty_ldisc.h                          |    2 +-
 include/linux/types.h                              |   16 +
 include/linux/uaccess.h                            |    6 +-
 include/linux/unaligned/access_ok.h                |   24 +-
 include/linux/usb.h                                |    4 +-
 include/linux/usb/renesas_usbhs.h                  |    2 +-
 include/linux/vermagic.h                           |   21 +-
 include/linux/vmalloc.h                            |   11 +-
 include/linux/vmstat.h                             |   20 +-
 include/linux/xattr.h                              |    5 +-
 include/linux/zlib.h                               |    3 +-
 include/media/v4l2-dev.h                           |    2 +-
 include/net/9p/transport.h                         |    2 +-
 include/net/bluetooth/l2cap.h                      |    2 +-
 include/net/caif/cfctrl.h                          |    6 +-
 include/net/flow.h                                 |    2 +-
 include/net/genetlink.h                            |    2 +-
 include/net/gro_cells.h                            |    2 +-
 include/net/inet_connection_sock.h                 |    2 +-
 include/net/inetpeer.h                             |    8 +-
 include/net/ip.h                                   |    2 +-
 include/net/ip_fib.h                               |    2 +-
 include/net/ip_vs.h                                |    8 +-
 include/net/irda/ircomm_tty.h                      |    1 +
 include/net/iucv/af_iucv.h                         |    2 +-
 include/net/llc_c_ac.h                             |    2 +-
 include/net/llc_c_ev.h                             |    4 +-
 include/net/llc_c_st.h                             |    2 +-
 include/net/llc_s_ac.h                             |    2 +-
 include/net/llc_s_st.h                             |    2 +-
 include/net/mac80211.h                             |    2 +-
 include/net/neighbour.h                            |    2 +-
 include/net/net_namespace.h                        |   12 +-
 include/net/netdma.h                               |    2 +-
 include/net/netlink.h                              |    2 +-
 include/net/netns/conntrack.h                      |    6 +-
 include/net/netns/ipv4.h                           |    2 +-
 include/net/netns/ipv6.h                           |    2 +-
 include/net/protocol.h                             |    4 +-
 include/net/rtnetlink.h                            |    2 +-
 include/net/sctp/sctp.h                            |    6 +-
 include/net/sctp/sm.h                              |    4 +-
 include/net/sctp/structs.h                         |    2 +-
 include/net/sock.h                                 |    6 +-
 include/net/tcp.h                                  |    8 +-
 include/net/xfrm.h                                 |    8 +-
 include/rdma/iw_cm.h                               |    2 +-
 include/scsi/libfc.h                               |    3 +-
 include/scsi/scsi_device.h                         |    6 +-
 include/scsi/scsi_transport_fc.h                   |    3 +-
 include/sound/compress_driver.h                    |    2 +-
 include/sound/soc.h                                |    4 +-
 include/target/target_core_base.h                  |    2 +-
 include/trace/events/irq.h                         |    4 +-
 include/uapi/linux/a.out.h                         |    8 +
 include/uapi/linux/byteorder/little_endian.h       |   28 +-
 include/uapi/linux/elf.h                           |   28 +
 include/uapi/linux/screen_info.h                   |    3 +-
 include/uapi/linux/swab.h                          |    6 +-
 include/uapi/linux/sysctl.h                        |    6 +-
 include/uapi/linux/xattr.h                         |    4 +
 include/video/udlfb.h                              |    8 +-
 include/video/uvesafb.h                            |    1 +
 init/Kconfig                                       |    2 +-
 init/Makefile                                      |    3 +
 init/do_mounts.c                                   |   14 +-
 init/do_mounts.h                                   |    8 +-
 init/do_mounts_initrd.c                            |   30 +-
 init/do_mounts_md.c                                |    6 +-
 init/init_task.c                                   |    4 +
 init/initramfs.c                                   |   42 +-
 init/main.c                                        |   83 +-
 ipc/ipc_sysctl.c                                   |   10 +-
 ipc/mq_sysctl.c                                    |    2 +-
 ipc/msg.c                                          |   11 +-
 ipc/sem.c                                          |   11 +-
 ipc/shm.c                                          |   17 +-
 kernel/acct.c                                      |    2 +-
 kernel/audit.c                                     |    8 +-
 kernel/auditfilter.c                               |    2 +-
 kernel/auditsc.c                                   |    4 +-
 kernel/capability.c                                |    3 +
 kernel/compat.c                                    |   38 +-
 kernel/debug/debug_core.c                          |   16 +-
 kernel/debug/kdb/kdb_main.c                        |    4 +-
 kernel/events/core.c                               |   30 +-
 kernel/events/internal.h                           |   10 +-
 kernel/exit.c                                      |    4 +-
 kernel/fork.c                                      |  167 +-
 kernel/futex.c                                     |    9 +
 kernel/futex_compat.c                              |    2 +-
 kernel/gcov/base.c                                 |    7 +-
 kernel/hrtimer.c                                   |    4 +-
 kernel/irq_work.c                                  |    7 +-
 kernel/jump_label.c                                |    5 +
 kernel/kallsyms.c                                  |   39 +-
 kernel/kexec.c                                     |    3 +-
 kernel/kmod.c                                      |    4 +-
 kernel/kprobes.c                                   |    8 +-
 kernel/ksysfs.c                                    |    2 +-
 kernel/lockdep.c                                   |    7 +-
 kernel/module.c                                    |  337 +-
 kernel/mutex-debug.c                               |   12 +-
 kernel/mutex-debug.h                               |    4 +-
 kernel/mutex.c                                     |   11 +-
 kernel/notifier.c                                  |   17 +-
 kernel/panic.c                                     |    3 +-
 kernel/pid.c                                       |    2 +-
 kernel/pid_namespace.c                             |    2 +-
 kernel/posix-cpu-timers.c                          |    4 +-
 kernel/posix-timers.c                              |   22 +-
 kernel/power/process.c                             |   12 +-
 kernel/profile.c                                   |   14 +-
 kernel/ptrace.c                                    |    8 +-
 kernel/rcupdate.c                                  |    4 +-
 kernel/rcutiny.c                                   |    4 +-
 kernel/rcutiny_plugin.h                            |    2 +-
 kernel/rcutorture.c                                |   56 +-
 kernel/rcutree.c                                   |   76 +-
 kernel/rcutree.h                                   |   24 +-
 kernel/rcutree_plugin.h                            |   20 +-
 kernel/rcutree_trace.c                             |   22 +-
 kernel/rtmutex-tester.c                            |   24 +-
 kernel/sched/auto_group.c                          |    4 +-
 kernel/sched/core.c                                |   51 +-
 kernel/sched/fair.c                                |    4 +-
 kernel/sched/sched.h                               |    2 +-
 kernel/signal.c                                    |   12 +-
 kernel/smp.c                                       |    2 +-
 kernel/smpboot.c                                   |    4 +-
 kernel/softirq.c                                   |   18 +-
 kernel/srcu.c                                      |    4 +-
 kernel/sys.c                                       |   10 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/time.c                                      |    2 +-
 kernel/time/alarmtimer.c                           |    2 +-
 kernel/time/tick-broadcast.c                       |    2 +-
 kernel/time/timer_stats.c                          |   10 +-
 kernel/timer.c                                     |    6 +-
 kernel/trace/blktrace.c                            |    6 +-
 kernel/trace/ftrace.c                              |   18 +-
 kernel/trace/ring_buffer.c                         |   76 +-
 kernel/trace/trace.c                               |    2 +-
 kernel/trace/trace.h                               |    2 +-
 kernel/trace/trace_events.c                        |   25 +-
 kernel/trace/trace_mmiotrace.c                     |    8 +-
 kernel/trace/trace_output.c                        |   12 +-
 kernel/trace/trace_stack.c                         |    2 +-
 kernel/user_namespace.c                            |    2 +-
 kernel/utsname_sysctl.c                            |    2 +-
 kernel/watchdog.c                                  |    2 +-
 kernel/workqueue.c                                 |    2 +-
 lib/Kconfig.debug                                  |    8 +-
 lib/Makefile                                       |    2 +-
 lib/bitmap.c                                       |    8 +-
 lib/bug.c                                          |    2 +
 lib/debugobjects.c                                 |    2 +-
 lib/devres.c                                       |    4 +-
 lib/div64.c                                        |    4 +-
 lib/dma-debug.c                                    |    4 +-
 lib/inflate.c                                      |    2 +-
 lib/ioremap.c                                      |    4 +-
 lib/kobject.c                                      |    6 +-
 lib/list_debug.c                                   |  126 +-
 lib/radix-tree.c                                   |    2 +-
 lib/strncpy_from_user.c                            |    2 +-
 lib/strnlen_user.c                                 |    2 +-
 lib/swiotlb.c                                      |    2 +-
 lib/usercopy.c                                     |    6 +
 lib/vsprintf.c                                     |   12 +-
 mm/Kconfig                                         |    6 +-
 mm/backing-dev.c                                   |    4 +-
 mm/filemap.c                                       |    2 +-
 mm/fremap.c                                        |    5 +
 mm/highmem.c                                       |    7 +-
 mm/hugetlb.c                                       |   70 +-
 mm/internal.h                                      |    1 +
 mm/maccess.c                                       |    4 +-
 mm/madvise.c                                       |   41 +
 mm/memory-failure.c                                |   26 +-
 mm/memory.c                                        |  424 ++-
 mm/mempolicy.c                                     |   26 +
 mm/mlock.c                                         |   15 +-
 mm/mmap.c                                          |  606 ++-
 mm/mprotect.c                                      |  139 +-
 mm/mremap.c                                        |   44 +-
 mm/nommu.c                                         |   21 +-
 mm/page-writeback.c                                |    4 +-
 mm/page_alloc.c                                    |   41 +-
 mm/page_io.c                                       |    2 +-
 mm/percpu.c                                        |    2 +-
 mm/process_vm_access.c                             |   14 +-
 mm/rmap.c                                          |   38 +-
 mm/shmem.c                                         |   19 +-
 mm/slab.c                                          |   79 +-
 mm/slab.h                                          |    5 +-
 mm/slab_common.c                                   |   46 +-
 mm/slob.c                                          |  201 +-
 mm/slub.c                                          |   79 +-
 mm/sparse-vmemmap.c                                |    4 +-
 mm/sparse.c                                        |    2 +-
 mm/swap.c                                          |    3 +
 mm/swapfile.c                                      |   12 +-
 mm/util.c                                          |    6 +
 mm/vmalloc.c                                       |   77 +-
 mm/vmstat.c                                        |   12 +-
 net/8021q/vlan.c                                   |    5 +-
 net/9p/mod.c                                       |    4 +-
 net/9p/trans_fd.c                                  |    2 +-
 net/atm/atm_misc.c                                 |    8 +-
 net/atm/lec.h                                      |    2 +-
 net/atm/proc.c                                     |    6 +-
 net/atm/resources.c                                |    4 +-
 net/ax25/sysctl_net_ax25.c                         |    2 +-
 net/batman-adv/bat_iv_ogm.c                        |    8 +-
 net/batman-adv/hard-interface.c                    |    4 +-
 net/batman-adv/soft-interface.c                    |    4 +-
 net/batman-adv/types.h                             |    6 +-
 net/batman-adv/unicast.c                           |    2 +-
 net/bluetooth/hci_core.c                           |    8 +-
 net/bluetooth/hci_sock.c                           |    2 +-
 net/bluetooth/l2cap_core.c                         |    6 +-
 net/bluetooth/l2cap_sock.c                         |   12 +-
 net/bluetooth/rfcomm/sock.c                        |    4 +-
 net/bluetooth/rfcomm/tty.c                         |   10 +-
 net/bridge/netfilter/ebtables.c                    |    6 +-
 net/caif/cfctrl.c                                  |   11 +-
 net/can/af_can.c                                   |    2 +-
 net/can/gw.c                                       |    6 +-
 net/compat.c                                       |   34 +-
 net/core/datagram.c                                |    2 +-
 net/core/dev.c                                     |   16 +-
 net/core/flow.c                                    |    8 +-
 net/core/iovec.c                                   |    4 +-
 net/core/neighbour.c                               |    2 +-
 net/core/net-sysfs.c                               |    2 +-
 net/core/net_namespace.c                           |    8 +-
 net/core/rtnetlink.c                               |   13 +-
 net/core/scm.c                                     |    8 +-
 net/core/sock.c                                    |   24 +-
 net/core/sock_diag.c                               |    9 +-
 net/core/sysctl_net_core.c                         |   18 +-
 net/decnet/af_decnet.c                             |    1 +
 net/decnet/sysctl_net_decnet.c                     |    4 +-
 net/ipv4/af_inet.c                                 |    8 +-
 net/ipv4/ah4.c                                     |    2 +-
 net/ipv4/devinet.c                                 |   18 +-
 net/ipv4/esp4.c                                    |    2 +-
 net/ipv4/fib_frontend.c                            |    6 +-
 net/ipv4/fib_semantics.c                           |    2 +-
 net/ipv4/inet_connection_sock.c                    |    2 +-
 net/ipv4/inetpeer.c                                |    4 +-
 net/ipv4/ip_fragment.c                             |   15 +-
 net/ipv4/ip_gre.c                                  |    6 +-
 net/ipv4/ip_sockglue.c                             |    2 +-
 net/ipv4/ip_vti.c                                  |    4 +-
 net/ipv4/ipcomp.c                                  |    2 +-
 net/ipv4/ipconfig.c                                |    6 +-
 net/ipv4/ipip.c                                    |    4 +-
 net/ipv4/netfilter/arp_tables.c                    |   12 +-
 net/ipv4/netfilter/ip_tables.c                     |   12 +-
 net/ipv4/ping.c                                    |    2 +-
 net/ipv4/raw.c                                     |   14 +-
 net/ipv4/route.c                                   |   18 +-
 net/ipv4/sysctl_net_ipv4.c                         |   45 +-
 net/ipv4/tcp_input.c                               |    2 +-
 net/ipv4/tcp_probe.c                               |    2 +-
 net/ipv4/udp.c                                     |   10 +-
 net/ipv4/xfrm4_policy.c                            |   14 +-
 net/ipv6/addrconf.c                                |   12 +-
 net/ipv6/icmp.c                                    |    2 +-
 net/ipv6/ip6_gre.c                                 |    8 +-
 net/ipv6/ip6_tunnel.c                              |    4 +-
 net/ipv6/ipv6_sockglue.c                           |    2 +-
 net/ipv6/netfilter/ip6_tables.c                    |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   14 +-
 net/ipv6/raw.c                                     |   19 +-
 net/ipv6/reassembly.c                              |   13 +-
 net/ipv6/route.c                                   |    2 +-
 net/ipv6/sit.c                                     |    4 +-
 net/ipv6/sysctl_net_ipv6.c                         |    2 +-
 net/ipv6/udp.c                                     |    8 +-
 net/ipv6/xfrm6_policy.c                            |   13 +-
 net/irda/ircomm/ircomm_tty.c                       |   18 +-
 net/iucv/af_iucv.c                                 |    4 +-
 net/iucv/iucv.c                                    |    2 +-
 net/key/af_key.c                                   |    4 +-
 net/mac80211/cfg.c                                 |    8 +-
 net/mac80211/ieee80211_i.h                         |    3 +-
 net/mac80211/iface.c                               |   16 +-
 net/mac80211/main.c                                |    2 +-
 net/mac80211/pm.c                                  |    6 +-
 net/mac80211/rate.c                                |    2 +-
 net/mac80211/rc80211_pid_debugfs.c                 |    2 +-
 net/mac80211/util.c                                |    4 +-
 net/netfilter/ipset/ip_set_core.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                    |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                    |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                   |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                    |    4 +-
 net/netfilter/nf_conntrack_acct.c                  |    2 +-
 net/netfilter/nf_conntrack_ecache.c                |    2 +-
 net/netfilter/nf_conntrack_helper.c                |    2 +-
 net/netfilter/nf_conntrack_proto.c                 |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c            |    4 +-
 net/netfilter/nf_conntrack_standalone.c            |    2 +-
 net/netfilter/nf_conntrack_timestamp.c             |    2 +-
 net/netfilter/nf_log.c                             |   10 +-
 net/netfilter/nf_sockopt.c                         |    4 +-
 net/netfilter/nfnetlink_log.c                      |    4 +-
 net/netfilter/xt_statistic.c                       |    8 +-
 net/netlink/af_netlink.c                           |    4 +-
 net/netlink/genetlink.c                            |   16 +-
 net/packet/af_packet.c                             |   12 +-
 net/phonet/pep.c                                   |    6 +-
 net/phonet/socket.c                                |    2 +-
 net/phonet/sysctl.c                                |    2 +-
 net/rds/cong.c                                     |    6 +-
 net/rds/ib.h                                       |    2 +-
 net/rds/ib_cm.c                                    |    2 +-
 net/rds/ib_recv.c                                  |    4 +-
 net/rds/iw.h                                       |    2 +-
 net/rds/iw_cm.c                                    |    2 +-
 net/rds/iw_recv.c                                  |    4 +-
 net/rds/rds.h                                      |    2 +-
 net/rds/tcp.c                                      |    2 +-
 net/rds/tcp_send.c                                 |    2 +-
 net/rxrpc/af_rxrpc.c                               |    2 +-
 net/rxrpc/ar-ack.c                                 |   14 +-
 net/rxrpc/ar-call.c                                |    2 +-
 net/rxrpc/ar-connection.c                          |    2 +-
 net/rxrpc/ar-connevent.c                           |    2 +-
 net/rxrpc/ar-input.c                               |    4 +-
 net/rxrpc/ar-internal.h                            |    8 +-
 net/rxrpc/ar-local.c                               |    2 +-
 net/rxrpc/ar-output.c                              |    4 +-
 net/rxrpc/ar-peer.c                                |    2 +-
 net/rxrpc/ar-proc.c                                |    4 +-
 net/rxrpc/ar-transport.c                           |    2 +-
 net/rxrpc/rxkad.c                                  |    4 +-
 net/sctp/ipv6.c                                    |    6 +-
 net/sctp/protocol.c                                |   10 +-
 net/sctp/sm_sideeffect.c                           |    2 +-
 net/sctp/socket.c                                  |   21 +-
 net/sctp/sysctl.c                                  |    4 +-
 net/socket.c                                       |   18 +-
 net/sunrpc/clnt.c                                  |    4 +-
 net/sunrpc/sched.c                                 |    4 +-
 net/sunrpc/svc.c                                   |    6 +-
 net/sunrpc/xprtrdma/svc_rdma.c                     |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c            |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c              |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c           |   10 +-
 net/tipc/link.c                                    |    6 +-
 net/tipc/msg.c                                     |    2 +-
 net/tipc/subscr.c                                  |    2 +-
 net/unix/sysctl_net_unix.c                         |    2 +-
 net/wireless/wext-core.c                           |   19 +-
 net/xfrm/xfrm_policy.c                             |   27 +-
 net/xfrm/xfrm_state.c                              |   29 +-
 net/xfrm/xfrm_sysctl.c                             |    2 +-
 scripts/Makefile.build                             |    2 +-
 scripts/Makefile.clean                             |    3 +-
 scripts/Makefile.host                              |   28 +-
 scripts/basic/fixdep.c                             |   12 +-
 scripts/gcc-plugin.sh                              |   17 +
 scripts/headers_install.sh                         |    1 +
 scripts/link-vmlinux.sh                            |    2 +-
 scripts/mod/file2alias.c                           |   14 +-
 scripts/mod/modpost.c                              |   25 +-
 scripts/mod/modpost.h                              |    6 +-
 scripts/mod/sumversion.c                           |    2 +-
 scripts/package/builddeb                           |    1 +
 scripts/pnmtologo.c                                |    6 +-
 scripts/sortextable.h                              |    6 +-
 security/Kconfig                                   |  676 +++-
 security/apparmor/lsm.c                            |    2 +-
 security/integrity/ima/ima.h                       |    4 +-
 security/integrity/ima/ima_api.c                   |    2 +-
 security/integrity/ima/ima_fs.c                    |    4 +-
 security/integrity/ima/ima_queue.c                 |    2 +-
 security/keys/compat.c                             |    2 +-
 security/keys/internal.h                           |    2 +-
 security/keys/key.c                                |   18 +-
 security/keys/keyctl.c                             |    8 +-
 security/keys/keyring.c                            |    6 +-
 security/security.c                                |    9 +-
 security/selinux/hooks.c                           |    2 +-
 security/selinux/include/xfrm.h                    |    2 +-
 security/smack/smack_lsm.c                         |    2 +-
 security/tomoyo/tomoyo.c                           |    2 +-
 security/yama/yama_lsm.c                           |   22 +-
 sound/aoa/codecs/onyx.c                            |    7 +-
 sound/aoa/codecs/onyx.h                            |    1 +
 sound/core/oss/pcm_oss.c                           |   18 +-
 sound/core/pcm_compat.c                            |    2 +-
 sound/core/pcm_native.c                            |    4 +-
 sound/core/seq/seq_device.c                        |    8 +-
 sound/core/sound.c                                 |    2 +-
 sound/drivers/mts64.c                              |   14 +-
 sound/drivers/opl4/opl4_lib.c                      |    2 +-
 sound/drivers/portman2x4.c                         |    3 +-
 sound/firewire/amdtp.c                             |    4 +-
 sound/firewire/amdtp.h                             |    2 +-
 sound/firewire/isight.c                            |   10 +-
 sound/firewire/scs1x.c                             |    8 +-
 sound/oss/sb_audio.c                               |    2 +-
 sound/oss/swarm_cs4297a.c                          |    6 +-
 sound/pci/ymfpci/ymfpci.h                          |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                     |   12 +-
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 sound/sound_core.c                                 |    2 +-
 tools/gcc/.gitignore                               |    1 +
 tools/gcc/Makefile                                 |   45 +
 tools/gcc/checker_plugin.c                         |  172 +
 tools/gcc/colorize_plugin.c                        |  151 +
 tools/gcc/constify_plugin.c                        |  560 ++
 tools/gcc/generate_size_overflow_hash.sh           |   94 +
 tools/gcc/kallocstat_plugin.c                      |  170 +
 tools/gcc/kernexec_plugin.c                        |  465 ++
 tools/gcc/latent_entropy_plugin.c                  |  327 ++
 tools/gcc/size_overflow_hash.data                  | 5893 ++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                   | 2114 +++++++
 tools/gcc/stackleak_plugin.c                       |  327 ++
 tools/gcc/structleak_plugin.c                      |  277 +
 tools/perf/util/include/asm/alternative-asm.h      |    3 +
 tools/perf/util/include/linux/compiler.h           |    8 +
 virt/kvm/kvm_main.c                                |   32 +-
 1607 files changed, 30734 insertions(+), 7318 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 23:05:14 2013 -0400

    always enforce a non-zero gap for RAND_THREADSTACK

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 16:09:28 2013 -0400

    fix up file comparisons

 grsecurity/gracl_segv.c    |    2 +-
 grsecurity/grsec_sig.c     |    4 ++--
 include/linux/grinternal.h |   12 ++++++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

commit a1fff2c95162314626dd96bec71d951a8c1c4708
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:33:18 2013 -0400

    fix suid binary matching

 grsecurity/grsec_sig.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
Merge: 37b97a9 47beb61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:02:31 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:01:37 2013 -0400

    Update to pax-linux-3.9.9-test13.patch:
    - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
    - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)

 arch/arm/include/asm/uaccess.h |   20 ++++++++++----------
 arch/arm/kernel/armksyms.c     |    2 +-
 arch/arm/kernel/entry-armv.S   |    4 ++--
 arch/arm/mm/Kconfig            |    2 +-
 arch/x86/ia32/ia32entry.S      |    4 ++--
 arch/x86/include/asm/page.h    |    1 +
 arch/x86/kernel/entry_32.S     |    4 ++--
 arch/x86/kernel/entry_64.S     |    8 ++++----
 arch/x86/kernel/head64.c       |   12 ++++++------
 arch/x86/kernel/head_64.S      |   16 ++++++++++++----
 arch/x86/mm/init.c             |    8 ++++++++
 arch/x86/mm/init_32.c          |    6 ------
 arch/x86/mm/init_64.c          |    6 ------
 arch/x86/platform/efi/efi_32.c |    5 +++++
 arch/x86/platform/efi/efi_64.c |   10 ++++++++++
 15 files changed, 64 insertions(+), 44 deletions(-)

commit 89085d2d0643813a62f23d1199a335dc1e129bc0
Merge: 963af7f 0adf2e7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 14:55:44 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:46:02 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:29:51 2013 -0400

    update log arguments

 grsecurity/grsec_sig.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:20:23 2013 -0400

    Update logging of suid exec ban
    
    Conflicts:
    
        grsecurity/grsec_sig.c

 grsecurity/grsec_sig.c |    3 +--
 include/linux/grmsg.h  |    1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

commit ef808866c070aa1901bd2224521baaf5d145a3a7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 12:58:33 2013 -0400

    Additional improvements to the user banning code:
    
    Separate the kernel-bruteforcing case from the suid bruteforcing case
    In the suid bruteforcing case, only kill existing copies of the bruteforced
    binary.  Instead of preventing all future execs by this user, prevent them
    from executing any suid/sgid binaries for the next 15 minutes.
    
    Kernel case is mostly unchanged from before, except the task trying to change
    real uid to the banned user will be terminated instead of failing the setuid
    call.
    
    Configuration help has been updated to reflect the new changes.

 fs/exec.c                  |   13 +++++---
 grsecurity/Kconfig         |    5 ++-
 grsecurity/gracl.c         |    6 ++--
 grsecurity/grsec_sig.c     |   76 ++++++++++++++++++++++++++------------------
 include/linux/grsecurity.h |    1 -
 include/linux/sched.h      |    9 +++--
 6 files changed, 65 insertions(+), 45 deletions(-)

commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 16:14:09 2013 -0400

    fix renamed export of csum_partial_copy_from_user, as reported by fabled
    on the forums

 arch/arm/kernel/armksyms.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 318235973c2a548c3d25562645d6b69f66e85934
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 16:09:16 2013 -0400

    make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
    reported on the forums by fabled

 arch/arm/mm/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 15:53:12 2013 -0400

    Revise the user ban code to kill the process issuing a banned
    set*id instead of returning an error.  For the sake of keeping
    unified user banning between the suid and kernel bruteforce case,
    we will apply this killing to the suid bruteforce case, despite
    a check just at exec time (that already existed) being sufficient.
    
    Returning an error could enable exploitation of the "failure to check
    setuid return value" case which was recently effectively closed
    upstream, albeit in a rare situation with a suitable binary and
    two colluding users.
    
    Many thanks to stealth for reviewing the user ban code.

 grsecurity/gracl.c     |    4 ++--
 grsecurity/grsec_sig.c |   16 +++++++++++++---
 2 files changed, 15 insertions(+), 5 deletions(-)

commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Date:   Fri Jun 28 14:15:15 2013 +0300

    Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
    
    UBIFS: fix a horrid bug
    
    Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
    mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
    in the middle of 'ubifs_readdir()'.
    
    This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
    it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
    but this may corrupt memory and lead to all kinds of problems like crashes an
    security holes.
    
    This patch fixes the problem by using the 'file->f_version' field, which
    '->llseek()' always unconditionally sets to zero. We set it to 1 in
    'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
    seek and it is time to clear the state saved in 'file->private_data'.
    
    I tested this patch by writing a user-space program which runds readdir and
    seek in parallell. I could easily crash the kernel without these patches, but
    could not crash it with these patches.
    
    Cc: stable@vger.kernel.org
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/ubifs/dir.c |   30 +++++++++++++++++++++++++++---
 1 files changed, 27 insertions(+), 3 deletions(-)

commit c22280b85088978bd8b45bd23096879459b48008
Author: Stephane Eranian <eranian@google.com>
Date:   Thu Jun 20 11:36:28 2013 +0200

    Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
    
    perf: Disable monitoring on setuid processes for regular users
    
    There was a a bug in setup_new_exec(), whereby
    the test to disabled perf monitoring was not
    correct because the new credentials for the
    process were not yet committed and therefore
    the get_dumpable() test was never firing.
    
    The patch fixes the problem by moving the
    perf_event test until after the credentials
    are committed.
    
    Signed-off-by: Stephane Eranian <eranian@google.com>
    Tested-by: Jiri Olsa <jolsa@redhat.com>
    Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 fs/exec.c |   16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 29 13:10:02 2013 -0400

    on context switch, make sure we switch DACR when domain support and
    KERNEXEC is disabled but UDEREF is enabled

 arch/arm/kernel/entry-armv.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 08d017fa51370921694ce087b28c96fec92993d4
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jun 23 17:26:58 2013 +0300

    Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
    
    macvtap: fix recovery from gup errors
    
    get user pages might fail partially in macvtap zero copy
    mode. To recover we need to put all pages that we got,
    but code used a wrong index resulting in double-free
    errors.
    
    Reported-by: Brad Hubbard <bhubbard@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jun 23 17:19:03 2013 +0300

    Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
    
    tun: fix recovery from gup errors
    
    get user pages might fail partially in tun zero copy
    mode. To recover we need to put all pages that we got,
    but code used a wrong index resulting in double-free
    errors.
    
    Reported-by: Brad Hubbard <bhubbard@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
Author: Balazs Peter Odor <balazs@obiserver.hu>
Date:   Sat Jun 22 19:24:43 2013 +0200

    Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
    
    netfilter: nf_nat_sip: fix mangling
    
    In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
    there were some missing brackets around the logging information, thus
    always returning drop.
    
    Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
    
    Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_nat_sip.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
Date:   Sun Jun 2 16:30:40 2013 -0400

    Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
    
    Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
    
    If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
    controller, memory corruption happens due to a memcpy() call with
    negative length.
    
    Fix this crash on either incoming or outgoing connections with a MTU
    smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
    
    [   46.885433] BUG: unable to handle kernel paging request at f56ad000
    [   46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
    [   46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
    [   46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
    [   46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
    [   46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
    [   46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [   46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
    [   46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
    [   46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
    [   46.888037] EIP is at memcpy+0x1d/0x40
    [   46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
    [   46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
    [   46.888037]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    [   46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
    [   46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    [   46.888037] DR6: ffff0ff0 DR7: 00000400
    [   46.888037] Stack:
    [   46.888037]  fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
    [   46.888037]  f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
    [   46.888037]  f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
    [   46.888037] Call Trace:
    [   46.888037]  [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
    [   46.888037]  [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
    [   46.888037]  [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
    [   46.888037]  [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064ad20>] ? mutex_lock_nested+0x280/0x360
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<c064ad08>] ? mutex_lock_nested+0x268/0x360
    [   46.888037]  [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
    [   46.888037]  [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
    [   46.888037]  [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
    [   46.888037]  [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
    [   46.888037]  [<c0158979>] process_one_work+0x1a9/0x600
    [   46.888037]  [<c01588fb>] ? process_one_work+0x12b/0x600
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c0159187>] worker_thread+0xf7/0x320
    [   46.888037]  [<c0159090>] ? rescuer_thread+0x290/0x290
    [   46.888037]  [<c01602f8>] kthread+0xa8/0xb0
    [   46.888037]  [<c0656777>] ret_from_kernel_thread+0x1b/0x28
    [   46.888037]  [<c0160250>] ? flush_kthread_worker+0x120/0x120
    [   46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
    [   46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
    [   46.888037] CR2: 00000000f56ad000
    [   46.888037] ---[ end trace 0217c1f4d78714a9 ]---
    
    Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 net/bluetooth/l2cap_core.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b0471b6c1160858fc646d8e94628fd1299f61692
Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
Date:   Fri Jun 21 19:55:11 2013 +0530

    Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
    
    Bluetooth: Fix invalid length check in l2cap_information_rsp()
    
    The length check is invalid since the length varies with type of
    info response.
    
    This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
    
    Because of this, l2cap info rsp is not handled and command reject is sent.
    
    > ACL data: handle 11 flags 0x02 dlen 16
            L2CAP(s): Info rsp: type 2 result 0
              Extended feature mask 0x00b8
                Enhanced Retransmission mode
                Streaming mode
                FCS Option
                Fixed Channels
    < ACL data: handle 11 flags 0x00 dlen 10
            L2CAP(s): Command rej: reason 0
              Command not understood
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
    Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
    Acked-by: Johan Hedberg <johan.hedberg@intel.com>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>

 net/bluetooth/l2cap_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4184af98c360d825e638b268b1a9847232e8d299
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jun 26 04:15:07 2013 -0700

    Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
    
    ipv6: ip6_sk_dst_check() must not assume ipv6 dst
    
    It's possible to use AF_INET6 sockets and to connect to an IPv4
    destination. After this, socket dst cache is a pointer to a rtable,
    not rt6_info.
    
    ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
    various corruptions/crashes can happen.
    
    Dave Jones can reproduce immediate crash with
    trinity -q -l off -n -c sendmsg -c connect
    
    With help from Hannes Frederic Sowa
    
    Reported-by: Dave Jones <davej@redhat.com>
    Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:29:54 2013 +0800

    Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
    
    dlci: acquire rtnl_lock before calling __dev_get_by_name()
    
    Otherwise the net device returned can be freed at anytime.
    
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

commit 1fe6f23c9acd14d832d056909ff326bde418e645
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:31:58 2013 +0800

    Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
    
    dlci: validate the net device in dlci_del()
    
    We triggered an oops while running trinity with 3.4 kernel:
    
    BUG: unable to handle kernel paging request at 0000000100000d07
    IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
    PGD 640c0d067 PUD 0
    Oops: 0000 [#1] PREEMPT SMP
    CPU 3
    ...
    Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285          /BC11BTSA
    RIP: 0010:[<ffffffffa0109738>]  [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
    ...
    Call Trace:
      [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
      [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
      [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
      [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
      [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
    ...
    
    It's because the net device is not a dlci device.
    
    Reported-by: Li Jinyue <lijinyue@huawei.com>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit 4d4464407611527ef6b6b5475cfcab6121b3da66
Merge: 59571a9 963af7f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 27 18:54:52 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 963af7f7f591759b731ce6325ceb583a72fcf423
Merge: c51e25a 55db48a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 27 18:54:42 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 59571a9db7485f530a1e865a13cacc4c991ec41f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:39:08 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: Steffen Klassert <steffen.klassert@secunet.com>,
            "David S. Miller" <davem@davemloft.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
            Herbert Xu <herbert@gondor.apana.org.au>
    Subject: [PATCH] af_key: fix info leaks in notify messages
    
    key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
    the sadb_msg_reserved member of the broadcasted message and thereby
    leak 2 bytes of heap memory to listeners. Fix that.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>

 net/key/af_key.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:33:06 2013 -0400

    update rand_threadstack code to continue the search for a gap if the first
    choice doesn't have enough space, instead of returning ENOMEM

 mm/mmap.c |   17 ++++++++++-------
 1 files changed, 10 insertions(+), 7 deletions(-)

commit 87020d4a4d83038d65ff1fd519938840f6888b9e
Merge: 2682346 c51e25a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:25:32 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c51e25a23f30a1198076bd085f19b2073caf164d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:24:54 2013 -0400

    Update to pax-linux-3.9.7-test12.patch:
    - fixed a regression on PARAVIRT/amd64 kernels
    - simplified the recent vm_unmapped_area_info based change

 arch/x86/kernel/entry_64.S |    8 ++++----
 mm/mmap.c                  |   22 ++++++++++++----------
 2 files changed, 16 insertions(+), 14 deletions(-)

commit 26823469a08e59cb67bea18d448d9e8c65f82e08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 21:26:51 2013 -0400

    re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
    vm_unmapped_area code is complete

 arch/x86/kernel/sys_i386_32.c |    5 +++++
 grsecurity/Kconfig            |    2 +-
 mm/mmap.c                     |   11 ++++++++++-
 3 files changed, 16 insertions(+), 2 deletions(-)

commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
Merge: e58fe8c c4e0704
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:08:52 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kernel/sys_i386_32.c

commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:05:39 2013 -0400

    Update to pax-linux-3.9.7-test11.patch:
    - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
    - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
    - fixed the recent nested nmi related fixes some more
    - fixed a regression in kernel memory initialization on relocatable i386 kernels
    - empty_zero_page can be read-only on amd64 as well

 arch/arm/mm/mmap.c            |    6 --
 arch/x86/kernel/entry_64.S    |    8 +--
 arch/x86/kernel/head_64.S     |    1 -
 arch/x86/kernel/setup.c       |    2 +-
 arch/x86/kernel/sys_i386_32.c |  160 ++++++++++++----------------------------
 drivers/lguest/core.c         |    2 +-
 include/linux/mm.h            |    6 +-
 include/linux/vmalloc.h       |    2 +-
 mm/mmap.c                     |   30 +++++++-
 9 files changed, 83 insertions(+), 134 deletions(-)

commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 23 14:37:14 2013 -0400

    second compile fix, reported by forsaken on forums

 include/linux/vmalloc.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 23 14:36:35 2013 -0400

    compile fix, reported by KDE on forums

 kernel/printk.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit 1fc9a5e2e267205d28302e1e86ca0da434561111
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun Jun 16 21:27:12 2013 +0100

    Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
    
    x86/efi: Fix dummy variable buffer allocation
    
    1. Check for allocation failure
    2. Clear the buffer contents, as they may actually be written to flash
    3. Don't leak the buffer
    
    Compile-tested only.
    
    [ Tested successfully on my buggy ASUS machine - Matt ]
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Matt Fleming <matt.fleming@intel.com>

 arch/x86/platform/efi/efi.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
Author: Dave Kleikamp <dave.kleikamp@oracle.com>
Date:   Tue Jun 18 09:05:36 2013 -0500

    Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
    
    sparc: tsb must be flushed before tlb
    
    This fixes a race where a cpu may re-load a tlb from a stale tsb right
    after it has been flushed by a remote function call.
    
    I still see some instability when stressing the system with parallel
    kernel builds while creating memory pressure by writing to
    /proc/sys/vm/nr_hugepages, but this patch improves the stability
    significantly.
    
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Acked-by: Bob Picco <bob.picco@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/tlb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d93b62f6485db9aadda34322a6867868db07f56f
Merge: 4ef62f5 71d83e9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:52:55 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 71d83e97c936563913bcfb5a25c45b2021a331eb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:48:42 2013 -0400

    Update to pax-linux-3.9.7-test10.patch:
    - fixed a few format string problems uncovered by -Wformat-nonliteral
    - another attempt at fixing the nested nmi/cr0.wp problem
    - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
    - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
    - fixed a locking issue with track_exec_limit reported by spender
    - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)

 Documentation/dontdiff                  |    1 +
 arch/x86/boot/compressed/efi_stub_32.S  |   16 ++-----
 arch/x86/kernel/cpu/mcheck/mce.c        |    2 +-
 arch/x86/kernel/e820.c                  |    4 +-
 arch/x86/kernel/entry_64.S              |   74 ++++++++++++++++++------------
 arch/x86/kernel/vmlinux.lds.S           |    2 +-
 block/genhd.c                           |   11 +++--
 crypto/algapi.c                         |    2 +-
 crypto/pcrypt.c                         |    6 +-
 drivers/base/attribute_container.c      |    2 +-
 drivers/base/power/sysfs.c              |    2 +-
 drivers/block/nbd.c                     |    2 +-
 drivers/cdrom/cdrom.c                   |    2 +-
 drivers/char/hw_random/intel-rng.c      |    2 +-
 drivers/char/mem.c                      |    2 +-
 drivers/devfreq/devfreq.c               |    2 +-
 drivers/gpu/drm/drm_encoder_slave.c     |    6 +--
 drivers/gpu/drm/drm_sysfs.c             |    2 +-
 drivers/gpu/drm/ttm/ttm_memory.c        |    4 +-
 drivers/iommu/irq_remapping.c           |    2 +-
 drivers/video/output.c                  |    2 +-
 fs/ext4/mmp.c                           |    2 +-
 fs/ext4/super.c                         |    2 +-
 fs/lockd/svc.c                          |    2 +-
 fs/nfs/callback.c                       |    4 +-
 fs/nfs/nfs4state.c                      |    2 +-
 fs/nfsd/nfscache.c                      |    3 +-
 init/initramfs.c                        |    2 +-
 kernel/rcutree.c                        |    2 +-
 lib/kobject.c                           |    2 +-
 mm/backing-dev.c                        |    4 +-
 mm/mmap.c                               |    4 +-
 mm/slub.c                               |    2 +-
 mm/vmalloc.c                            |   15 +++----
 net/bluetooth/hci_core.c                |    8 ++--
 net/netfilter/nf_conntrack_proto_dccp.c |    4 +-
 net/sunrpc/svc.c                        |    2 +-
 security/Kconfig                        |   15 +++---
 sound/core/sound.c                      |    2 +-
 sound/sound_core.c                      |    2 +-
 40 files changed, 116 insertions(+), 111 deletions(-)

commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
Merge: 39efd8f 256eff7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:45:15 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        kernel/printk.c

commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
Merge: e6e3059 485f25f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 20 22:14:24 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 18 17:20:18 2013 -0400

    add apparmor compat patch

 security/apparmor/Kconfig      |    9 ++
 security/apparmor/apparmorfs.c |  231 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 240 insertions(+), 0 deletions(-)

commit 49bee3c5341687504669bf62becf4a419a226ba0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 17 18:48:04 2013 -0400

    Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
    
    This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.

 kernel/sys.c |   29 +++--------------------------
 1 files changed, 3 insertions(+), 26 deletions(-)

commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Sun Jun 16 18:06:06 2013 +0100

    Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
    
    lseek(fd, n, SEEK_END) does *not* go to eof - n
    
    When you copy some code, you are supposed to read it.  If nothing else,
    there's a chance to spot and fix an obvious bug instead of sharing it...
    
    X-Song: "I Got It From Agnes", by Tom Lehrer
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    [ Tom Lehrer? You're dating yourself, Al ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/net/ethernet/brocade/bna/bnad_debugfs.c |    2 +-
 drivers/scsi/bfa/bfad_debugfs.c                 |    2 +-
 drivers/scsi/fnic/fnic_debugfs.c                |    2 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                |    2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

commit 5a450f1c46f0c84379518aee878993d3f4a331b6
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Thu Jun 6 11:14:31 2013 -0400

    Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
    
    ext4: verify group number in verify_group_input() before using it
    
    Check the group number for sanity earilier, before calling routines
    such as ext4_bg_has_super() or ext4_group_overhead_blocks().
    
    Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

 fs/ext4/resize.c |   17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Wed Jun 12 14:26:44 2013 -0400

    Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
    
    sctp: fully initialize sctp_outq in sctp_outq_init
    
    In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
    (refactor sctp_outq_teardown to insure proper re-initalization)
    we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
    outq structure.  Steve West recently asked me why I removed the q->error = 0
    initalization from sctp_outq_teardown.  I did so because I was operating under
    the impression that sctp_outq_init would properly initalize that value for us,
    but it doesn't.  sctp_outq_init operates under the assumption that the outq
    struct is all 0's (as it is when called from sctp_association_init), but using
    it in __sctp_outq_teardown violates that assumption. We should do a memset in
    sctp_outq_init to ensure that the entire structure is in a known state there
    instead.
    
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
    CC: Vlad Yasevich <vyasevich@gmail.com>
    CC: netdev@vger.kernel.org
    CC: davem@davemloft.net
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/sctp/outqueue.c

 net/sctp/outqueue.c |    8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit e13515ad7a9c7634599a105b2527752e527a905d
Author: Saurabh Mohan <saurabh@vyatta.com>
Date:   Mon Jun 10 17:45:10 2013 -0700

    Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
    
    net/ipv4: ip_vti clear skb cb before tunneling.
    
    If users apply shaper to vti tunnel then it will cause a kernel crash. The
    problem seems to be due to the vti_tunnel_xmit function not clearing
    skb->opt field before passing the packet to xfrm tunneling code.
    
    Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
    Acked-by: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_vti.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:36 2013 +0200

    Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
    
    l2tp: Fix sendmsg() return value
    
    PPPoL2TP sockets should comply with the standard send*() return values
    (i.e. return number of bytes sent instead of 0 upon success).
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit af361b412e816e894fb42ddff7a0545b7def64c0
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:23 2013 +0200

    Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
    
    l2tp: Fix PPP header erasure and memory leak
    
    Copy user data after PPP framing header. This prevents erasure of the
    added PPP header and avoids leaking two bytes of uninitialised memory
    at the end of skb's data buffer.
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1f43aca088c35dda35abf76e08544e534c71fed4
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed Jun 12 16:02:27 2013 +0200

    Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
    
    packet: packet_getname_spkt: make sure string is always 0-terminated
    
    uaddr->sa_data is exactly of size 14, which is hard-coded here and
    passed as a size argument to strncpy(). A device name can be of size
    IFNAMSIZ (== 16), meaning we might leave the destination string
    unterminated. Thus, use strlcpy() and also sizeof() while we're
    at it. We need to memset the data area beforehand, since strlcpy
    does not padd the remaining buffer with zeroes for user space, so
    that we do not possibly leak anything.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/packet/af_packet.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Jun 5 19:38:26 2013 +0000

    Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
    
    net: Unbreak compat_sys_{send,recv}msg
    
    I broke them in this commit:
    
        commit 1be374a0518a288147c6a7398792583200a67261
        Author: Andy Lutomirski <luto@amacapital.net>
        Date:   Wed May 22 14:07:44 2013 -0700
    
            net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
    MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints.  It
    also reverts some unnecessary checks in sys_socketcall.
    
    Apparently I was suffering from underscore blindness the first time around.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Tested-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/socket.h |    3 ++
 net/compat.c           |   13 +++++++-
 net/socket.c           |   72 ++++++++++++++++++++++--------------------------
 3 files changed, 47 insertions(+), 41 deletions(-)

commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed May 22 14:07:44 2013 -0700

    Upstream commit: 1be374a0518a288147c6a7398792583200a67261
    
    net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    To: linux-kernel@vger.kernel.org
    Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
        Miller" <davem@davemloft.net>
    Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
    it's a hack that steals a bit to indicate to other networking code
    that a compat entry was used.  So don't allow it from a non-compat
    syscall.
    
    This prevents an oops when running this code:
    
    int main()
    {
        int s;
        struct sockaddr_in addr;
        struct msghdr *hdr;
    
        char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
                              PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
        if (highpage == MAP_FAILED)
                err(1, "mmap");
    
        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if (s == -1)
                err(1, "socket");
    
            addr.sin_family = AF_INET;
            addr.sin_port = htons(1);
            addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
                err(1, "connect");
    
        void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
        printf("Evil address is %p\n", evil);
    
        if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
                err(1, "sendmmsg");
    
        return 0;
    }
    
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/socket.c |   33 +++++++++++++++++++++++++++++++--
 1 files changed, 31 insertions(+), 2 deletions(-)

commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
Author: Kees Cook <keescook@chromium.org>
Date:   Fri May 10 14:48:21 2013 -0700

    Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
    
    b43: stop format string leaking into error msgs
    
    The module parameter "fwpostfix" is userspace controllable, unfiltered,
    and is used to define the firmware filename. b43_do_request_fw() populates
    ctx->errors[] on error, containing the firmware filename. b43err()
    parses its arguments as a format string. For systems with b43 hardware,
    this could lead to a uid-0 to ring-0 escalation.
    
    CVE-2013-2852
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/b43/main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dfb67a67049ace7b94ad7e2febfac69816d50d85
Author: Mark A. Greer <mgreer@animalcreek.com>
Date:   Wed May 29 12:25:34 2013 -0700

    Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
    
    mwifiex: debugfs: Fix out of bounds array access
    
    When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
    the following panic occurs:
    
    $ cat /sys/kernel/debug/mwifiex/p2p0/info
    Unable to handle kernel paging request at virtual address 74706164
    pgd = de530000
    [74706164] *pgd=00000000
    Internal error: Oops: 5 [#1] SMP ARM
    Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
    CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
    task: de16b6c0 ti: de048000 task.ti: de048000
    PC is at strnlen+0xc/0x4c
    LR is at string+0x3c/0xf8
    pc : [<c02c123c>]    lr : [<c02c2d1c>]    psr: a0000013
    sp : de049e10  ip : c06efba0  fp : de6d2092
    r10: bf01a260  r9 : ffffffff  r8 : 74706164
    r7 : 0000ffff  r6 : ffffffff  r5 : de6d209c  r4 : 00000000
    r3 : ff0a0004  r2 : 74706164  r1 : ffffffff  r0 : 74706164
    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 9e530019  DAC: 00000015
    Process cat (pid: 1635, stack limit = 0xde048240)
    Stack: (0xde049e10 to 0xde04a000)
    9e00:                                     de6d2092 00000002 bf01a25e de6d209c
    9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
    9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
    9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
    9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
    9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
    9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
    9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
    9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
    9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
    9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
    9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
    9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
    9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
    [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
    [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
    [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
    [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
    [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
    [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
    [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
    Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
    ---[ end trace ca98273dc605a04f ]---
    
    The panic is caused by the mwifiex_info_read() routine assuming that
    there can only be four modes (0-3) which is an invalid assumption.
    For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
    code accesses data beyond the bounds of the bss_modes[] array which
    causes the panic.  Fix this by updating bss_modes[] to support the
    current list of modes and adding a check to prevent the out-of-bounds
    access from occuring in the future when more modes are added.
    
    Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
    Acked-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/mwifiex/debugfs.c |   22 +++++++++++++++++-----
 1 files changed, 17 insertions(+), 5 deletions(-)

commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
Author: Johan Hedberg <johan.hedberg@intel.com>
Date:   Tue May 28 13:46:30 2013 +0300

    Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
    
    Bluetooth: Fix missing length checks for L2CAP signalling PDUs
    
    There has been code in place to check that the L2CAP length header
    matches the amount of data received, but many PDU handlers have not been
    checking that the data received actually matches that expected by the
    specific PDU. This patch adds passing the length header to the specific
    handler functions and ensures that those functions fail cleanly in the
    case of an incorrect amount of data.
    
    Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 net/bluetooth/l2cap_core.c |   70 ++++++++++++++++++++++++++++++++-----------
 1 files changed, 52 insertions(+), 18 deletions(-)

commit 628be2427afb241b5a1aa24bc5907d05287e1f25
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Jun 3 12:00:49 2013 +0300

    Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
    
    ipvs: info leak in __ip_vs_get_dest_entries()
    
    The entry struct has a 2 byte hole after ->port and another 4 byte
    hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
    namespace to hit this information leak.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/ipvs/ip_vs_ctl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 066d9226bc6c569d5f420c978b758e0bddd23444
Author: Robin Holt <holt@sgi.com>
Date:   Wed Jun 12 14:04:37 2013 -0700

    Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
    
    reboot: rigrate shutdown/reboot to boot cpu
    
    We recently noticed that reboot of a 1024 cpu machine takes approx 16
    minutes of just stopping the cpus.  The slowdown was tracked to commit
    f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
    kernel_restart()").
    
    The current implementation does all the work of hot removing the cpus
    before halting the system.  We are switching to just migrating to the
    boot cpu and then continuing with shutdown/reboot.
    
    This also has the effect of not breaking x86's command line parameter
    for specifying the reboot cpu.  Note, this code was shamelessly copied
    from arch/x86/kernel/reboot.c with bits removed pertaining to the
    reboot_cpu command line parameter.
    
    Signed-off-by: Robin Holt <holt@sgi.com>
    Tested-by: Shawn Guo <shawn.guo@linaro.org>
    Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@elte.hu>
    Cc: Russ Anderson <rja@sgi.com>
    Cc: Robin Holt <holt@sgi.com>
    Cc: Russell King <linux@arm.linux.org.uk>
    Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sys.c |   29 ++++++++++++++++++++++++++---
 1 files changed, 26 insertions(+), 3 deletions(-)

commit 94e2a91600b07d39825e7059195f35eb611a39a2
Merge: 20cc761 e6e3059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 13 16:23:46 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
Merge: c6aadb1 4b73feb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 13 16:23:39 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 20cc7613e38cde07adc73179a91d6c15292e8d43
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jun 6 15:53:47 2013 +0200

    Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
    
    net: sctp: fix NULL pointer dereference in socket destruction
    
    While stress testing sctp sockets, I hit the following panic:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
    IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
    PGD 7cead067 PUD 7ce76067 PMD 0
    Oops: 0000 [#1] SMP
    Modules linked in: sctp(F) libcrc32c(F) [...]
    CPU: 7 PID: 2950 Comm: acc Tainted: GF            3.10.0-rc2+ #1
    Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
    task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
    RIP: 0010:[<ffffffffa0490c4e>]  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
    RSP: 0018:ffff88007b569e08  EFLAGS: 00010292
    RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
    RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
    RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
    R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
    FS:  00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Stack:
     ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
     ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
     0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
    Call Trace:
     [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
     [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
     [<ffffffff814df36e>] inet_create+0x2ae/0x350
     [<ffffffff81455a6f>] __sock_create+0x11f/0x240
     [<ffffffff81455bf0>] sock_create+0x30/0x40
     [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
     [<ffffffff815403be>] ? do_page_fault+0xe/0x10
     [<ffffffff8153cb32>] ? page_fault+0x22/0x30
     [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
    Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
          1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
          8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
    RIP  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
     RSP <ffff88007b569e08>
    CR2: 0000000000000020
    ---[ end trace e0d71ec1108c1dd9 ]---
    
    I did not hit this with the lksctp-tools functional tests, but with a
    small, multi-threaded test program, that heavily allocates, binds,
    listens and waits in accept on sctp sockets, and then randomly kills
    some of them (no need for an actual client in this case to hit this).
    Then, again, allocating, binding, etc, and then killing child processes.
    
    This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
    is set. The cause for that is actually very simple: in sctp_endpoint_init()
    we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
    our crypto transforms through crypto_alloc_hash(). In our scenario,
    it then can happen that crypto_alloc_hash() fails with -EINTR from
    crypto_larval_wait(), thus we bail out and release the socket via
    sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
    dereference as soon as we try to access members in the endpoint during
    sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
    if we have that case, we do not need to do any cleanup work and just
    leave the destruction handler.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 386ba837978cc8a1111440bdcd8600f2df4634a4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 12 20:37:48 2013 -0400

    fix deadlock when booting i386 kernel without NX

 mm/mmap.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 22:18:07 2013 -0400

    fix elif / elif defined() typo in recent change

 kernel/events/core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit bc43377e1e757cd37a06be0187884a42af718aab
Merge: 3cdea63 c6aadb1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 18:50:39 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 18:49:36 2013 -0400

    Update to pax-linux-3.9.4-test9.patch:
    - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
    - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort

 arch/x86/kernel/setup.c |    2 +-
 mm/mlock.c              |    1 -
 2 files changed, 1 insertions(+), 2 deletions(-)

commit 3cdea63e90607d8d55820b101854091623feedb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:21:44 2013 -0400

    Fix fanotify infoleak reported by Dan Carpenter at:
    https://lkml.org/lkml/2013/6/3/128
    
    Requires CAP_SYS_ADMIN, so this is about as low priority as it gets

 fs/notify/fanotify/fanotify_user.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 373a2b5df78f82b9d3db72bd6577e29a71591323
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:16:46 2013 -0400

    Backport infoleak fix by Dan Carpenter in cpqarray:
    https://lkml.org/lkml/2013/6/3/131

 drivers/block/cpqarray.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 251e84b9b05e063981b20be154c9389862f94759
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:04:17 2013 -0400

    Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2

 drivers/cdrom/cdrom.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 18:34:32 2013 -0400

    change const to __read_only

 kernel/sysctl.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 17:34:13 2013 -0400

    compile fix, make const values const

 kernel/sysctl.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 17:37:13 2013 -0400

    Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a

 drivers/char/mwave/tp3780i.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1c590aa70c95ebd76ba9672aa23d800b81780615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 19:50:35 2013 -0400

    allow -1 perf_event_paranoid

 kernel/sysctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
Merge: 4e85539 117c3fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 17:30:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 117c3fa8d26c3806103123560f807d99071b60b6
Merge: ed9b427 5dd2e98
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 17:30:00 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon May 13 21:25:52 2013 +0000

    Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
    
    tcp: fix tcp_md5_hash_skb_data()
    
    TCP md5 communications fail [1] for some devices, because sg/crypto code
    assume page offsets are below PAGE_SIZE.
    
    This was discovered using mlx4 driver [2], but I suspect loopback
    might trigger the same bug now we use order-3 pages in tcp_sendmsg()
    
    [1] Failure is giving following messages.
    
    huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
    exited with 00000101?
    
    [2] mlx4 driver uses order-2 pages to allocate RX frags
    
    Reported-by: Matt Schnall <mischnal@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Bernhard Beck <bbeck@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri May 17 04:53:13 2013 +0000

    Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
    
    ipv6: fix possible crashes in ip6_cork_release()
    
    commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
    added some code duplication and bad error recovery, leading to potential
    crash in ip6_cork_release() as kfree() could be called with garbage.
    
    use kzalloc() to make sure this wont happen.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
    Cc: Neal Cardwell <ncardwell@google.com>

 net/ipv6/ip6_output.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 16 23:13:04 2013 +0000

    Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
    
    net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
    
    'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
    strncpy() will always left the last byte of 'discovery->data.info'
    uninitialized.
    
    When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
    the last byte of 'discovery->data.info' uninitialized, the next
    strlen() will cause issue.
    
    Also 'discovery->data' is 'struct irda_device_info' which defined in
    "include/uapi/...", it may copy to user mode, so need whole initialized.
    
    All together, need use kzalloc() instead of kmalloc() to initialize all
    members firstly.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/irlap_frame.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c01c9af268cb066f240aec53454b8b74d8d01688
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun May 19 08:36:36 2013 +0000

    Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
    
    isdn/kcapi: fix a small underflow
    
    In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
    from skb->data.  The current code can underflow to one space before the
    start of the array.
    
    The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
    it to match the others.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/capi/kcapi.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
Author: Timo Teräs <timo.teras@iki.fi>
Date:   Wed May 22 01:40:47 2013 +0000

    Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
    
    xfrm: properly handle invalid states as an error
    
    The error exit path needs err explicitly set. Otherwise it
    returns success and the only caller, xfrm_output_resume(),
    would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
    NULL.
    
    Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
    check and add a statistic).
    
    Signed-off-by: Timo Teräs <timo.teras@iki.fi>
    Cc: Li RongQing <roy.qing.li@gmail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/xfrm/xfrm_output.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
Date:   Fri May 31 15:07:52 2013 -0400

    Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
    
    reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
    
    After sleeping for filldir(), we check to see if the file system has
    changed and research. The next_pos pointer is updated but its value
    isn't pushed into the key used for the search itself. As a result,
    the search returns the same item that the last cycle of the loop did
    and filldir() is called multiple times with the same data.
    
    The end result is that the buffer can contain the same name multiple
    times. This can be returned to userspace or used internally in the
    xattr code where it can manifest with the following warning:
    
    jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
    
    reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
    the xattr names and ends up trying to unlink the same name twice. The
    second attempt fails with -ENOENT and the error is returned. At some
    point I'll need to add support into reiserfsck to remove the orphaned
    directories left behind when this occurs.
    
    The fix is to push the value into the key before researching.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/dir.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Fri May 31 15:51:17 2013 -0400

    Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
    
    reiserfs: fix deadlock with nfs racing on create/lookup
    
    Reiserfs is currently able to be deadlocked by having two NFS clients
    where one has removed and recreated a file and another is accessing the
    file with an open file handle.
    
    If one client deletes and recreates a file with timing such that the
    recreated file obtains the same [dirid, objectid] pair as the original
    file while another client accesses the file via file handle, the create
    and lookup can race and deadlock if the lookup manages to create the
    in-memory inode first.
    
    The create thread, in insert_inode_locked4, will hold the write lock
    while waiting on the other inode to be unlocked. The lookup thread,
    anywhere in the iget path, will release and reacquire the write lock while
    it schedules. If it needs to reacquire the lock while the create thread
    has it, it will never be able to make forward progress because it needs
    to reacquire the lock before ultimately unlocking the inode.
    
    This patch drops the write lock across the insert_inode_locked4 call so
    that the ordering of inode_wait -> write lock is retained. Since this
    would have been the case before the BKL push-down, this is safe.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/inode.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Fri May 31 15:54:17 2013 -0400

    Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
    
    reiserfs: fix problems with chowning setuid file w/ xattrs
    
    reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
    and uses it to iterate over all the attrs associated with a file to change
    ownership of xattrs (and transfer quota associated with the xattr files).
    
    When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
    are passed to all the xattrs as well. This means that the xattr directory
    will have S_IFREG added to its mode bits.
    
    This has been prevented in practice by a missing IS_PRIVATE check
    in reiserfs_acl_chmod, which caused a double-lock to occur while holding
    the write lock. Since the file system was completely locked up, the
    writeout of the corrupted mode never happened.
    
    This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
    calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/xattr.c     |   14 +++++++++++++-
 fs/reiserfs/xattr_acl.c |    3 +++
 2 files changed, 16 insertions(+), 1 deletions(-)

commit c18cef940310c06bdf86d64d8cb227e56e165300
Author: Dave Chinner <dchinner@redhat.com>
Date:   Mon May 27 16:38:25 2013 +1000

    Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
    
    xfs: kill suid/sgid through the truncate path.
    
    XFS has failed to kill suid/sgid bits correctly when truncating
    files of non-zero size since commit c4ed4243 ("xfs: split
    xfs_setattr") introduced in the 3.1 kernel. Fix it.
    
    Fix it.
    
    cc: stable kernel <stable@vger.kernel.org>
    Signed-off-by: Dave Chinner <dchinner@redhat.com>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Signed-off-by: Ben Myers <bpm@sgi.com>
    
    (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)

 fs/xfs/xfs_iops.c |   47 ++++++++++++++++++++++++++++++++---------------
 1 files changed, 32 insertions(+), 15 deletions(-)

commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Wed May 29 15:36:40 2013 -0400

    Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
    
    NFSv4: Fix a thinko in nfs4_try_open_cached
    
    We need to pass the full open mode flags to nfs_may_open() when doing
    a delegated open.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: stable@vger.kernel.org

 fs/nfs/nfs4proc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c47de62893a9f269be0a272c2840aac1e2a35c68
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 30 01:18:43 2013 +0000

    Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
    
    parisc: kernel: using strlcpy() instead of strcpy()
    
    'boot_args' is an input args, and 'boot_command_line' has a fix length.
    So use strlcpy() instead of strcpy() to avoid memory overflow.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Acked-by: Kyle McMartin <kyle@mcmartin.ca>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/kernel/setup.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit ce869e6f799f95fcac340420ba3612503df80dbf
Author: Chen Gang <gang.chen@asianux.com>
Date:   Mon May 27 04:57:09 2013 +0000

    Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
    
    parisc: memory overflow, 'name' length is too short for using
    
    'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
    * "%u:" + "%u" + '\0') may be 21.
    
    Since 'name' length is 20, it may be memory overflow.
    
    And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
    max length of 'name' must be less than 28.
    
    So simplify thinking, we can use 28 instead of 20 directly, and do not
    think of whether 'patchc.bc[i]' can '> 100'.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/kernel/drivers.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5dc65cd34d442783118a17c518e2daedb90a31d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 4 17:52:23 2013 -0400

    add PERF_HARDEN recommendation

 grsecurity/Kconfig |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 4 17:22:44 2013 -0400

    Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN

 grsecurity/Kconfig         |   19 +++++++++++++++++++
 include/linux/perf_event.h |    5 +++++
 kernel/events/core.c       |   10 +++++++++-
 kernel/sysctl.c            |    9 ++++++++-
 4 files changed, 41 insertions(+), 2 deletions(-)

commit 84619a3501fd38285a72d9e963f58d1827beedd6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 14:23:31 2013 -0400

    remove user-triggerable BUG_ON in do_munlockall()

 mm/mlock.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 13:44:05 2013 -0400

    Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
    
    From: Kees Cook <keescook@chromium.org>
    Date: Thu, 23 May 2013 17:32:17 +0000
    Subject: iscsi-target: fix heap buffer overflow on error
    
    If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
    error response packet, generated by iscsi_add_notunderstood_response(),
    would still attempt to copy the entire key into the packet, overflowing
    the structure on the heap.
    
    Remote preauthentication kernel memory corruption was possible if a
    target was configured and listening on the network.
    
    CVE-2013-2850
    
    Embargo-screwup-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

 drivers/target/iscsi/iscsi_target_parameters.c |    8 +++-----
 drivers/target/iscsi/iscsi_target_parameters.h |    4 +++-
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 13:43:26 2013 -0400

    Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
    Applying upstream fix instead
    
    This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.

 drivers/target/iscsi/iscsi_target_parameters.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun May 19 21:52:20 2013 +0300

    Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
    
    USB: cxacru: potential underflow in cxacru_cm_get_array()
    
    commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
    
    The value of "offd" comes off the instance->rcv_buf[] and we used it as
    the offset into an array.  The problem is that we check the upper bound
    but not for negative values.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

 drivers/usb/atm/cxacru.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 11:30:17 2013 -0400

    Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters

 drivers/target/iscsi/iscsi_target_parameters.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 8578566969d91678a3d7d5251b4eafc6d7775314
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 30 17:44:15 2013 -0400

    Apply compatibility fix to previous RLIMIT_NPROC change
    don't enforce the rlimit check at exec time if the user is root
    Prevents problems with sudo if root is listed as part of a group
    in limits.conf with process limits enforced

 kernel/sys.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
Merge: 643b294 ed9b427
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:19:28 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit ed9b4276488528d0c3803df1dc0df804238241e0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:18:45 2013 -0400

    Updated to pax-linux-3.9.4-test8.patch:
    - fixed some fallout detected by the checker plugin

 arch/x86/kernel/crash_dump_64.c               |    2 +-
 drivers/base/devtmpfs.c                       |    6 +++---
 drivers/char/agp/compat_ioctl.c               |    2 +-
 drivers/char/agp/frontend.c                   |    2 +-
 drivers/char/mem.c                            |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c         |    4 ++--
 drivers/i2c/i2c-dev.c                         |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c |    6 +++---
 drivers/media/v4l2-core/v4l2-ioctl.c          |   20 ++++++++++++--------
 fs/9p/vfs_addr.c                              |    2 +-
 fs/binfmt_elf.c                               |    4 ++--
 fs/compat_ioctl.c                             |    4 ++--
 fs/exec.c                                     |    2 +-
 fs/namespace.c                                |    8 ++++----
 fs/proc/vmcore.c                              |   12 ++++++++----
 fs/read_write.c                               |    2 +-
 include/linux/syscalls.h                      |    8 ++++----
 init/do_mounts_initrd.c                       |    8 ++++----
 init/main.c                                   |    4 ++--
 kernel/events/core.c                          |    2 +-
 kernel/events/internal.h                      |   10 +++++-----
 mm/page_io.c                                  |    2 +-
 security/keys/internal.h                      |    2 +-
 tools/gcc/checker_plugin.c                    |    1 +
 24 files changed, 63 insertions(+), 54 deletions(-)

commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 18:51:31 2013 -0400

    eliminate gcc warning

 fs/exec.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 18:30:20 2013 -0400

    use BUILD_BUG() instead of BUILD_BUG_ON(1)

 arch/x86/net/bpf_jit_comp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 5343410354267368e5809f3ad8d9a264f141be18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 17:57:41 2013 -0400

    defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
    for unknown opcodes

 arch/x86/net/bpf_jit_comp.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
Date:   Fri May 24 15:55:11 2013 -0700

    Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
    
    mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
    
    Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
    multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
    fix freed page still mapped in secondary MMU").
    
    Since hlist_for_each_entry_rcu() is changed now, we can not revert that
    patch directly, so this patch reverts the commit and simply fix the bug
    spotted by that patch
    
    This bug spotted by commit 751efd8610d3 is:
    
        There is a race condition between mmu_notifier_unregister() and
        __mmu_notifier_release().
    
        Assume two tasks, one calling mmu_notifier_unregister() as a result
        of a filp_close() ->flush() callout (task A), and the other calling
        mmu_notifier_release() from an mmput() (task B).
    
                            A                               B
        t1                                            srcu_read_lock()
        t2            if (!hlist_unhashed())
        t3                                            srcu_read_unlock()
        t4            srcu_read_lock()
        t5                                            hlist_del_init_rcu()
        t6                                            synchronize_srcu()
        t7            srcu_read_unlock()
        t8            hlist_del_rcu()  <--- NULL pointer deref.
    
    This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
    
    The another issue spotted in the commit is "multiple ->release()
    callouts", we needn't care it too much because it is really rare (e.g,
    can not happen on kvm since mmu-notify is unregistered after
    exit_mmap()) and the later call of multiple ->release should be fast
    since all the pages have already been released by the first call.
    Anyway, this issue should be fixed in a separate patch.
    
    -stable suggestions: Any version that has commit 751efd8610d3 need to be
    backported.  I find the oldest version has this commit is 3.0-stable.
    
    [akpm@linux-foundation.org: tweak comments]
    Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
    Tested-by: Robin Holt <holt@sgi.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmu_notifier.c |   79 ++++++++++++++++++++++++++---------------------------
 1 files changed, 39 insertions(+), 40 deletions(-)

commit 163a5539b36247865d39b2bcfa8efc03a62124a6
Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Date:   Fri May 24 15:55:21 2013 -0700

    Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
    
    mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
    
    We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
    set_pmd_at is used to set pmd with huge pte entries and architectures
    like ppc64, clear few flags from the pte when saving a new entry.
    Without this change we observe bad pte errors like below on ppc64 with
    THP enabled.
    
      BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/huge_memory.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date:   Fri May 24 15:55:08 2013 -0700

    Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
    
    fat: fix possible overflow for fat_clusters
    
    Intermediate value of fat_clusters can be overflowed on 32bits arch.
    
    Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/fat/inode.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
Author: Jarod Wilson <jarod@redhat.com>
Date:   Fri May 24 15:55:31 2013 -0700

    Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
    
    drivers/char/random.c: fix priming of last_data
    
    Commit ec8f02da9ea5 ("random: prime last_data value per fips
    requirements") added priming of last_data per fips requirements.
    
    Unfortuantely, it did so in a way that can lead to multiple threads all
    incrementing nbytes, but only one actually doing anything with the extra
    data, which leads to some fun random corruption and panics.
    
    The fix is to simply do everything needed to prime last_data in a single
    shot, so there's no window for multiple cpus to increment nbytes -- in
    fact, we won't even increment or decrement nbytes anymore, we'll just
    extract the needed EXTRACT_SIZE one time per pool and then carry on with
    the normal routine.
    
    All these changes have been tested across multiple hosts and
    architectures where panics were previously encoutered.  The code changes
    are are strictly limited to areas only touched when when booted in fips
    mode.
    
    This change should also go into 3.8-stable, to make the myriads of fips
    users on 3.8.x happy.
    
    Signed-off-by: Jarod Wilson <jarod@redhat.com>
    Tested-by: Jan Stancek <jstancek@redhat.com>
    Tested-by: Jan Stodola <jstodola@redhat.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Matt Mackall <mpm@selenic.com>
    Cc: "Theodore Ts'o" <tytso@mit.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c |   30 +++++++++++++++---------------
 1 files changed, 15 insertions(+), 15 deletions(-)

commit 2d74639040ba6ce47f57ec010714ec06529c4b42
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Fri May 24 15:55:33 2013 -0700

    Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
    
    random: fix accounting race condition with lockless irq entropy_count update
    
    Commit 902c098a3663 ("random: use lockless techniques in the interrupt
    path") turned IRQ path from being spinlock protected into lockless
    cmpxchg-retry update.
    
    That commit removed r->lock serialization between crediting entropy bits
    from IRQ context and accounting when extracting entropy on userspace
    read path, but didn't turn the r->entropy_count reads/updates in
    account() to use cmpxchg as well.
    
    It has been observed, that under certain circumstances this leads to
    read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
    corrupted and becomes negative, which in turn results in propagating 0
    all the way from account() to the actual read() call.
    
    Convert the accounting code to be the proper lockless counterpart of
    what has been partially done by 902c098a3663.
    
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: Greg KH <greg@kroah.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c |   26 +++++++++++++++++---------
 1 files changed, 17 insertions(+), 9 deletions(-)

commit 65d05c7ea468c23c175105526dd4f163302a92cf
Merge: 1a98d0a 6ce3a135
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 25 07:48:15 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kernel/vm86_32.c

commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
Merge: 79bdd65 0bfd8ff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 25 07:46:55 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 18:42:23 2013 -0400

    use existing local variable

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b2b80ef8586061e32e986b31608717c25d1e7c54
Merge: cb45fbd 79bdd65
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 17:58:53 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 79bdd65dac68267bc1b201c6b4a99966a373c305
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 17:57:46 2013 -0400

    Update to pax-linux-3.9.3-test7.patch:
    - fixed some size overflow related warnings (hash table, attributes)
    - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html

 arch/x86/include/asm/page_64.h    |    2 +-
 arch/x86/kernel/head64.c          |    2 +-
 tools/gcc/constify_plugin.c       |   48 ++-
 tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
 4 files changed, 651 insertions(+), 592 deletions(-)

commit cb45fbda4967b1b544a754fbdc92d73283379522
Merge: 62588fa 57c11b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 20 17:32:17 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 57c11b85acd841a088aa4df8e60be337880df8cd
Merge: 0598b37 4bb0869
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 20 17:32:08 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
Merge: e261c7b 0598b37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 17 22:57:36 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 17 22:57:07 2013 -0400

    Update to pax-linux-3.9.2-test6.patch:
    - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
    - fixed pfn extraction from pud/pgd entries, reported by ousado

 arch/x86/include/asm/pgtable.h |    9 +++++++--
 tools/gcc/structleak_plugin.c  |    3 ++-
 2 files changed, 9 insertions(+), 3 deletions(-)

commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 22:54:12 2013 -0400

    add offset to topdown check, fixes compilation

 arch/x86/kernel/sys_x86_64.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:57:41 2013 -0400

    CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
    reported by lulzh3ad on irc

 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0d4593e84707cdf6deb6b925c18c676a476b1613
Merge: 43cd0c0 39a877f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:39:11 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:37:35 2013 -0400

    Update to pax-linux-3.9.2-test105.patch:
    - fixed !EFI boot problem, reported by spender
    - fixed a few compile warnings
    - fixed some more compile errors due to constification
    - fixed some arm fallout, reported by Michael Tremer

 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/x86/kernel/sys_x86_64.c                       |    3 +--
 arch/x86/realmode/init.c                           |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +++++-----
 drivers/irqchip/irq-gic.c                          |    2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +++-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +++++++++---
 drivers/platform/x86/chromeos_laptop.c             |    2 +-
 fs/jfs/super.c                                     |    4 ++--
 include/linux/irqchip/arm-gic.h                    |    2 ++
 include/sound/compress_driver.h                    |    2 +-
 net/mac80211/cfg.c                                 |    4 ++--
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 14 files changed, 31 insertions(+), 22 deletions(-)

commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:35:22 2013 -0400

    Fix usercopy false positive under gcc 4.1

 arch/x86/kernel/signal.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 56a166129d817f6634c8c230e6ec497669bdfaca
Author: Amerigo Wang <amwang@redhat.com>
Date:   Thu May 9 21:56:37 2013 +0000

    Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
    
    ipv6,gre: do not leak info to user-space
    
    There is a hole in struct ip6_tnl_parm2, so we have to
    zero the struct on stack before copying it to user-space.
    
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_gre.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit d6f50dae2653ad912952da40417a8ccbd59c7699
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 14 16:52:35 2013 -0400

    disable unprivileged kernel profiling under HIDESYM, rename
    the variable to something more appropriate

 include/linux/perf_event.h |    8 ++++----
 kernel/events/core.c       |    6 +++++-
 kernel/sysctl.c            |    4 ++--
 3 files changed, 11 insertions(+), 7 deletions(-)

commit 01322c6951bed4eedefbd2178dbd99292b365d99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 17:19:57 2013 -0400

    mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
    existing stack-heap gap code for the new unified vm_unmapped_area

 grsecurity/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 15:40:32 2013 -0400

    fix NX fault on early boot

 arch/x86/realmode/init.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:48:13 2013 -0400

    compile fix, we weren't using %pa anyway and it's now being used
    by upstream for physical address printing

 lib/vsprintf.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:39:52 2013 -0400

    compile fix

 grsecurity/grsec_chroot.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:35:36 2013 -0400

    compile fixes

 grsecurity/grsec_chroot.c  |    2 +-
 include/linux/grinternal.h |    8 ++++----
 include/linux/grsecurity.h |    4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:27:18 2013 -0400

    compile fix

 fs/exec.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:23:17 2013 -0400

    Initial port of grsecurity for 3.9.2

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    9 +-
 arch/arm/kernel/process.c                          |    4 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   17 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/include/asm/thread_info.h             |    8 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/powerpc/mm/slice.c                            |    8 +-
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    8 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/defconfig                                  |    1 -
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/Kconfig.debug                             |    2 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |   14 +-
 arch/x86/kernel/sys_x86_64.c                       |    6 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |   16 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  126 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/usb/storage/realtek_cr.c                   |    2 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++--------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    8 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |   10 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  181 +-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  241 ++-
 fs/namespace.c                                     |   24 +
 fs/open.c                                          |   38 +
 fs/pipe.c                                          |    2 +-
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 +-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |   17 +
 fs/proc/internal.h                                 |    3 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 grsecurity/Kconfig                                 | 1031 +++++
 grsecurity/Makefile                                |   38 +
 grsecurity/gracl.c                                 | 4073 ++++++++++++++++++++
 grsecurity/gracl_alloc.c                           |  105 +
 grsecurity/gracl_cap.c                             |  110 +
 grsecurity/gracl_fs.c                              |  431 +++
 grsecurity/gracl_ip.c                              |  387 ++
 grsecurity/gracl_learn.c                           |  207 +
 grsecurity/gracl_res.c                             |   68 +
 grsecurity/gracl_segv.c                            |  305 ++
 grsecurity/gracl_shm.c                             |   40 +
 grsecurity/grsec_chdir.c                           |   19 +
 grsecurity/grsec_chroot.c                          |  370 ++
 grsecurity/grsec_disabled.c                        |  434 +++
 grsecurity/grsec_exec.c                            |  187 +
 grsecurity/grsec_fifo.c                            |   24 +
 grsecurity/grsec_fork.c                            |   23 +
 grsecurity/grsec_init.c                            |  283 ++
 grsecurity/grsec_link.c                            |   58 +
 grsecurity/grsec_log.c                             |  326 ++
 grsecurity/grsec_mem.c                             |   40 +
 grsecurity/grsec_mount.c                           |   62 +
 grsecurity/grsec_pax.c                             |   36 +
 grsecurity/grsec_ptrace.c                          |   30 +
 grsecurity/grsec_sig.c                             |  222 ++
 grsecurity/grsec_sock.c                            |  244 ++
 grsecurity/grsec_sysctl.c                          |  469 +++
 grsecurity/grsec_time.c                            |   16 +
 grsecurity/grsec_tpe.c                             |   73 +
 grsecurity/grsum.c                                 |   61 +
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/gracl.h                              |  319 ++
 include/linux/gralloc.h                            |    9 +
 include/linux/grdefs.h                             |  140 +
 include/linux/grinternal.h                         |  215 +
 include/linux/grmsg.h                              |  111 +
 include/linux/grsecurity.h                         |  242 ++
 include/linux/grsock.h                             |   19 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/netfilter/xt_gradm.h                 |    9 +
 include/linux/printk.h                             |    3 +-
 include/linux/proc_fs.h                            |   12 +
 include/linux/sched.h                              |   68 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/net/secure_seq.h                           |    1 +
 include/trace/events/fs.h                          |   53 +
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   71 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    4 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    8 +
 kernel/printk.c                                    |   13 +-
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    3 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 lib/vsprintf.c                                     |   35 +-
 localversion-grsec                                 |    1 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   64 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/shmem.c                                         |    2 +-
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/8021q/vlan.c                                   |    7 +
 net/core/dev_ioctl.c                               |    4 +
 net/core/net-procfs.c                              |    5 +
 net/core/secure_seq.c                              |    4 +-
 net/core/sock_diag.c                               |    7 +
 net/ipv4/af_inet.c                                 |    5 +-
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    7 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netfilter/xt_gradm.c                           |   51 +
 net/netrom/af_netrom.c                             |    2 +-
 net/phonet/af_phonet.c                             |    2 +-
 net/sctp/probe.c                                   |    2 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/tipc/link.c                                    |   11 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  342 ++-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 291 files changed, 15221 insertions(+), 2052 deletions(-)

commit 88854c350c899bceca4a94598c42bed44d0dc91b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 07:37:47 2013 -0400

    Initial import of pax-linux-3.9.2-test2.patch

 Documentation/dontdiff                           |   45 +-
 Documentation/kernel-parameters.txt              |   12 +
 Makefile                                         |  100 +-
 arch/alpha/include/asm/atomic.h                  |   10 +
 arch/alpha/include/asm/elf.h                     |    7 +
 arch/alpha/include/asm/pgalloc.h                 |    6 +
 arch/alpha/include/asm/pgtable.h                 |   11 +
 arch/alpha/kernel/module.c                       |    2 +-
 arch/alpha/kernel/osf_sys.c                      |    8 +-
 arch/alpha/mm/fault.c                            |  141 +-
 arch/arm/Kconfig                                 |    2 +-
 arch/arm/include/asm/atomic.h                    |  421 ++-
 arch/arm/include/asm/cache.h                     |    5 +-
 arch/arm/include/asm/cacheflush.h                |    2 +-
 arch/arm/include/asm/checksum.h                  |   14 +-
 arch/arm/include/asm/cmpxchg.h                   |    2 +
 arch/arm/include/asm/domain.h                    |   33 +-
 arch/arm/include/asm/elf.h                       |   13 +-
 arch/arm/include/asm/fncpy.h                     |    2 +
 arch/arm/include/asm/futex.h                     |   10 +
 arch/arm/include/asm/kmap_types.h                |    2 +-
 arch/arm/include/asm/mach/dma.h                  |    2 +-
 arch/arm/include/asm/mach/map.h                  |    7 +-
 arch/arm/include/asm/outercache.h                |    2 +-
 arch/arm/include/asm/page.h                      |    2 +-
 arch/arm/include/asm/pgalloc.h                   |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h      |    5 +
 arch/arm/include/asm/pgtable-2level.h            |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h      |    2 +
 arch/arm/include/asm/pgtable-3level.h            |    2 +
 arch/arm/include/asm/pgtable.h                   |   56 +-
 arch/arm/include/asm/proc-fns.h                  |    2 +-
 arch/arm/include/asm/processor.h                 |    5 +-
 arch/arm/include/asm/smp.h                       |    2 +-
 arch/arm/include/asm/thread_info.h               |    6 +-
 arch/arm/include/asm/uaccess.h                   |   92 +-
 arch/arm/include/uapi/asm/ptrace.h               |    2 +-
 arch/arm/kernel/armksyms.c                       |    6 +-
 arch/arm/kernel/entry-armv.S                     |  107 +-
 arch/arm/kernel/entry-common.S                   |   41 +-
 arch/arm/kernel/entry-header.S                   |   60 +
 arch/arm/kernel/fiq.c                            |    2 +
 arch/arm/kernel/head.S                           |    6 +-
 arch/arm/kernel/hw_breakpoint.c                  |    2 +-
 arch/arm/kernel/module.c                         |   29 +-
 arch/arm/kernel/patch.c                          |    2 +
 arch/arm/kernel/perf_event_cpu.c                 |    2 +-
 arch/arm/kernel/process.c                        |   15 +-
 arch/arm/kernel/setup.c                          |   22 +-
 arch/arm/kernel/signal.c                         |   24 +-
 arch/arm/kernel/smp.c                            |    2 +-
 arch/arm/kernel/traps.c                          |   15 +-
 arch/arm/kernel/vmlinux.lds.S                    |   22 +-
 arch/arm/lib/clear_user.S                        |    6 +-
 arch/arm/lib/copy_from_user.S                    |    6 +-
 arch/arm/lib/copy_page.S                         |    1 +
 arch/arm/lib/copy_to_user.S                      |    6 +-
 arch/arm/lib/csumpartialcopyuser.S               |    4 +-
 arch/arm/lib/delay.c                             |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c               |    2 +-
 arch/arm/mach-kirkwood/common.c                  |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                 |    2 +-
 arch/arm/mach-omap2/gpmc.c                       |   22 +-
 arch/arm/mach-omap2/omap-wakeupgen.c             |    2 +-
 arch/arm/mach-omap2/omap_device.c                |    4 +-
 arch/arm/mach-omap2/omap_device.h                |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                 |    4 +-
 arch/arm/mach-omap2/wd_timer.c                   |    6 +-
 arch/arm/mach-ux500/include/mach/setup.h         |    7 -
 arch/arm/mm/Kconfig                              |    3 +-
 arch/arm/mm/alignment.c                          |    8 +
 arch/arm/mm/fault.c                              |   91 +
 arch/arm/mm/fault.h                              |   12 +
 arch/arm/mm/init.c                               |   41 +
 arch/arm/mm/ioremap.c                            |    4 +-
 arch/arm/mm/mmap.c                               |   36 +-
 arch/arm/mm/mmu.c                                |  187 +-
 arch/arm/mm/proc-v7-2level.S                     |    3 +
 arch/arm/plat-omap/sram.c                        |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h     |    2 +-
 arch/arm64/kernel/debug-monitors.c               |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                |    2 +-
 arch/avr32/include/asm/elf.h                     |    8 +-
 arch/avr32/include/asm/kmap_types.h              |    4 +-
 arch/avr32/mm/fault.c                            |   27 +
 arch/frv/include/asm/atomic.h                    |   10 +
 arch/frv/include/asm/kmap_types.h                |    2 +-
 arch/frv/mm/elf-fdpic.c                          |    3 +-
 arch/ia64/include/asm/atomic.h                   |   10 +
 arch/ia64/include/asm/elf.h                      |    7 +
 arch/ia64/include/asm/pgalloc.h                  |   12 +
 arch/ia64/include/asm/pgtable.h                  |   13 +-
 arch/ia64/include/asm/spinlock.h                 |    2 +-
 arch/ia64/include/asm/uaccess.h                  |   26 +-
 arch/ia64/kernel/err_inject.c                    |    2 +-
 arch/ia64/kernel/mca.c                           |    2 +-
 arch/ia64/kernel/module.c                        |   48 +-
 arch/ia64/kernel/palinfo.c                       |    2 +-
 arch/ia64/kernel/salinfo.c                       |    2 +-
 arch/ia64/kernel/sys_ia64.c                      |    7 +
 arch/ia64/kernel/topology.c                      |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                   |    2 +-
 arch/ia64/mm/fault.c                             |   32 +-
 arch/ia64/mm/init.c                              |   13 +
 arch/m32r/lib/usercopy.c                         |    6 +
 arch/mips/include/asm/atomic.h                   |   14 +
 arch/mips/include/asm/elf.h                      |   11 +-
 arch/mips/include/asm/exec.h                     |    2 +-
 arch/mips/include/asm/page.h                     |    2 +-
 arch/mips/include/asm/pgalloc.h                  |    5 +
 arch/mips/kernel/binfmt_elfn32.c                 |    7 +
 arch/mips/kernel/binfmt_elfo32.c                 |    7 +
 arch/mips/kernel/process.c                       |   12 -
 arch/mips/mm/fault.c                             |   17 +
 arch/mips/mm/mmap.c                              |   51 +-
 arch/parisc/include/asm/atomic.h                 |   10 +
 arch/parisc/include/asm/elf.h                    |    7 +
 arch/parisc/include/asm/pgalloc.h                |    6 +
 arch/parisc/include/asm/pgtable.h                |   11 +
 arch/parisc/include/asm/uaccess.h                |    4 +-
 arch/parisc/kernel/module.c                      |   50 +-
 arch/parisc/kernel/sys_parisc.c                  |    9 +-
 arch/parisc/kernel/traps.c                       |    4 +-
 arch/parisc/mm/fault.c                           |  140 +-
 arch/powerpc/include/asm/atomic.h                |   10 +
 arch/powerpc/include/asm/elf.h                   |   19 +-
 arch/powerpc/include/asm/exec.h                  |    2 +-
 arch/powerpc/include/asm/kmap_types.h            |    2 +-
 arch/powerpc/include/asm/mman.h                  |    2 +-
 arch/powerpc/include/asm/page.h                  |    8 +-
 arch/powerpc/include/asm/page_64.h               |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h            |    7 +
 arch/powerpc/include/asm/pgtable.h               |    1 +
 arch/powerpc/include/asm/pte-hash32.h            |    1 +
 arch/powerpc/include/asm/reg.h                   |    1 +
 arch/powerpc/include/asm/smp.h                   |    2 +-
 arch/powerpc/include/asm/uaccess.h               |  140 +-
 arch/powerpc/kernel/exceptions-64e.S             |    4 +-
 arch/powerpc/kernel/exceptions-64s.S             |    2 +-
 arch/powerpc/kernel/module_32.c                  |   13 +-
 arch/powerpc/kernel/process.c                    |   55 -
 arch/powerpc/kernel/signal_32.c                  |    2 +-
 arch/powerpc/kernel/signal_64.c                  |    2 +-
 arch/powerpc/kernel/sysfs.c                      |    2 +-
 arch/powerpc/kernel/vdso.c                       |    5 +-
 arch/powerpc/lib/usercopy_64.c                   |   18 -
 arch/powerpc/mm/fault.c                          |   54 +-
 arch/powerpc/mm/mmap_64.c                        |   16 +
 arch/powerpc/mm/mmu_context_nohash.c             |    2 +-
 arch/powerpc/mm/numa.c                           |    2 +-
 arch/powerpc/mm/slice.c                          |   23 +-
 arch/powerpc/platforms/cell/spufs/file.c         |    4 +-
 arch/powerpc/platforms/powermac/smp.c            |    2 +-
 arch/s390/include/asm/atomic.h                   |   10 +
 arch/s390/include/asm/elf.h                      |   13 +-
 arch/s390/include/asm/exec.h                     |    2 +-
 arch/s390/include/asm/uaccess.h                  |   15 +-
 arch/s390/kernel/module.c                        |   22 +-
 arch/s390/kernel/process.c                       |   36 -
 arch/s390/mm/mmap.c                              |   24 +
 arch/score/include/asm/exec.h                    |    2 +-
 arch/score/kernel/process.c                      |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c               |    2 +-
 arch/sh/mm/mmap.c                                |   22 +-
 arch/sparc/include/asm/atomic_64.h               |  106 +-
 arch/sparc/include/asm/cache.h                   |    2 +-
 arch/sparc/include/asm/elf_32.h                  |    7 +
 arch/sparc/include/asm/elf_64.h                  |    7 +
 arch/sparc/include/asm/pgalloc_32.h              |    1 +
 arch/sparc/include/asm/pgalloc_64.h              |    1 +
 arch/sparc/include/asm/pgtable_32.h              |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                |    5 +
 arch/sparc/include/asm/spinlock_64.h             |   35 +-
 arch/sparc/include/asm/thread_info_32.h          |    2 +
 arch/sparc/include/asm/thread_info_64.h          |    2 +
 arch/sparc/include/asm/uaccess.h                 |    1 +
 arch/sparc/include/asm/uaccess_32.h              |   27 +-
 arch/sparc/include/asm/uaccess_64.h              |   19 +-
 arch/sparc/kernel/Makefile                       |    2 +-
 arch/sparc/kernel/prom_common.c                  |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                 |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                 |   48 +-
 arch/sparc/kernel/sysfs.c                        |    2 +-
 arch/sparc/kernel/traps_64.c                     |   13 +-
 arch/sparc/kernel/us3_cpufreq.c                  |   69 +-
 arch/sparc/lib/Makefile                          |    2 +-
 arch/sparc/lib/atomic_64.S                       |  136 +-
 arch/sparc/lib/ksyms.c                           |    6 +
 arch/sparc/mm/Makefile                           |    2 +-
 arch/sparc/mm/fault_32.c                         |  292 ++
 arch/sparc/mm/fault_64.c                         |  486 ++
 arch/sparc/mm/hugetlbpage.c                      |   21 +-
 arch/tile/include/asm/atomic_64.h                |   10 +
 arch/tile/include/asm/uaccess.h                  |    4 +-
 arch/um/Makefile                                 |    4 +
 arch/um/include/asm/kmap_types.h                 |    2 +-
 arch/um/include/asm/page.h                       |    3 +
 arch/um/include/asm/pgtable-3level.h             |    1 +
 arch/um/kernel/process.c                         |   16 -
 arch/x86/Kconfig                                 |   10 +-
 arch/x86/Kconfig.cpu                             |    6 +-
 arch/x86/Kconfig.debug                           |    6 +-
 arch/x86/Makefile                                |   10 +
 arch/x86/boot/Makefile                           |    3 +
 arch/x86/boot/bitops.h                           |    4 +-
 arch/x86/boot/boot.h                             |    4 +-
 arch/x86/boot/compressed/Makefile                |    3 +
 arch/x86/boot/compressed/eboot.c                 |    2 -
 arch/x86/boot/compressed/head_32.S               |    7 +-
 arch/x86/boot/compressed/head_64.S               |    8 +-
 arch/x86/boot/compressed/misc.c                  |    4 +-
 arch/x86/boot/cpucheck.c                         |   28 +-
 arch/x86/boot/header.S                           |    6 +-
 arch/x86/boot/memory.c                           |    2 +-
 arch/x86/boot/video-vesa.c                       |    1 +
 arch/x86/boot/video.c                            |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S              |    4 +
 arch/x86/crypto/aesni-intel_asm.S                |   21 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S         |    7 +
 arch/x86/crypto/camellia-x86_64-asm_64.S         |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S        |    7 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S        |    7 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S          |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S      |    7 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S     |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                 |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S      |    7 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S     |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S          |    3 +
 arch/x86/ia32/ia32_signal.c                      |   14 +-
 arch/x86/ia32/ia32entry.S                        |  141 +-
 arch/x86/ia32/sys_ia32.c                         |    6 +-
 arch/x86/include/asm/alternative-asm.h           |   39 +
 arch/x86/include/asm/alternative.h               |    4 +-
 arch/x86/include/asm/apic.h                      |    2 +-
 arch/x86/include/asm/apm.h                       |    4 +-
 arch/x86/include/asm/atomic.h                    |  307 ++-
 arch/x86/include/asm/atomic64_32.h               |  100 +
 arch/x86/include/asm/atomic64_64.h               |  202 +-
 arch/x86/include/asm/bitops.h                    |    4 +-
 arch/x86/include/asm/boot.h                      |    7 +-
 arch/x86/include/asm/cache.h                     |    5 +-
 arch/x86/include/asm/cacheflush.h                |    2 +-
 arch/x86/include/asm/checksum_32.h               |   12 +-
 arch/x86/include/asm/cmpxchg.h                   |   35 +
 arch/x86/include/asm/compat.h                    |    2 +-
 arch/x86/include/asm/cpufeature.h                |    4 +-
 arch/x86/include/asm/desc.h                      |   67 +-
 arch/x86/include/asm/desc_defs.h                 |    6 +
 arch/x86/include/asm/div64.h                     |    2 +-
 arch/x86/include/asm/elf.h                       |   31 +-
 arch/x86/include/asm/emergency-restart.h         |    2 +-
 arch/x86/include/asm/fpu-internal.h              |    6 +-
 arch/x86/include/asm/futex.h                     |   16 +-
 arch/x86/include/asm/hw_irq.h                    |    4 +-
 arch/x86/include/asm/i8259.h                     |    2 +-
 arch/x86/include/asm/io.h                        |   21 +-
 arch/x86/include/asm/irqflags.h                  |    5 +
 arch/x86/include/asm/kprobes.h                   |    9 +-
 arch/x86/include/asm/local.h                     |  142 +-
 arch/x86/include/asm/mman.h                      |   15 +
 arch/x86/include/asm/mmu.h                       |   16 +-
 arch/x86/include/asm/mmu_context.h               |   76 +-
 arch/x86/include/asm/module.h                    |   17 +-
 arch/x86/include/asm/nmi.h                       |    6 +-
 arch/x86/include/asm/page_64.h                   |    2 +-
 arch/x86/include/asm/paravirt.h                  |   46 +-
 arch/x86/include/asm/paravirt_types.h            |   17 +-
 arch/x86/include/asm/pgalloc.h                   |   23 +
 arch/x86/include/asm/pgtable-2level.h            |    2 +
 arch/x86/include/asm/pgtable-3level.h            |    4 +
 arch/x86/include/asm/pgtable.h                   |  113 +-
 arch/x86/include/asm/pgtable_32.h                |   14 +-
 arch/x86/include/asm/pgtable_32_types.h          |   15 +-
 arch/x86/include/asm/pgtable_64.h                |   19 +-
 arch/x86/include/asm/pgtable_64_types.h          |    5 +
 arch/x86/include/asm/pgtable_types.h             |   36 +-
 arch/x86/include/asm/processor.h                 |   39 +-
 arch/x86/include/asm/ptrace.h                    |   26 +-
 arch/x86/include/asm/realmode.h                  |    4 +-
 arch/x86/include/asm/reboot.h                    |   10 +-
 arch/x86/include/asm/rwsem.h                     |   60 +-
 arch/x86/include/asm/segment.h                   |   24 +-
 arch/x86/include/asm/smp.h                       |   14 +-
 arch/x86/include/asm/spinlock.h                  |   36 +-
 arch/x86/include/asm/stackprotector.h            |    4 +-
 arch/x86/include/asm/stacktrace.h                |   32 +-
 arch/x86/include/asm/switch_to.h                 |    4 +-
 arch/x86/include/asm/thread_info.h               |   83 +-
 arch/x86/include/asm/uaccess.h                   |   96 +-
 arch/x86/include/asm/uaccess_32.h                |  106 +-
 arch/x86/include/asm/uaccess_64.h                |  232 +-
 arch/x86/include/asm/word-at-a-time.h            |    2 +-
 arch/x86/include/asm/x86_init.h                  |   10 +-
 arch/x86/include/asm/xsave.h                     |   10 +-
 arch/x86/include/uapi/asm/e820.h                 |    2 +-
 arch/x86/kernel/Makefile                         |    2 +-
 arch/x86/kernel/acpi/boot.c                      |    4 +-
 arch/x86/kernel/acpi/sleep.c                     |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                 |    6 +-
 arch/x86/kernel/alternative.c                    |   65 +-
 arch/x86/kernel/apic/apic.c                      |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c              |    4 +-
 arch/x86/kernel/apic/apic_noop.c                 |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                 |    2 +-
 arch/x86/kernel/apic/es7000_32.c                 |    5 +-
 arch/x86/kernel/apic/io_apic.c                   |    8 +-
 arch/x86/kernel/apic/numaq_32.c                  |    3 +-
 arch/x86/kernel/apic/probe_32.c                  |    2 +-
 arch/x86/kernel/apic/summit_32.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c            |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c               |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c               |    2 +-
 arch/x86/kernel/apm_32.c                         |   19 +-
 arch/x86/kernel/asm-offsets.c                    |   20 +
 arch/x86/kernel/asm-offsets_64.c                 |    1 +
 arch/x86/kernel/cpu/Makefile                     |    4 -
 arch/x86/kernel/cpu/amd.c                        |    2 +-
 arch/x86/kernel/cpu/common.c                     |   75 +-
 arch/x86/kernel/cpu/intel.c                      |    2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c            |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                 |   31 +-
 arch/x86/kernel/cpu/mcheck/p5.c                  |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c         |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c             |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                  |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                  |    2 +-
 arch/x86/kernel/cpu/perf_event.c                 |    8 +-
 arch/x86/kernel/cpu/perf_event_intel.c           |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c    |    4 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h    |    2 +-
 arch/x86/kernel/cpuid.c                          |    2 +-
 arch/x86/kernel/crash.c                          |    4 +-
 arch/x86/kernel/doublefault_32.c                 |    8 +-
 arch/x86/kernel/dumpstack.c                      |   30 +-
 arch/x86/kernel/dumpstack_32.c                   |   34 +-
 arch/x86/kernel/dumpstack_64.c                   |   63 +-
 arch/x86/kernel/early_printk.c                   |    1 +
 arch/x86/kernel/entry_32.S                       |  354 ++-
 arch/x86/kernel/entry_64.S                       |  530 ++-
 arch/x86/kernel/ftrace.c                         |   14 +-
 arch/x86/kernel/head64.c                         |    1 -
 arch/x86/kernel/head_32.S                        |  237 +-
 arch/x86/kernel/head_64.S                        |  120 +-
 arch/x86/kernel/i386_ksyms_32.c                  |    8 +
 arch/x86/kernel/i387.c                           |    2 +-
 arch/x86/kernel/i8259.c                          |   10 +-
 arch/x86/kernel/io_delay.c                       |    2 +-
 arch/x86/kernel/ioport.c                         |    2 +-
 arch/x86/kernel/irq.c                            |    8 +-
 arch/x86/kernel/irq_32.c                         |   69 +-
 arch/x86/kernel/irq_64.c                         |    2 +-
 arch/x86/kernel/kdebugfs.c                       |    2 +-
 arch/x86/kernel/kgdb.c                           |   25 +-
 arch/x86/kernel/kprobes/core.c                   |   30 +-
 arch/x86/kernel/kprobes/opt.c                    |   16 +-
 arch/x86/kernel/kvm.c                            |    2 +-
 arch/x86/kernel/ldt.c                            |   31 +-
 arch/x86/kernel/machine_kexec_32.c               |    6 +-
 arch/x86/kernel/microcode_core.c                 |    2 +-
 arch/x86/kernel/microcode_intel.c                |    4 +-
 arch/x86/kernel/module.c                         |   76 +-
 arch/x86/kernel/msr.c                            |    2 +-
 arch/x86/kernel/nmi.c                            |   19 +-
 arch/x86/kernel/nmi_selftest.c                   |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c             |    2 +-
 arch/x86/kernel/paravirt.c                       |   43 +-
 arch/x86/kernel/pci-calgary_64.c                 |    2 +-
 arch/x86/kernel/pci-iommu_table.c                |    2 +-
 arch/x86/kernel/pci-swiotlb.c                    |    2 +-
 arch/x86/kernel/process.c                        |   57 +-
 arch/x86/kernel/process_32.c                     |   29 +-
 arch/x86/kernel/process_64.c                     |   15 +-
 arch/x86/kernel/ptrace.c                         |   25 +-
 arch/x86/kernel/pvclock.c                        |    8 +-
 arch/x86/kernel/reboot.c                         |   44 +-
 arch/x86/kernel/relocate_kernel_64.S             |    4 +-
 arch/x86/kernel/setup.c                          |   19 +-
 arch/x86/kernel/setup_percpu.c                   |   29 +-
 arch/x86/kernel/signal.c                         |   15 +-
 arch/x86/kernel/smp.c                            |    2 +-
 arch/x86/kernel/smpboot.c                        |   15 +-
 arch/x86/kernel/step.c                           |   10 +-
 arch/x86/kernel/sys_i386_32.c                    |  248 +
 arch/x86/kernel/sys_x86_64.c                     |   19 +-
 arch/x86/kernel/tboot.c                          |   14 +-
 arch/x86/kernel/time.c                           |   10 +-
 arch/x86/kernel/tls.c                            |    7 +-
 arch/x86/kernel/traps.c                          |   64 +-
 arch/x86/kernel/uprobes.c                        |    2 +-
 arch/x86/kernel/vm86_32.c                        |    6 +-
 arch/x86/kernel/vmlinux.lds.S                    |  148 +-
 arch/x86/kernel/vsyscall_64.c                    |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                 |    2 -
 arch/x86/kernel/x86_init.c                       |    8 +-
 arch/x86/kernel/xsave.c                          |    2 +
 arch/x86/kvm/cpuid.c                             |   21 +-
 arch/x86/kvm/emulate.c                           |    4 +-
 arch/x86/kvm/lapic.c                             |    2 +-
 arch/x86/kvm/paging_tmpl.h                       |    2 +-
 arch/x86/kvm/svm.c                               |    8 +
 arch/x86/kvm/vmx.c                               |   57 +-
 arch/x86/kvm/x86.c                               |   10 +-
 arch/x86/lguest/boot.c                           |    3 +-
 arch/x86/lib/atomic64_386_32.S                   |  164 +
 arch/x86/lib/atomic64_cx8_32.S                   |  103 +-
 arch/x86/lib/checksum_32.S                       |  100 +-
 arch/x86/lib/clear_page_64.S                     |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                    |    2 +
 arch/x86/lib/copy_page_64.S                      |   24 +-
 arch/x86/lib/copy_user_64.S                      |   47 +-
 arch/x86/lib/copy_user_nocache_64.S              |   20 +-
 arch/x86/lib/csum-copy_64.S                      |    2 +
 arch/x86/lib/csum-wrappers_64.c                  |    4 +-
 arch/x86/lib/getuser.S                           |   70 +-
 arch/x86/lib/insn.c                              |    6 +-
 arch/x86/lib/iomap_copy_64.S                     |    2 +
 arch/x86/lib/memcpy_64.S                         |   18 +-
 arch/x86/lib/memmove_64.S                        |   34 +-
 arch/x86/lib/memset_64.S                         |    7 +-
 arch/x86/lib/mmx_32.c                            |  243 +-
 arch/x86/lib/msr-reg.S                           |   18 +-
 arch/x86/lib/putuser.S                           |   90 +-
 arch/x86/lib/rwlock.S                            |   42 +
 arch/x86/lib/rwsem.S                             |    6 +-
 arch/x86/lib/thunk_64.S                          |    2 +
 arch/x86/lib/usercopy_32.c                       |  376 +-
 arch/x86/lib/usercopy_64.c                       |   25 +-
 arch/x86/mm/extable.c                            |   25 +-
 arch/x86/mm/fault.c                              |  556 ++-
 arch/x86/mm/gup.c                                |    2 +-
 arch/x86/mm/highmem_32.c                         |    4 +
 arch/x86/mm/hugetlbpage.c                        |   30 +-
 arch/x86/mm/init.c                               |   90 +-
 arch/x86/mm/init_32.c                            |  119 +-
 arch/x86/mm/init_64.c                            |   44 +-
 arch/x86/mm/iomap_32.c                           |    4 +
 arch/x86/mm/ioremap.c                            |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                |    4 +-
 arch/x86/mm/mmap.c                               |   41 +-
 arch/x86/mm/mmio-mod.c                           |   10 +-
 arch/x86/mm/numa.c                               |    2 +-
 arch/x86/mm/pageattr-test.c                      |    2 +-
 arch/x86/mm/pageattr.c                           |   33 +-
 arch/x86/mm/pat.c                                |   12 +-
 arch/x86/mm/pf_in.c                              |   10 +-
 arch/x86/mm/pgtable.c                            |  137 +-
 arch/x86/mm/pgtable_32.c                         |    3 +
 arch/x86/mm/physaddr.c                           |    4 +-
 arch/x86/mm/setup_nx.c                           |    7 +
 arch/x86/mm/tlb.c                                |    4 +
 arch/x86/net/bpf_jit.S                           |   14 +
 arch/x86/net/bpf_jit_comp.c                      |   37 +-
 arch/x86/oprofile/backtrace.c                    |    8 +-
 arch/x86/oprofile/nmi_int.c                      |    8 +-
 arch/x86/oprofile/op_model_amd.c                 |    8 +-
 arch/x86/oprofile/op_model_ppro.c                |    7 +-
 arch/x86/oprofile/op_x86_model.h                 |    2 +-
 arch/x86/pci/amd_bus.c                           |    2 +-
 arch/x86/pci/irq.c                               |    8 +-
 arch/x86/pci/mrst.c                              |    4 +-
 arch/x86/pci/pcbios.c                            |  144 +-
 arch/x86/platform/efi/efi_32.c                   |   19 +
 arch/x86/platform/efi/efi_stub_32.S              |   64 +-
 arch/x86/platform/efi/efi_stub_64.S              |    8 +
 arch/x86/platform/mrst/mrst.c                    |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                 |    2 +-
 arch/x86/power/cpu.c                             |    4 +-
 arch/x86/realmode/init.c                         |    8 +-
 arch/x86/realmode/rm/Makefile                    |    3 +
 arch/x86/realmode/rm/header.S                    |    4 +-
 arch/x86/realmode/rm/trampoline_32.S             |   12 +-
 arch/x86/realmode/rm/trampoline_64.S             |    2 +-
 arch/x86/tools/relocs.c                          |   95 +-
 arch/x86/vdso/Makefile                           |    2 +-
 arch/x86/vdso/vdso32-setup.c                     |   23 +-
 arch/x86/vdso/vma.c                              |   29 +-
 arch/x86/xen/enlighten.c                         |   47 +-
 arch/x86/xen/mmu.c                               |    9 +
 arch/x86/xen/smp.c                               |   18 +-
 arch/x86/xen/xen-asm_32.S                        |   12 +-
 arch/x86/xen/xen-head.S                          |   11 +
 arch/x86/xen/xen-ops.h                           |    2 -
 block/blk-iopoll.c                               |    4 +-
 block/blk-map.c                                  |    2 +-
 block/blk-softirq.c                              |    4 +-
 block/bsg.c                                      |   12 +-
 block/compat_ioctl.c                             |    2 +-
 block/partitions/efi.c                           |    8 +-
 block/scsi_ioctl.c                               |   27 +-
 crypto/cryptd.c                                  |    4 +-
 drivers/acpi/apei/apei-internal.h                |    2 +-
 drivers/acpi/apei/cper.c                         |    8 +-
 drivers/acpi/bgrt.c                              |    6 +-
 drivers/acpi/blacklist.c                         |    4 +-
 drivers/acpi/ec_sys.c                            |   12 +-
 drivers/acpi/processor_idle.c                    |    2 +-
 drivers/acpi/sysfs.c                             |    4 +-
 drivers/ata/libahci.c                            |    2 +-
 drivers/ata/libata-core.c                        |    8 +-
 drivers/ata/pata_arasan_cf.c                     |    4 +-
 drivers/atm/adummy.c                             |    2 +-
 drivers/atm/ambassador.c                         |    8 +-
 drivers/atm/atmtcp.c                             |   14 +-
 drivers/atm/eni.c                                |   10 +-
 drivers/atm/firestream.c                         |    8 +-
 drivers/atm/fore200e.c                           |   14 +-
 drivers/atm/he.c                                 |   18 +-
 drivers/atm/horizon.c                            |    4 +-
 drivers/atm/idt77252.c                           |   36 +-
 drivers/atm/iphase.c                             |   34 +-
 drivers/atm/lanai.c                              |   12 +-
 drivers/atm/nicstar.c                            |   46 +-
 drivers/atm/solos-pci.c                          |    4 +-
 drivers/atm/suni.c                               |    4 +-
 drivers/atm/uPD98402.c                           |   16 +-
 drivers/atm/zatm.c                               |    6 +-
 drivers/base/bus.c                               |    4 +-
 drivers/base/devtmpfs.c                          |    2 +-
 drivers/base/node.c                              |    2 +-
 drivers/base/power/domain.c                      |    4 +-
 drivers/base/power/wakeup.c                      |    8 +-
 drivers/base/syscore.c                           |    4 +-
 drivers/block/cciss.c                            |   28 +-
 drivers/block/cciss.h                            |    2 +-
 drivers/block/cpqarray.c                         |   28 +-
 drivers/block/cpqarray.h                         |    2 +-
 drivers/block/drbd/drbd_int.h                    |    6 +-
 drivers/block/drbd/drbd_main.c                   |    8 +-
 drivers/block/drbd/drbd_receiver.c               |   22 +-
 drivers/block/loop.c                             |    2 +-
 drivers/block/pktcdvd.c                          |    2 +-
 drivers/cdrom/cdrom.c                            |    9 +-
 drivers/cdrom/gdrom.c                            |    1 -
 drivers/char/agp/frontend.c                      |    2 +-
 drivers/char/hpet.c                              |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c              |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                 |    8 +-
 drivers/char/mem.c                               |   41 +-
 drivers/char/nvram.c                             |    2 +-
 drivers/char/pcmcia/synclink_cs.c                |   18 +-
 drivers/char/random.c                            |   10 +-
 drivers/char/sonypi.c                            |    9 +-
 drivers/char/tpm/tpm_acpi.c                      |    3 +-
 drivers/char/tpm/tpm_eventlog.c                  |    7 +-
 drivers/char/virtio_console.c                    |    4 +-
 drivers/clocksource/arm_arch_timer.c             |    2 +-
 drivers/clocksource/metag_generic.c              |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                   |   20 +-
 drivers/cpufreq/cpufreq.c                        |    9 +-
 drivers/cpufreq/cpufreq_governor.c               |    4 +-
 drivers/cpufreq/cpufreq_governor.h               |    2 +-
 drivers/cpufreq/cpufreq_stats.c                  |    2 +-
 drivers/cpufreq/p4-clockmod.c                    |   12 +-
 drivers/cpufreq/speedstep-centrino.c             |    7 +-
 drivers/cpuidle/cpuidle.c                        |    2 +-
 drivers/cpuidle/governor.c                       |    4 +-
 drivers/cpuidle/sysfs.c                          |    2 +-
 drivers/devfreq/devfreq.c                        |    4 +-
 drivers/dma/sh/shdma.c                           |    2 +-
 drivers/edac/edac_mc_sysfs.c                     |   12 +-
 drivers/edac/edac_pci_sysfs.c                    |   22 +-
 drivers/edac/mce_amd.h                           |    2 +-
 drivers/firewire/core-card.c                     |    2 +-
 drivers/firewire/core-cdev.c                     |    3 +-
 drivers/firewire/core-device.c                   |    2 +-
 drivers/firewire/core-transaction.c              |    1 +
 drivers/firewire/core.h                          |    1 +
 drivers/firmware/dmi-id.c                        |    2 +-
 drivers/firmware/dmi_scan.c                      |    7 +-
 drivers/firmware/efivars.c                       |    4 +-
 drivers/firmware/google/memconsole.c             |    4 +-
 drivers/gpio/gpio-ich.c                          |    2 +-
 drivers/gpio/gpio-vr41xx.c                       |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                |    2 +-
 drivers/gpu/drm/drm_drv.c                        |    6 +-
 drivers/gpu/drm/drm_fops.c                       |   18 +-
 drivers/gpu/drm/drm_global.c                     |   14 +-
 drivers/gpu/drm/drm_info.c                       |   14 +-
 drivers/gpu/drm/drm_ioc32.c                      |   13 +-
 drivers/gpu/drm/drm_ioctl.c                      |    2 +-
 drivers/gpu/drm/drm_lock.c                       |    4 +-
 drivers/gpu/drm/drm_stub.c                       |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                  |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c              |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                  |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c       |    6 +-
 drivers/gpu/drm/i915/i915_ioc32.c                |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                  |   22 +-
 drivers/gpu/drm/i915/intel_display.c             |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                    |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                  |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                    |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c           |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c            |    4 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c          |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c            |    2 +-
 drivers/gpu/drm/r128/r128_cce.c                  |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                  |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                  |    4 +-
 drivers/gpu/drm/r128/r128_state.c                |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c           |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h              |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c            |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c              |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c            |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c              |   37 +-
 drivers/gpu/drm/radeon/rs690.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c             |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                     |    1 -
 drivers/gpu/drm/via/via_drv.h                    |    4 +-
 drivers/gpu/drm/via/via_irq.c                    |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h              |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c             |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c           |    2 +-
 drivers/hid/hid-core.c                           |    4 +-
 drivers/hv/channel.c                             |    4 +-
 drivers/hv/hv.c                                  |    2 +-
 drivers/hv/hyperv_vmbus.h                        |    2 +-
 drivers/hv/vmbus_drv.c                           |    4 +-
 drivers/hwmon/acpi_power_meter.c                 |    4 +-
 drivers/hwmon/applesmc.c                         |    2 +-
 drivers/hwmon/asus_atk0110.c                     |   10 +-
 drivers/hwmon/coretemp.c                         |    2 +-
 drivers/hwmon/ibmaem.c                           |    2 +-
 drivers/hwmon/sht15.c                            |   12 +-
 drivers/hwmon/via-cputemp.c                      |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c            |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c           |    2 +-
 drivers/ide/ide-cd.c                             |    2 +-
 drivers/iio/industrialio-core.c                  |    2 +-
 drivers/infiniband/core/cm.c                     |   32 +-
 drivers/infiniband/core/fmr_pool.c               |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c           |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c          |    6 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c          |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c           |    2 +-
 drivers/infiniband/hw/nes/nes.c                  |    4 +-
 drivers/infiniband/hw/nes/nes.h                  |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c               |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c              |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c              |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c            |   10 +-
 drivers/infiniband/hw/qib/qib.h                  |    1 +
 drivers/input/gameport/gameport.c                |    4 +-
 drivers/input/input.c                            |    4 +-
 drivers/input/joystick/sidewinder.c              |    1 +
 drivers/input/joystick/xpad.c                    |    4 +-
 drivers/input/mouse/psmouse.h                    |    2 +-
 drivers/input/mousedev.c                         |    2 +-
 drivers/input/serio/serio.c                      |    4 +-
 drivers/iommu/iommu.c                            |    2 +-
 drivers/iommu/irq_remapping.c                    |   10 +-
 drivers/irqchip/irq-gic.c                        |    4 +-
 drivers/isdn/capi/capi.c                         |   10 +-
 drivers/isdn/gigaset/interface.c                 |    8 +-
 drivers/isdn/hardware/avm/b1.c                   |    4 +-
 drivers/isdn/i4l/isdn_tty.c                      |   22 +-
 drivers/isdn/icn/icn.c                           |    2 +-
 drivers/leds/leds-clevo-mail.c                   |    2 +-
 drivers/leds/leds-ss4200.c                       |    2 +-
 drivers/lguest/core.c                            |   10 +-
 drivers/lguest/page_tables.c                     |    2 +-
 drivers/lguest/x86/core.c                        |   12 +-
 drivers/lguest/x86/switcher_32.S                 |   27 +-
 drivers/md/bitmap.c                              |    2 +-
 drivers/md/dm-ioctl.c                            |    2 +-
 drivers/md/dm-raid1.c                            |   16 +-
 drivers/md/dm-stripe.c                           |   10 +-
 drivers/md/dm-table.c                            |    2 +-
 drivers/md/dm-thin-metadata.c                    |    4 +-
 drivers/md/dm.c                                  |   16 +-
 drivers/md/md.c                                  |   26 +-
 drivers/md/md.h                                  |    6 +-
 drivers/md/persistent-data/dm-space-map.h        |    1 +
 drivers/md/raid1.c                               |    4 +-
 drivers/md/raid10.c                              |   16 +-
 drivers/md/raid5.c                               |   10 +-
 drivers/media/dvb-core/dvbdev.c                  |    2 +-
 drivers/media/dvb-frontends/dib3000.h            |    2 +-
 drivers/media/pci/cx88/cx88-video.c              |    6 +-
 drivers/media/platform/omap/omap_vout.c          |   11 +-
 drivers/media/platform/s5p-tv/mixer.h            |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c  |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c        |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c      |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c   |    2 +-
 drivers/media/radio/radio-cadet.c                |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c               |    2 +-
 drivers/media/v4l2-core/v4l2-ioctl.c             |    5 +-
 drivers/message/fusion/mptsas.c                  |   34 +-
 drivers/message/fusion/mptscsih.c                |   19 +-
 drivers/message/i2o/i2o_proc.c                   |   51 +-
 drivers/message/i2o/iop.c                        |    8 +-
 drivers/mfd/janz-cmodio.c                        |    1 +
 drivers/mfd/twl4030-irq.c                        |    9 +-
 drivers/mfd/twl6030-irq.c                        |   10 +-
 drivers/misc/c2port/core.c                       |    4 +-
 drivers/misc/kgdbts.c                            |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c               |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h               |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                 |    8 +-
 drivers/misc/sgi-gru/grutables.h                 |  154 +-
 drivers/misc/sgi-xp/xp.h                         |    2 +-
 drivers/misc/sgi-xp/xpc.h                        |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                   |    4 +-
 drivers/mmc/core/mmc_ops.c                       |    2 +-
 drivers/mmc/host/dw_mmc.h                        |    2 +-
 drivers/mmc/host/sdhci-s3c.c                     |    8 +-
 drivers/mtd/devices/doc2000.c                    |    2 +-
 drivers/mtd/nand/denali.c                        |    1 +
 drivers/mtd/nftlmount.c                          |    1 +
 drivers/mtd/sm_ftl.c                             |    2 +-
 drivers/net/bonding/bond_main.c                  |    2 +-
 drivers/net/ethernet/8390/ax88796.c              |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h  |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c   |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h   |    3 +-
 drivers/net/ethernet/broadcom/tg3.h              |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h         |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c           |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c      |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c         |    2 +
 drivers/net/ethernet/faraday/ftmac100.c          |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c     |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c |    7 +-
 drivers/net/ethernet/realtek/r8169.c             |    8 +-
 drivers/net/ethernet/sfc/ptp.c                   |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c   |    4 +-
 drivers/net/hyperv/hyperv_net.h                  |    2 +-
 drivers/net/hyperv/rndis_filter.c                |    4 +-
 drivers/net/ieee802154/fakehard.c                |    2 +-
 drivers/net/macvlan.c                            |   18 +-
 drivers/net/macvtap.c                            |    2 +-
 drivers/net/ppp/ppp_generic.c                    |    4 +-
 drivers/net/slip/slhc.c                          |    2 +-
 drivers/net/team/team.c                          |    2 +-
 drivers/net/tun.c                                |    5 +-
 drivers/net/usb/hso.c                            |   23 +-
 drivers/net/vxlan.c                              |    2 +-
 drivers/net/wireless/at76c50x-usb.c              |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c      |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c      |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h              |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c         |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c       |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c        |    4 +-
 drivers/net/wireless/mac80211_hwsim.c            |   32 +-
 drivers/net/wireless/rndis_wlan.c                |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h             |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c        |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c            |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c            |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c            |    6 +-
 drivers/oprofile/buffer_sync.c                   |    8 +-
 drivers/oprofile/event_buffer.c                  |    2 +-
 drivers/oprofile/oprof.c                         |    2 +-
 drivers/oprofile/oprofile_files.c                |    2 +-
 drivers/oprofile/oprofile_stats.c                |   10 +-
 drivers/oprofile/oprofile_stats.h                |   10 +-
 drivers/oprofile/oprofilefs.c                    |    2 +-
 drivers/oprofile/timer_int.c                     |    2 +-
 drivers/parport/procfs.c                         |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c             |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c              |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c               |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c           |    6 +-
 drivers/pci/hotplug/pciehp_core.c                |    2 +-
 drivers/pci/pci-sysfs.c                          |    6 +-
 drivers/pci/pci.h                                |    2 +-
 drivers/pci/pcie/aspm.c                          |    6 +-
 drivers/pci/probe.c                              |    2 +-
 drivers/platform/x86/msi-laptop.c                |   14 +-
 drivers/platform/x86/sony-laptop.c               |    2 +-
 drivers/platform/x86/thinkpad_acpi.c             |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                  |   14 +-
 drivers/pnp/resource.c                           |    4 +-
 drivers/power/pda_power.c                        |    7 +-
 drivers/power/power_supply.h                     |    4 +-
 drivers/power/power_supply_core.c                |    7 +-
 drivers/power/power_supply_sysfs.c               |    6 +-
 drivers/regulator/max8660.c                      |    6 +-
 drivers/regulator/max8973-regulator.c            |    8 +-
 drivers/regulator/mc13892-regulator.c            |    6 +-
 drivers/rtc/rtc-cmos.c                           |    4 +-
 drivers/rtc/rtc-ds1307.c                         |    2 +-
 drivers/rtc/rtc-m48t59.c                         |    4 +-
 drivers/scsi/bfa/bfa_fcpim.h                     |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                       |    4 +-
 drivers/scsi/hosts.c                             |    4 +-
 drivers/scsi/hpsa.c                              |   30 +-
 drivers/scsi/hpsa.h                              |    2 +-
 drivers/scsi/libfc/fc_exch.c                     |   50 +-
 drivers/scsi/libsas/sas_ata.c                    |    2 +-
 drivers/scsi/lpfc/lpfc.h                         |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                 |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                    |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                    |   16 +-
 drivers/scsi/pmcraid.c                           |   20 +-
 drivers/scsi/pmcraid.h                           |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                  |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                   |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                    |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                   |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                    |    6 +-
 drivers/scsi/scsi.c                              |    2 +-
 drivers/scsi/scsi_lib.c                          |    6 +-
 drivers/scsi/scsi_sysfs.c                        |    2 +-
 drivers/scsi/scsi_tgt_lib.c                      |    2 +-
 drivers/scsi/scsi_transport_fc.c                 |    8 +-
 drivers/scsi/scsi_transport_iscsi.c              |    6 +-
 drivers/scsi/scsi_transport_srp.c                |    6 +-
 drivers/scsi/sd.c                                |    2 +-
 drivers/scsi/sg.c                                |    2 +-
 drivers/spi/spi.c                                |    2 +-
 drivers/staging/iio/iio_hwmon.c                  |    2 +-
 drivers/staging/octeon/ethernet-rx.c             |   12 +-
 drivers/staging/octeon/ethernet.c                |    8 +-
 drivers/staging/rtl8712/rtl871x_io.h             |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c               |    2 +-
 drivers/staging/usbip/vhci.h                     |    2 +-
 drivers/staging/usbip/vhci_hcd.c                 |    6 +-
 drivers/staging/usbip/vhci_rx.c                  |    2 +-
 drivers/staging/vt6655/hostap.c                  |    7 +-
 drivers/staging/vt6656/hostap.c                  |    7 +-
 drivers/staging/zcache/tmem.c                    |    4 +-
 drivers/staging/zcache/tmem.h                    |    2 +
 drivers/target/target_core_device.c              |    2 +-
 drivers/target/target_core_transport.c           |    2 +-
 drivers/tty/cyclades.c                           |    6 +-
 drivers/tty/hvc/hvc_console.c                    |   14 +-
 drivers/tty/hvc/hvcs.c                           |   21 +-
 drivers/tty/ipwireless/tty.c                     |   27 +-
 drivers/tty/moxa.c                               |    2 +-
 drivers/tty/n_gsm.c                              |    4 +-
 drivers/tty/n_tty.c                              |    3 +-
 drivers/tty/pty.c                                |    4 +-
 drivers/tty/rocket.c                             |    6 +-
 drivers/tty/serial/kgdboc.c                      |   32 +-
 drivers/tty/serial/samsung.c                     |    9 +-
 drivers/tty/serial/serial_core.c                 |    8 +-
 drivers/tty/synclink.c                           |   34 +-
 drivers/tty/synclink_gt.c                        |   28 +-
 drivers/tty/synclinkmp.c                         |   34 +-
 drivers/tty/tty_io.c                             |    2 +-
 drivers/tty/tty_ldisc.c                          |   10 +-
 drivers/tty/tty_port.c                           |   22 +-
 drivers/uio/uio.c                                |   21 +-
 drivers/usb/atm/cxacru.c                         |    2 +-
 drivers/usb/atm/usbatm.c                         |   24 +-
 drivers/usb/core/devices.c                       |    6 +-
 drivers/usb/core/hcd.c                           |    4 +-
 drivers/usb/core/message.c                       |    2 +-
 drivers/usb/core/sysfs.c                         |    2 +-
 drivers/usb/core/usb.c                           |    2 +-
 drivers/usb/early/ehci-dbgp.c                    |   16 +-
 drivers/usb/gadget/u_serial.c                    |   22 +-
 drivers/usb/serial/console.c                     |    6 +-
 drivers/usb/storage/usb.h                        |    2 +-
 drivers/usb/wusbcore/wa-hc.h                     |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                   |    2 +-
 drivers/video/aty/aty128fb.c                     |    2 +-
 drivers/video/aty/atyfb_base.c                   |    8 +-
 drivers/video/aty/mach64_cursor.c                |    5 +-
 drivers/video/backlight/kb3886_bl.c              |    2 +-
 drivers/video/fb_defio.c                         |    6 +-
 drivers/video/fbcmap.c                           |    3 +-
 drivers/video/fbmem.c                            |    6 +-
 drivers/video/i810/i810_accel.c                  |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c          |   16 +-
 drivers/video/nvidia/nvidia.c                    |   27 +-
 drivers/video/s1d13xxxfb.c                       |    6 +-
 drivers/video/smscufx.c                          |    4 +-
 drivers/video/udlfb.c                            |   36 +-
 drivers/video/uvesafb.c                          |   53 +-
 drivers/video/vesafb.c                           |   58 +-
 drivers/video/via/via_clock.h                    |    2 +-
 fs/9p/vfs_inode.c                                |    2 +-
 fs/Kconfig.binfmt                                |    2 +-
 fs/aio.c                                         |   11 +-
 fs/autofs4/waitq.c                               |    2 +-
 fs/befs/endian.h                                 |    4 +-
 fs/befs/linuxvfs.c                               |    2 +-
 fs/binfmt_aout.c                                 |   23 +-
 fs/binfmt_elf.c                                  |  605 +++-
 fs/binfmt_flat.c                                 |    6 +
 fs/bio.c                                         |    6 +-
 fs/block_dev.c                                   |    2 +-
 fs/btrfs/ctree.c                                 |    9 +-
 fs/btrfs/super.c                                 |    2 +-
 fs/cachefiles/bind.c                             |    6 +-
 fs/cachefiles/daemon.c                           |    8 +-
 fs/cachefiles/internal.h                         |   12 +-
 fs/cachefiles/namei.c                            |    2 +-
 fs/cachefiles/proc.c                             |   12 +-
 fs/cachefiles/rdwr.c                             |    2 +-
 fs/ceph/dir.c                                    |    2 +-
 fs/cifs/cifs_debug.c                             |   12 +-
 fs/cifs/cifsfs.c                                 |    8 +-
 fs/cifs/cifsglob.h                               |   54 +-
 fs/cifs/link.c                                   |    2 +-
 fs/cifs/misc.c                                   |    4 +-
 fs/cifs/smb1ops.c                                |   80 +-
 fs/cifs/smb2ops.c                                |   84 +-
 fs/cifs/smb2pdu.c                                |    3 +-
 fs/coda/cache.c                                  |   10 +-
 fs/compat.c                                      |    6 +-
 fs/compat_binfmt_elf.c                           |    2 +
 fs/compat_ioctl.c                                |    8 +-
 fs/configfs/dir.c                                |   10 +-
 fs/coredump.c                                    |   24 +-
 fs/dcache.c                                      |    2 +-
 fs/ecryptfs/inode.c                              |    4 +-
 fs/ecryptfs/miscdev.c                            |    2 +-
 fs/ecryptfs/read_write.c                         |    2 +-
 fs/exec.c                                        |  362 ++-
 fs/ext4/ext4.h                                   |   20 +-
 fs/ext4/mballoc.c                                |   44 +-
 fs/ext4/super.c                                  |    2 +-
 fs/fhandle.c                                     |    3 +-
 fs/fifo.c                                        |   22 +-
 fs/fs_struct.c                                   |    8 +-
 fs/fscache/cookie.c                              |   36 +-
 fs/fscache/internal.h                            |  196 +-
 fs/fscache/object.c                              |   28 +-
 fs/fscache/operation.c                           |   30 +-
 fs/fscache/page.c                                |  110 +-
 fs/fscache/stats.c                               |  344 +-
 fs/fuse/cuse.c                                   |   10 +-
 fs/fuse/dev.c                                    |    2 +-
 fs/fuse/dir.c                                    |    2 +-
 fs/gfs2/inode.c                                  |    2 +-
 fs/hugetlbfs/inode.c                             |   13 +-
 fs/inode.c                                       |    4 +-
 fs/jffs2/erase.c                                 |    3 +-
 fs/jffs2/wbuf.c                                  |    3 +-
 fs/jfs/super.c                                   |    6 +-
 fs/libfs.c                                       |   10 +-
 fs/lockd/clntproc.c                              |    4 +-
 fs/locks.c                                       |    8 +-
 fs/namei.c                                       |   15 +-
 fs/namespace.c                                   |    2 +-
 fs/nfs/callback_xdr.c                            |    2 +-
 fs/nfs/inode.c                                   |    6 +-
 fs/nfsd/nfs4proc.c                               |    2 +-
 fs/nfsd/nfs4xdr.c                                |    6 +-
 fs/nfsd/nfscache.c                               |    8 +-
 fs/nfsd/vfs.c                                    |    6 +-
 fs/nls/nls_base.c                                |   18 +-
 fs/nls/nls_euc-jp.c                              |    6 +-
 fs/nls/nls_koi8-ru.c                             |    6 +-
 fs/notify/fanotify/fanotify_user.c               |    4 +-
 fs/notify/notification.c                         |    4 +-
 fs/ntfs/dir.c                                    |    2 +-
 fs/ntfs/file.c                                   |    4 +-
 fs/ocfs2/localalloc.c                            |    2 +-
 fs/ocfs2/ocfs2.h                                 |   10 +-
 fs/ocfs2/suballoc.c                              |   12 +-
 fs/ocfs2/super.c                                 |   20 +-
 fs/pipe.c                                        |   33 +-
 fs/proc/array.c                                  |   20 +
 fs/proc/base.c                                   |    4 +-
 fs/proc/kcore.c                                  |   32 +-
 fs/proc/meminfo.c                                |    2 +-
 fs/proc/nommu.c                                  |    2 +-
 fs/proc/proc_sysctl.c                            |   18 +-
 fs/proc/self.c                                   |    2 +-
 fs/proc/task_mmu.c                               |   39 +-
 fs/proc/task_nommu.c                             |    4 +-
 fs/qnx6/qnx6.h                                   |    4 +-
 fs/quota/netlink.c                               |    4 +-
 fs/readdir.c                                     |    2 +-
 fs/reiserfs/do_balan.c                           |    2 +-
 fs/reiserfs/procfs.c                             |    2 +-
 fs/reiserfs/reiserfs.h                           |    4 +-
 fs/seq_file.c                                    |    2 +-
 fs/splice.c                                      |   36 +-
 fs/sysfs/bin.c                                   |    6 +-
 fs/sysfs/dir.c                                   |    2 +-
 fs/sysfs/file.c                                  |   10 +-
 fs/sysfs/symlink.c                               |    2 +-
 fs/sysv/sysv.h                                   |    2 +-
 fs/ubifs/io.c                                    |    2 +-
 fs/udf/misc.c                                    |    2 +-
 fs/ufs/swab.h                                    |    4 +-
 fs/xattr.c                                       |   21 +
 fs/xattr_acl.c                                   |    4 +-
 fs/xfs/xfs_bmap.c                                |    2 +-
 fs/xfs/xfs_dir2_sf.c                             |   10 +-
 fs/xfs/xfs_ioctl.c                               |    2 +-
 fs/xfs/xfs_iops.c                                |    2 +-
 include/asm-generic/4level-fixup.h               |    2 +
 include/asm-generic/atomic-long.h                |  210 +
 include/asm-generic/atomic.h                     |    2 +-
 include/asm-generic/atomic64.h                   |   12 +
 include/asm-generic/cache.h                      |    4 +-
 include/asm-generic/emergency-restart.h          |    2 +-
 include/asm-generic/kmap_types.h                 |    4 +-
 include/asm-generic/local.h                      |   13 +
 include/asm-generic/pgtable-nopmd.h              |   18 +-
 include/asm-generic/pgtable-nopud.h              |   15 +-
 include/asm-generic/pgtable.h                    |    8 +
 include/asm-generic/vmlinux.lds.h                |   10 +-
 include/crypto/algapi.h                          |    2 +-
 include/drm/drmP.h                               |   17 +-
 include/drm/drm_crtc_helper.h                    |    2 +-
 include/drm/ttm/ttm_memory.h                     |    2 +-
 include/keys/asymmetric-subtype.h                |    2 +-
 include/linux/atmdev.h                           |    4 +-
 include/linux/binfmts.h                          |    3 +-
 include/linux/blkdev.h                           |    2 +-
 include/linux/blktrace_api.h                     |    2 +-
 include/linux/cache.h                            |    4 +
 include/linux/cdrom.h                            |    1 -
 include/linux/cleancache.h                       |    2 +-
 include/linux/compat.h                           |    6 +-
 include/linux/compiler-gcc4.h                    |   20 +
 include/linux/compiler.h                         |   65 +-
 include/linux/completion.h                       |    6 +-
 include/linux/configfs.h                         |    2 +-
 include/linux/cpu.h                              |    2 +-
 include/linux/cpufreq.h                          |    3 +-
 include/linux/cpuidle.h                          |    5 +-
 include/linux/cpumask.h                          |   12 +-
 include/linux/crypto.h                           |    6 +-
 include/linux/ctype.h                            |    2 +-
 include/linux/decompress/mm.h                    |    2 +-
 include/linux/devfreq.h                          |    2 +-
 include/linux/device.h                           |    7 +-
 include/linux/dma-mapping.h                      |    2 +-
 include/linux/dmaengine.h                        |    4 +-
 include/linux/efi.h                              |    1 +
 include/linux/elf.h                              |    2 +
 include/linux/err.h                              |    4 +-
 include/linux/extcon.h                           |    2 +-
 include/linux/fb.h                               |    2 +-
 include/linux/filter.h                           |    4 +
 include/linux/frontswap.h                        |    2 +-
 include/linux/fs.h                               |    3 +-
 include/linux/fs_struct.h                        |    2 +-
 include/linux/fscache-cache.h                    |    4 +-
 include/linux/fscache.h                          |    2 +-
 include/linux/fsnotify.h                         |    2 +-
 include/linux/ftrace_event.h                     |    2 +-
 include/linux/genhd.h                            |    2 +-
 include/linux/genl_magic_func.h                  |    2 +-
 include/linux/gfp.h                              |   12 +-
 include/linux/highmem.h                          |   12 +
 include/linux/hwmon-sysfs.h                      |    5 +-
 include/linux/i2c.h                              |    1 +
 include/linux/i2o.h                              |    2 +-
 include/linux/if_pppox.h                         |    2 +-
 include/linux/init.h                             |   33 +-
 include/linux/init_task.h                        |    7 +
 include/linux/interrupt.h                        |    8 +-
 include/linux/iommu.h                            |    2 +-
 include/linux/ioport.h                           |    2 +-
 include/linux/irq.h                              |    3 +-
 include/linux/irqchip/arm-gic.h                  |    2 +-
 include/linux/key-type.h                         |    2 +-
 include/linux/kgdb.h                             |    6 +-
 include/linux/kobject.h                          |    3 +-
 include/linux/kobject_ns.h                       |    2 +-
 include/linux/kref.h                             |    2 +-
 include/linux/kvm_host.h                         |    4 +-
 include/linux/libata.h                           |    2 +-
 include/linux/list.h                             |   15 +
 include/linux/math64.h                           |    6 +-
 include/linux/mm.h                               |  110 +-
 include/linux/mm_types.h                         |   20 +
 include/linux/mmiotrace.h                        |    4 +-
 include/linux/mmzone.h                           |    2 +-
 include/linux/mod_devicetable.h                  |    6 +-
 include/linux/module.h                           |   60 +-
 include/linux/moduleloader.h                     |   16 +
 include/linux/moduleparam.h                      |    4 +-
 include/linux/namei.h                            |    6 +-
 include/linux/net.h                              |    2 +-
 include/linux/netdevice.h                        |    3 +-
 include/linux/netfilter.h                        |    2 +-
 include/linux/netfilter/ipset/ip_set.h           |    2 +-
 include/linux/netfilter/nfnetlink.h              |    2 +-
 include/linux/nls.h                              |    2 +-
 include/linux/notifier.h                         |    3 +-
 include/linux/oprofile.h                         |    4 +-
 include/linux/pci_hotplug.h                      |    3 +-
 include/linux/perf_event.h                       |   12 +-
 include/linux/pipe_fs_i.h                        |    6 +-
 include/linux/platform_data/usb-ehci-s5p.h       |    2 +-
 include/linux/platform_data/usb-exynos.h         |    2 +-
 include/linux/pm_domain.h                        |    2 +-
 include/linux/pm_runtime.h                       |    2 +-
 include/linux/pnp.h                              |    2 +-
 include/linux/poison.h                           |    4 +-
 include/linux/power/smartreflex.h                |    2 +-
 include/linux/ppp-comp.h                         |    2 +-
 include/linux/proc_fs.h                          |    2 +-
 include/linux/random.h                           |    5 +
 include/linux/rculist.h                          |   16 +
 include/linux/reboot.h                           |   14 +-
 include/linux/regset.h                           |    3 +-
 include/linux/relay.h                            |    2 +-
 include/linux/rio.h                              |    2 +-
 include/linux/rmap.h                             |    4 +-
 include/linux/sched.h                            |   67 +-
 include/linux/sched/sysctl.h                     |    1 +
 include/linux/seq_file.h                         |    1 +
 include/linux/skbuff.h                           |   12 +-
 include/linux/slab.h                             |   36 +-
 include/linux/slab_def.h                         |   33 +-
 include/linux/slob_def.h                         |    4 +-
 include/linux/slub_def.h                         |   10 +-
 include/linux/sock_diag.h                        |    2 +-
 include/linux/sonet.h                            |    2 +-
 include/linux/sunrpc/addr.h                      |    8 +-
 include/linux/sunrpc/clnt.h                      |    2 +-
 include/linux/sunrpc/svc.h                       |    2 +-
 include/linux/sunrpc/svc_rdma.h                  |   18 +-
 include/linux/sunrpc/svcauth.h                   |    2 +-
 include/linux/swiotlb.h                          |    3 +-
 include/linux/syscalls.h                         |    2 +-
 include/linux/syscore_ops.h                      |    2 +-
 include/linux/sysctl.h                           |    6 +-
 include/linux/sysfs.h                            |   10 +-
 include/linux/sysrq.h                            |    3 +-
 include/linux/thread_info.h                      |    7 +
 include/linux/tty.h                              |    4 +-
 include/linux/tty_driver.h                       |    2 +-
 include/linux/tty_ldisc.h                        |    2 +-
 include/linux/types.h                            |   16 +
 include/linux/uaccess.h                          |    6 +-
 include/linux/unaligned/access_ok.h              |   24 +-
 include/linux/usb.h                              |    4 +-
 include/linux/usb/renesas_usbhs.h                |    2 +-
 include/linux/vermagic.h                         |   21 +-
 include/linux/vmalloc.h                          |   11 +-
 include/linux/vmstat.h                           |   20 +-
 include/linux/xattr.h                            |    5 +-
 include/linux/zlib.h                             |    3 +-
 include/media/v4l2-dev.h                         |    2 +-
 include/media/v4l2-ioctl.h                       |    1 -
 include/net/9p/transport.h                       |    2 +-
 include/net/bluetooth/l2cap.h                    |    2 +-
 include/net/caif/cfctrl.h                        |    6 +-
 include/net/flow.h                               |    2 +-
 include/net/genetlink.h                          |    2 +-
 include/net/gro_cells.h                          |    2 +-
 include/net/inet_connection_sock.h               |    2 +-
 include/net/inetpeer.h                           |    8 +-
 include/net/ip.h                                 |    2 +-
 include/net/ip_fib.h                             |    2 +-
 include/net/ip_vs.h                              |    8 +-
 include/net/irda/ircomm_tty.h                    |    1 +
 include/net/iucv/af_iucv.h                       |    2 +-
 include/net/llc_c_ac.h                           |    2 +-
 include/net/llc_c_ev.h                           |    4 +-
 include/net/llc_c_st.h                           |    2 +-
 include/net/llc_s_ac.h                           |    2 +-
 include/net/llc_s_st.h                           |    2 +-
 include/net/mac80211.h                           |    2 +-
 include/net/neighbour.h                          |    2 +-
 include/net/net_namespace.h                      |   12 +-
 include/net/netdma.h                             |    2 +-
 include/net/netlink.h                            |    2 +-
 include/net/netns/conntrack.h                    |    6 +-
 include/net/netns/ipv4.h                         |    2 +-
 include/net/protocol.h                           |    4 +-
 include/net/rtnetlink.h                          |    2 +-
 include/net/sctp/sctp.h                          |    6 +-
 include/net/sctp/sm.h                            |    4 +-
 include/net/sctp/structs.h                       |    2 +-
 include/net/sock.h                               |    6 +-
 include/net/tcp.h                                |    8 +-
 include/net/xfrm.h                               |    8 +-
 include/rdma/iw_cm.h                             |    2 +-
 include/scsi/libfc.h                             |    3 +-
 include/scsi/scsi_device.h                       |    6 +-
 include/scsi/scsi_transport_fc.h                 |    3 +-
 include/sound/soc.h                              |    4 +-
 include/target/target_core_base.h                |    2 +-
 include/trace/events/irq.h                       |    4 +-
 include/uapi/linux/a.out.h                       |    8 +
 include/uapi/linux/byteorder/little_endian.h     |   28 +-
 include/uapi/linux/elf.h                         |   28 +
 include/uapi/linux/screen_info.h                 |    3 +-
 include/uapi/linux/swab.h                        |    6 +-
 include/uapi/linux/sysctl.h                      |    6 +-
 include/uapi/linux/xattr.h                       |    4 +
 include/video/udlfb.h                            |    8 +-
 include/video/uvesafb.h                          |    1 +
 init/Kconfig                                     |    2 +-
 init/Makefile                                    |    3 +
 init/do_mounts.c                                 |   14 +-
 init/do_mounts.h                                 |    8 +-
 init/do_mounts_initrd.c                          |   22 +-
 init/do_mounts_md.c                              |    6 +-
 init/init_task.c                                 |    4 +
 init/initramfs.c                                 |   40 +-
 init/main.c                                      |   77 +-
 ipc/ipc_sysctl.c                                 |   10 +-
 ipc/mq_sysctl.c                                  |    2 +-
 ipc/msg.c                                        |   11 +-
 ipc/sem.c                                        |   11 +-
 ipc/shm.c                                        |   17 +-
 kernel/acct.c                                    |    2 +-
 kernel/audit.c                                   |    8 +-
 kernel/auditsc.c                                 |    4 +-
 kernel/capability.c                              |    3 +
 kernel/compat.c                                  |   40 +-
 kernel/debug/debug_core.c                        |   16 +-
 kernel/debug/kdb/kdb_main.c                      |    4 +-
 kernel/events/core.c                             |   28 +-
 kernel/exit.c                                    |    4 +-
 kernel/fork.c                                    |  167 +-
 kernel/futex.c                                   |    9 +
 kernel/futex_compat.c                            |    2 +-
 kernel/gcov/base.c                               |    7 +-
 kernel/hrtimer.c                                 |    4 +-
 kernel/irq_work.c                                |    7 +-
 kernel/jump_label.c                              |    5 +
 kernel/kallsyms.c                                |   39 +-
 kernel/kexec.c                                   |    3 +-
 kernel/kmod.c                                    |    4 +-
 kernel/kprobes.c                                 |    8 +-
 kernel/ksysfs.c                                  |    2 +-
 kernel/lockdep.c                                 |    7 +-
 kernel/module.c                                  |  337 +-
 kernel/mutex-debug.c                             |   12 +-
 kernel/mutex-debug.h                             |    4 +-
 kernel/mutex.c                                   |    7 +-
 kernel/notifier.c                                |   17 +-
 kernel/panic.c                                   |    3 +-
 kernel/pid.c                                     |    2 +-
 kernel/pid_namespace.c                           |    2 +-
 kernel/posix-cpu-timers.c                        |    4 +-
 kernel/posix-timers.c                            |   20 +-
 kernel/power/process.c                           |   12 +-
 kernel/profile.c                                 |   14 +-
 kernel/ptrace.c                                  |    8 +-
 kernel/rcupdate.c                                |    4 +-
 kernel/rcutiny.c                                 |    4 +-
 kernel/rcutiny_plugin.h                          |    2 +-
 kernel/rcutorture.c                              |   56 +-
 kernel/rcutree.c                                 |   68 +-
 kernel/rcutree.h                                 |   24 +-
 kernel/rcutree_plugin.h                          |   20 +-
 kernel/rcutree_trace.c                           |   22 +-
 kernel/rtmutex-tester.c                          |   24 +-
 kernel/sched/auto_group.c                        |    4 +-
 kernel/sched/core.c                              |   51 +-
 kernel/sched/fair.c                              |    4 +-
 kernel/signal.c                                  |   12 +-
 kernel/smp.c                                     |    2 +-
 kernel/smpboot.c                                 |    4 +-
 kernel/softirq.c                                 |   18 +-
 kernel/srcu.c                                    |    4 +-
 kernel/sys.c                                     |   10 +-
 kernel/sysctl.c                                  |   39 +-
 kernel/time.c                                    |    2 +-
 kernel/time/alarmtimer.c                         |    2 +-
 kernel/time/tick-broadcast.c                     |    2 +-
 kernel/time/timer_stats.c                        |   10 +-
 kernel/timer.c                                   |    6 +-
 kernel/trace/blktrace.c                          |    6 +-
 kernel/trace/ftrace.c                            |   20 +-
 kernel/trace/ring_buffer.c                       |   76 +-
 kernel/trace/trace.c                             |    8 +-
 kernel/trace/trace.h                             |    2 +-
 kernel/trace/trace_events.c                      |   25 +-
 kernel/trace/trace_mmiotrace.c                   |    8 +-
 kernel/trace/trace_output.c                      |   12 +-
 kernel/trace/trace_stack.c                       |    2 +-
 kernel/user_namespace.c                          |    2 +-
 kernel/utsname_sysctl.c                          |    2 +-
 kernel/watchdog.c                                |    2 +-
 lib/Kconfig.debug                                |    6 +-
 lib/Makefile                                     |    2 +-
 lib/bitmap.c                                     |    8 +-
 lib/bug.c                                        |    2 +
 lib/debugobjects.c                               |    2 +-
 lib/devres.c                                     |    4 +-
 lib/div64.c                                      |    4 +-
 lib/dma-debug.c                                  |    4 +-
 lib/inflate.c                                    |    2 +-
 lib/ioremap.c                                    |    4 +-
 lib/kobject.c                                    |    4 +-
 lib/list_debug.c                                 |  126 +-
 lib/radix-tree.c                                 |    2 +-
 lib/strncpy_from_user.c                          |    2 +-
 lib/strnlen_user.c                               |    2 +-
 lib/swiotlb.c                                    |    2 +-
 lib/vsprintf.c                                   |   12 +-
 mm/Kconfig                                       |    6 +-
 mm/filemap.c                                     |    2 +-
 mm/fremap.c                                      |    5 +
 mm/highmem.c                                     |    7 +-
 mm/hugetlb.c                                     |   70 +-
 mm/internal.h                                    |    1 +
 mm/maccess.c                                     |    4 +-
 mm/madvise.c                                     |   41 +
 mm/memory-failure.c                              |   26 +-
 mm/memory.c                                      |  424 ++-
 mm/mempolicy.c                                   |   26 +
 mm/mlock.c                                       |   16 +-
 mm/mmap.c                                        |  576 ++-
 mm/mprotect.c                                    |  139 +-
 mm/mremap.c                                      |   44 +-
 mm/nommu.c                                       |   21 +-
 mm/page-writeback.c                              |    4 +-
 mm/page_alloc.c                                  |   41 +-
 mm/percpu.c                                      |    2 +-
 mm/process_vm_access.c                           |   14 +-
 mm/rmap.c                                        |   38 +-
 mm/shmem.c                                       |   19 +-
 mm/slab.c                                        |  105 +-
 mm/slab.h                                        |    5 +-
 mm/slab_common.c                                 |   11 +-
 mm/slob.c                                        |  201 +-
 mm/slub.c                                        |   99 +-
 mm/sparse-vmemmap.c                              |    4 +-
 mm/sparse.c                                      |    2 +-
 mm/swap.c                                        |    3 +
 mm/swapfile.c                                    |   12 +-
 mm/util.c                                        |    6 +
 mm/vmalloc.c                                     |   82 +-
 mm/vmstat.c                                      |   12 +-
 net/8021q/vlan.c                                 |    5 +-
 net/9p/mod.c                                     |    4 +-
 net/9p/trans_fd.c                                |    2 +-
 net/atm/atm_misc.c                               |    8 +-
 net/atm/lec.h                                    |    2 +-
 net/atm/proc.c                                   |    6 +-
 net/atm/resources.c                              |    4 +-
 net/ax25/sysctl_net_ax25.c                       |    2 +-
 net/batman-adv/bat_iv_ogm.c                      |    8 +-
 net/batman-adv/hard-interface.c                  |    4 +-
 net/batman-adv/soft-interface.c                  |    4 +-
 net/batman-adv/types.h                           |    6 +-
 net/batman-adv/unicast.c                         |    2 +-
 net/bluetooth/hci_sock.c                         |    2 +-
 net/bluetooth/l2cap_core.c                       |    6 +-
 net/bluetooth/l2cap_sock.c                       |   12 +-
 net/bluetooth/rfcomm/sock.c                      |    4 +-
 net/bluetooth/rfcomm/tty.c                       |   10 +-
 net/bridge/netfilter/ebtables.c                  |    6 +-
 net/caif/cfctrl.c                                |   11 +-
 net/can/af_can.c                                 |    2 +-
 net/can/gw.c                                     |    6 +-
 net/compat.c                                     |   34 +-
 net/core/datagram.c                              |    2 +-
 net/core/dev.c                                   |   16 +-
 net/core/flow.c                                  |    8 +-
 net/core/iovec.c                                 |    4 +-
 net/core/neighbour.c                             |    2 +-
 net/core/net-sysfs.c                             |    2 +-
 net/core/net_namespace.c                         |    8 +-
 net/core/rtnetlink.c                             |   13 +-
 net/core/scm.c                                   |    8 +-
 net/core/sock.c                                  |   24 +-
 net/core/sock_diag.c                             |    9 +-
 net/core/sysctl_net_core.c                       |   18 +-
 net/decnet/af_decnet.c                           |    1 +
 net/decnet/sysctl_net_decnet.c                   |    4 +-
 net/ipv4/af_inet.c                               |    8 +-
 net/ipv4/ah4.c                                   |    2 +-
 net/ipv4/devinet.c                               |   14 +-
 net/ipv4/esp4.c                                  |    2 +-
 net/ipv4/fib_frontend.c                          |    6 +-
 net/ipv4/fib_semantics.c                         |    2 +-
 net/ipv4/inet_connection_sock.c                  |    2 +-
 net/ipv4/inetpeer.c                              |    4 +-
 net/ipv4/ip_fragment.c                           |   15 +-
 net/ipv4/ip_gre.c                                |    6 +-
 net/ipv4/ip_sockglue.c                           |    2 +-
 net/ipv4/ip_vti.c                                |    4 +-
 net/ipv4/ipcomp.c                                |    2 +-
 net/ipv4/ipconfig.c                              |    6 +-
 net/ipv4/ipip.c                                  |    4 +-
 net/ipv4/netfilter/arp_tables.c                  |   12 +-
 net/ipv4/netfilter/ip_tables.c                   |   12 +-
 net/ipv4/ping.c                                  |    2 +-
 net/ipv4/raw.c                                   |   14 +-
 net/ipv4/route.c                                 |   18 +-
 net/ipv4/sysctl_net_ipv4.c                       |   45 +-
 net/ipv4/tcp_input.c                             |    2 +-
 net/ipv4/tcp_probe.c                             |    2 +-
 net/ipv4/udp.c                                   |   10 +-
 net/ipv4/xfrm4_policy.c                          |   14 +-
 net/ipv6/addrconf.c                              |    6 +-
 net/ipv6/icmp.c                                  |    2 +-
 net/ipv6/ip6_gre.c                               |    8 +-
 net/ipv6/ip6_tunnel.c                            |    4 +-
 net/ipv6/ipv6_sockglue.c                         |    2 +-
 net/ipv6/netfilter/ip6_tables.c                  |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c          |   14 +-
 net/ipv6/raw.c                                   |   19 +-
 net/ipv6/reassembly.c                            |   13 +-
 net/ipv6/route.c                                 |    2 +-
 net/ipv6/sit.c                                   |    4 +-
 net/ipv6/sysctl_net_ipv6.c                       |    2 +-
 net/ipv6/udp.c                                   |    8 +-
 net/ipv6/xfrm6_policy.c                          |   13 +-
 net/irda/ircomm/ircomm_tty.c                     |   18 +-
 net/iucv/af_iucv.c                               |    4 +-
 net/iucv/iucv.c                                  |    2 +-
 net/key/af_key.c                                 |    4 +-
 net/mac80211/cfg.c                               |    8 +-
 net/mac80211/ieee80211_i.h                       |    3 +-
 net/mac80211/iface.c                             |   14 +-
 net/mac80211/main.c                              |    2 +-
 net/mac80211/pm.c                                |    6 +-
 net/mac80211/rate.c                              |    2 +-
 net/mac80211/rc80211_pid_debugfs.c               |    2 +-
 net/mac80211/util.c                              |    2 +-
 net/netfilter/ipset/ip_set_core.c                |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                  |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                   |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                 |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                  |    4 +-
 net/netfilter/nf_conntrack_acct.c                |    2 +-
 net/netfilter/nf_conntrack_ecache.c              |    2 +-
 net/netfilter/nf_conntrack_helper.c              |    2 +-
 net/netfilter/nf_conntrack_proto.c               |    2 +-
 net/netfilter/nf_conntrack_standalone.c          |    2 +-
 net/netfilter/nf_conntrack_timestamp.c           |    2 +-
 net/netfilter/nf_log.c                           |   10 +-
 net/netfilter/nf_sockopt.c                       |    4 +-
 net/netfilter/nfnetlink_log.c                    |    4 +-
 net/netfilter/xt_statistic.c                     |    8 +-
 net/netlink/af_netlink.c                         |    4 +-
 net/netlink/genetlink.c                          |   16 +-
 net/packet/af_packet.c                           |   12 +-
 net/phonet/pep.c                                 |    6 +-
 net/phonet/socket.c                              |    2 +-
 net/phonet/sysctl.c                              |    2 +-
 net/rds/cong.c                                   |    6 +-
 net/rds/ib.h                                     |    2 +-
 net/rds/ib_cm.c                                  |    2 +-
 net/rds/ib_recv.c                                |    4 +-
 net/rds/iw.h                                     |    2 +-
 net/rds/iw_cm.c                                  |    2 +-
 net/rds/iw_recv.c                                |    4 +-
 net/rds/rds.h                                    |    2 +-
 net/rds/tcp.c                                    |    2 +-
 net/rds/tcp_send.c                               |    2 +-
 net/rxrpc/af_rxrpc.c                             |    2 +-
 net/rxrpc/ar-ack.c                               |   14 +-
 net/rxrpc/ar-call.c                              |    2 +-
 net/rxrpc/ar-connection.c                        |    2 +-
 net/rxrpc/ar-connevent.c                         |    2 +-
 net/rxrpc/ar-input.c                             |    4 +-
 net/rxrpc/ar-internal.h                          |    8 +-
 net/rxrpc/ar-local.c                             |    2 +-
 net/rxrpc/ar-output.c                            |    4 +-
 net/rxrpc/ar-peer.c                              |    2 +-
 net/rxrpc/ar-proc.c                              |    4 +-
 net/rxrpc/ar-transport.c                         |    2 +-
 net/rxrpc/rxkad.c                                |    4 +-
 net/sctp/ipv6.c                                  |    6 +-
 net/sctp/protocol.c                              |   10 +-
 net/sctp/sm_sideeffect.c                         |    2 +-
 net/sctp/socket.c                                |   21 +-
 net/sctp/sysctl.c                                |    4 +-
 net/socket.c                                     |   18 +-
 net/sunrpc/clnt.c                                |    4 +-
 net/sunrpc/sched.c                               |    4 +-
 net/sunrpc/svc.c                                 |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                   |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c          |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c            |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c         |   10 +-
 net/tipc/link.c                                  |    6 +-
 net/tipc/msg.c                                   |    2 +-
 net/tipc/subscr.c                                |    2 +-
 net/unix/sysctl_net_unix.c                       |    2 +-
 net/wireless/wext-core.c                         |   19 +-
 net/xfrm/xfrm_policy.c                           |   27 +-
 net/xfrm/xfrm_state.c                            |   29 +-
 net/xfrm/xfrm_sysctl.c                           |    2 +-
 scripts/Makefile.build                           |    2 +-
 scripts/Makefile.clean                           |    3 +-
 scripts/Makefile.host                            |   28 +-
 scripts/basic/fixdep.c                           |   12 +-
 scripts/gcc-plugin.sh                            |   17 +
 scripts/headers_install.pl                       |    1 +
 scripts/link-vmlinux.sh                          |    2 +-
 scripts/mod/file2alias.c                         |   14 +-
 scripts/mod/modpost.c                            |   25 +-
 scripts/mod/modpost.h                            |    6 +-
 scripts/mod/sumversion.c                         |    2 +-
 scripts/package/builddeb                         |    1 +
 scripts/pnmtologo.c                              |    6 +-
 scripts/sortextable.h                            |    6 +-
 security/Kconfig                                 |  675 +++-
 security/apparmor/lsm.c                          |    2 +-
 security/integrity/ima/ima.h                     |    4 +-
 security/integrity/ima/ima_api.c                 |    2 +-
 security/integrity/ima/ima_fs.c                  |    4 +-
 security/integrity/ima/ima_queue.c               |    2 +-
 security/keys/compat.c                           |    2 +-
 security/keys/key.c                              |   18 +-
 security/keys/keyctl.c                           |    8 +-
 security/keys/keyring.c                          |    6 +-
 security/security.c                              |    9 +-
 security/selinux/hooks.c                         |    2 +-
 security/selinux/include/xfrm.h                  |    2 +-
 security/smack/smack_lsm.c                       |    2 +-
 security/tomoyo/tomoyo.c                         |    2 +-
 security/yama/yama_lsm.c                         |   22 +-
 sound/aoa/codecs/onyx.c                          |    7 +-
 sound/aoa/codecs/onyx.h                          |    1 +
 sound/core/oss/pcm_oss.c                         |   18 +-
 sound/core/pcm_compat.c                          |    2 +-
 sound/core/pcm_native.c                          |    4 +-
 sound/core/seq/seq_device.c                      |    8 +-
 sound/drivers/mts64.c                            |   14 +-
 sound/drivers/opl4/opl4_lib.c                    |    2 +-
 sound/drivers/portman2x4.c                       |    3 +-
 sound/firewire/amdtp.c                           |    4 +-
 sound/firewire/amdtp.h                           |    2 +-
 sound/firewire/isight.c                          |   10 +-
 sound/firewire/scs1x.c                           |    8 +-
 sound/oss/sb_audio.c                             |    2 +-
 sound/oss/swarm_cs4297a.c                        |    6 +-
 sound/pci/ymfpci/ymfpci.h                        |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                   |   12 +-
 tools/gcc/.gitignore                             |    1 +
 tools/gcc/Makefile                               |   45 +
 tools/gcc/checker_plugin.c                       |  171 +
 tools/gcc/colorize_plugin.c                      |  151 +
 tools/gcc/constify_plugin.c                      |  518 ++
 tools/gcc/generate_size_overflow_hash.sh         |   94 +
 tools/gcc/kallocstat_plugin.c                    |  170 +
 tools/gcc/kernexec_plugin.c                      |  465 ++
 tools/gcc/latent_entropy_plugin.c                |  327 ++
 tools/gcc/size_overflow_hash.data                | 5876 ++++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                 | 2114 ++++++++
 tools/gcc/stackleak_plugin.c                     |  327 ++
 tools/gcc/structleak_plugin.c                    |  276 +
 tools/perf/util/include/asm/alternative-asm.h    |    3 +
 tools/perf/util/include/linux/compiler.h         |    8 +
 virt/kvm/kvm_main.c                              |   32 +-
 1555 files changed, 30474 insertions(+), 7126 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
Merge: 814820a 3a59a59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:51:18 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:50:07 2013 -0400

    Update to pax-linux-3.8.13-test24.patch:
    - fixed sparc/constification compile error, reported by blake
    - UDEREF/amd64 should be a bit more efficient when disabled at boot time
    - fixed some unnecessary integer truncations that could trip up the size overflow plugin

 arch/arm/kernel/vmlinux.lds.S       |    4 ++--
 arch/sparc/kernel/us3_cpufreq.c     |    4 ++--
 arch/x86/ia32/ia32entry.S           |    4 ++--
 arch/x86/include/asm/pgtable.h      |    6 ++++--
 arch/x86/include/asm/uaccess.h      |    6 +++---
 arch/x86/kernel/kprobes-opt.c       |    4 ++++
 arch/x86/lib/copy_user_nocache_64.S |    2 +-
 arch/x86/lib/getuser.S              |    8 ++++----
 arch/x86/lib/putuser.S              |    8 ++++----
 arch/x86/mm/fault.c                 |    6 +++---
 drivers/net/slip/slhc.c             |    2 +-
 drivers/staging/iio/ring_sw.c       |    2 +-
 fs/binfmt_elf.c                     |    6 +++---
 fs/nfsd/nfscache.c                  |    2 +-
 fs/xattr.c                          |   21 +++++++++++++++++++++
 include/linux/syscalls.h            |    2 +-
 include/linux/xattr.h               |    3 +++
 init/main.c                         |    3 +++
 kernel/futex_compat.c               |    2 +-
 kernel/trace/trace.h                |    2 +-
 net/socket.c                        |    2 +-
 security/Kconfig                    |    2 +-
 22 files changed, 67 insertions(+), 34 deletions(-)

commit 814820abfe5b9a34401d838b2510431a4cd92be9
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 09:31:17 2013 +0000

    Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
    
    tipc: potential divide by zero in tipc_link_recv_fragment()
    
    The worry here is that fragm_sz could be zero since it comes from
    skb->data.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/link.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 08:28:41 2013 +0000

    Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
    
    tipc: add a bounds check in link_recv_changeover_msg()
    
    The bearer_id here comes from skb->data and it can be a number from 0 to
    7.  The problem is that the ->links[] array has only 2 elements so I
    have added a range check.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/link.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit ed0428c4ef6c5498870772f212ac651216eb8d0c
Merge: 2452d8d dbf932a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:18:25 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/cpu/perf_event_intel_uncore.c
        arch/x86/mm/init.c

commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 20:24:01 2013 -0400

    compile fix

 grsecurity/gracl.c      |    1 +
 grsecurity/gracl_segv.c |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:25:26 2013 -0400

    fix btrfs support here as well

 grsecurity/gracl_segv.c |   17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

commit c75e4664fe4d20da1639f70d9def097c4f20856b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:12:57 2013 -0400

    Fix RBAC compatibility with btrfs compiled as a module, as
    reported on the forums by YuHg at:
    http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952

 fs/btrfs/inode.c            |   11 +----------
 grsecurity/gracl.c          |   19 ++++++++++---------
 grsecurity/gracl_segv.c     |    2 +-
 grsecurity/grsec_disabled.c |    2 +-
 4 files changed, 13 insertions(+), 21 deletions(-)

commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 11 12:12:00 2013 -0400

    allow copies just up to the start of kernel code

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 04638852588cf243f865f5a73aa9dab94fab53b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:53:07 2013 -0400

    MODULES_EXEC_VADDR is a virtual address

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:51:03 2013 -0400

    exempt module rx areas from usercopy protection under i386 kernexec
    their .rodata will be placed between stext/etext causing copies of
    constant strings to trigger usercopy reports/terminations

 fs/exec.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 20:25:52 2013 -0400

    User jorgus on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
    discovered that the upstreamed version of enforcing RLIMIT_NPROC
    at setuid/exec time missed an important corner case:
    If RLIMIT_NPROC is set after a setuid occurs and the user's process
    limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
    happen at exec time for the task with a modified RLIMIT_NPROC.
    
    This patch fixes that.

 kernel/sys.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
Merge: 539fff0 2452d8d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 18:13:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
Merge: 6c850d8 9c9ab76
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 18:13:31 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/irq.c
        kernel/trace/trace_stack.c

commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:43:00 2013 -0400

    turn counter into a flag

 grsecurity/Kconfig        |    2 +-
 grsecurity/grsec_chroot.c |    8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:02:39 2013 -0400

    add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
    useful for Fedora/RHEL users

 grsecurity/Kconfig        |   10 ++++++++++
 grsecurity/grsec_chroot.c |   17 +++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

commit 418102925c0cfb0de51b0a021abaa575e28fafa6
Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
Date:   Fri May 3 14:11:25 2013 +0200

    Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
    
    perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
    
    We should always have proper privileges when requesting kernel
    data.
    
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@kernel.org>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: eranian@google.com
    Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
    [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org

 arch/x86/kernel/cpu/perf_event_intel_lbr.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Apr 29 05:58:52 2013 +0000

    Upstream commit: aebda156a570782a86fc4426842152237a19427d
    
    net: defer net_secret[] initialization
    
    Instead of feeding net_secret[] at boot time, defer the init
    at the point first socket is created.
    
    This permits some platforms to use better entropy sources than
    the ones available at boot time.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/secure_seq.h |    1 +
 net/core/secure_seq.c    |    4 +---
 net/ipv4/af_inet.c       |    5 ++++-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed May 1 02:59:23 2013 +0000

    Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
    
    net: sctp: attribute printl with __printf for gcc fmt checks
    
    Let GCC check for format string errors in sctp's probe printl
    function. This patch fixes the warning when compiled with W=1:
    
    net/sctp/probe.c:73:2: warning: function might be possible candidate
    for 'gnu_printf' format attribute [-Wmissing-format-attribute]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/probe.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:58:54 2013 -0400

    remove no-longer-needed vmware 8 compat fix

 mm/page_alloc.c |    6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:55:23 2013 -0400

    remove unnecessary < 0 check

 net/phonet/af_phonet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:30:48 2013 -0400

    remove references to CONFIG_X86_WP_WORKS_OK

 arch/um/defconfig |    1 -
 security/Kconfig  |    2 +-
 2 files changed, 1 insertions(+), 2 deletions(-)

commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
Merge: a8dbe8e 6c850d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:28:44 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/mm/ultra.S
        drivers/tty/tty_io.c

commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
Merge: cdbcbef 9fa1d01
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:25:18 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:44:23 2013 -0400

    add module.h to silence compiler warning, thanks to
    Sergei Trofimovich

 fs/btrfs/inode.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 55eba82aca97aa56378e000840c48965557721e8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:43:03 2013 -0400

    compilation fix

 kernel/trace/trace.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e3bf912b54af6df7fbebc68b5999554562056c5c
Merge: 5b72e37 cdbcbef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:34:42 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit cdbcbef45c4f003cbee11e10668a35d424c17c60
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:33:35 2013 -0400

    Update to pax-linux-3.8.10-test21.patch:
    - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
    - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
      note that the false positive is not fixed yet
    - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
    - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
    - reverted the nested NMI fix in search for a real one
    - simplified the arm_delay_ops constification

 arch/arm/include/asm/delay.h     |    8 ++++----
 arch/arm/lib/delay.c             |   17 +++++------------
 arch/x86/kernel/entry_64.S       |   11 ++++++++++-
 arch/x86/kernel/i8259.c          |    2 +-
 arch/x86/kernel/pci-calgary_64.c |    2 +-
 arch/x86/kvm/vmx.c               |    4 ++--
 drivers/block/pktcdvd.c          |    2 +-
 fs/btrfs/extent-tree.c           |    2 +-
 fs/nfsd/nfscache.c               |    6 ++++--
 kernel/trace/trace.c             |    2 +-
 tools/gcc/structleak_plugin.c    |    4 ++++
 11 files changed, 34 insertions(+), 26 deletions(-)

commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 20:53:06 2013 -0400

    don't use file_inode()

 drivers/tty/tty_io.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Apr 26 13:48:53 2013 +0200

    Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
    
    TTY: fix atime/mtime regression
    
    In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
    we removed timestamps from tty inodes to fix a security issue and waited
    if something breaks.  Well, 'w', the utility to find out logged users
    and their inactivity time broke.  It shows that users are inactive since
    the time they logged in.
    
    To revert to the old behaviour while still preventing attackers to
    guess the password length, we update the timestamps in one-minute
    intervals by this patch.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        drivers/tty/tty_io.c

 drivers/tty/tty_io.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Feb 15 15:25:05 2013 +0100

    Upstream commit: b0de59b5733d
    
    TTY: do not update atime/mtime on read/write
    
    On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
    out length of a password using timestamps of /dev/ptmx. It is
    documented in "Timing Analysis of Keystrokes and Timing Attacks on
    SSH". To avoid that problem, do not update time when reading
    from/writing to a TTY.
    
    I am afraid of regressions as this is a behavior we have since 0.97
    and apps may expect the time to be current, e.g. for monitoring
    whether there was a change on the TTY. Now, there is no change. So
    this would better have a lot of testing before it goes upstream.
    
    References: CVE-2013-0160
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: stable <stable@vger.kernel.org> # after 3.9 is out
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_io.c |    8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit 5344a24e2320d61dbdb88aae04922f0799deefd0
Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
Date:   Fri Apr 26 11:03:53 2013 +0800

    Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
    
    aio: fix possible invalid memory access when DEBUG is enabled
    
    dprintk() shouldn't access @ring after it's unmapped.
    
    Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/aio.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
Author: John David Anglin <dave.anglin@bell.net>
Date:   Tue Apr 23 22:42:07 2013 +0200

    Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
    
    parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
    
    User applications running on SMP kernels have long suffered from instability
    and random segmentation faults.  This patch improves the situation although
    there is more work to be done.
    
    One of the problems is the various routines in pgtable.h that update page table
    entries use different locking mechanisms, or no lock at all (set_pte_at).  This
    change modifies the routines to all use the same lock pa_dbit_lock.  This lock
    is used for dirty bit updates in the interruption code. The patch also purges
    the TLB entries associated with the PTE to ensure that inconsistent values are
    not used after the page table entry is updated.  The UP and SMP code are now
    identical.
    
    The change also includes a minor update to the purge_tlb_entries function in
    cache.c to improve its efficiency.
    
    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: Helge Deller <deller@gmx.de>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/include/asm/pgtable.h |   47 +++++++++++++++++++-----------------
 arch/parisc/kernel/cache.c        |    5 +---
 2 files changed, 26 insertions(+), 26 deletions(-)

commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
Merge: ba54c97 4d05084
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 18:17:20 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kvm/x86.c
        include/linux/capability.h

commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
Merge: c664779 bb8dd67
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 18:15:45 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Apr 24 16:52:18 2013 -0700

    Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
    
    sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
    
    Reported-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/tlb.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Apr 19 17:26:26 2013 -0400

    Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
    
    sparc64: Fix race in TLB batch processing.
    
    As reported by Dave Kleikamp, when we emit cross calls to do batched
    TLB flush processing we have a race because we do not synchronize on
    the sibling cpus completing the cross call.
    
    So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
    and either flushes are missed or flushes will flush the wrong
    addresses.
    
    Fix this by using generic infrastructure to synchonize on the
    completion of the cross call.
    
    This first required getting the flush_tlb_pending() call out from
    switch_to() which operates with locks held and interrupts disabled.
    The problem is that smp_call_function_many() cannot be invoked with
    IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
    
    We get the batch processing outside of locked IRQ disabled sections by
    using some ideas from the powerpc port. Namely, we only batch inside
    of arch_{enter,leave}_lazy_mmu_mode() calls.  If we're not in such a
    region, we flush TLBs synchronously.
    
    1) Get rid of xcall_flush_tlb_pending and per-cpu type
       implementations.
    
    2) Do TLB batch cross calls instead via:
    
        smp_call_function_many()
                tlb_pending_func()
                        __flush_tlb_pending()
    
    3) Batch only in lazy mmu sequences:
    
        a) Add 'active' member to struct tlb_batch
        b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
        c) Set 'active' in arch_enter_lazy_mmu_mode()
        d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
        e) Check 'active' in tlb_batch_add_one() and do a synchronous
               flush if it's clear.
    
    4) Add infrastructure for synchronous TLB page flushes.
    
        a) Implement __flush_tlb_page and per-cpu variants, patch
           as needed.
        b) Likewise for xcall_flush_tlb_page.
        c) Implement smp_flush_tlb_page() to invoke the cross-call.
        d) Wire up global_flush_tlb_page() to the right routine based
               upon CONFIG_SMP
    
    5) It turns out that singleton batches are very common, 2 out of every
       3 batch flushes have only a single entry in them.
    
       The batch flush waiting is very expensive, both because of the poll
       on sibling cpu completeion, as well as because passing the tlb batch
       pointer to the sibling cpus invokes a shared memory dereference.
    
       Therefore, in flush_tlb_pending(), if there is only one entry in
       the batch perform a completely asynchronous global_flush_tlb_page()
       instead.
    
    Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>

 arch/sparc/include/asm/pgtable_64.h   |    1 +
 arch/sparc/include/asm/switch_to_64.h |    3 +-
 arch/sparc/include/asm/tlbflush_64.h  |   37 +++++++++--
 arch/sparc/kernel/smp_64.c            |   41 ++++++++++-
 arch/sparc/mm/tlb.c                   |   38 +++++++++-
 arch/sparc/mm/tsb.c                   |   57 ++++++++++++----
 arch/sparc/mm/ultra.S                 |  119 ++++++++++++++++++++++++++-------
 7 files changed, 241 insertions(+), 55 deletions(-)

commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Apr 19 15:32:32 2013 +0000

    Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
    
    net: fix incorrect credentials passing
    
    Commit 257b5358b32f ("scm: Capture the full credentials of the scm
    sender") changed the credentials passing code to pass in the effective
    uid/gid instead of the real uid/gid.
    
    Obviously this doesn't matter most of the time (since normally they are
    the same), but it results in differences for suid binaries when the wrong
    uid/gid ends up being used.
    
    This just undoes that (presumably unintentional) part of the commit.
    
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Serge E. Hallyn <serge@hallyn.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/scm.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:22:40 2013 -0400

    move _etext to only cover kernel code, not read-only data, as reported by Gu1

 arch/arm/kernel/vmlinux.lds.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 98ad6adbc48759e4f9eae435d3e51ba487155685
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:17:24 2013 -0400

    add asm/sections.h for USERCOPY change

 fs/exec.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
Author: Dmitry Popov <dp@highloadlab.com>
Date:   Thu Apr 11 08:55:07 2013 +0000

    Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
    
    tcp: incoming connections might use wrong route under synflood
    
    There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
        flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
                           RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                           inet_sk_flowi_flags(sk),
                           (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
                           ireq->loc_addr, th->source, th->dest);
    
    Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
    taken. This dst_entry is used by new socket (get_cookie_sock ->
    tcp_v4_syn_recv_sock), so its packets may take the wrong path.
    
    Signed-off-by: Dmitry Popov <dp@highloadlab.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/syncookies.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 3600395e8fef3ae712e72f9b68c3609639616df8
Author: Thomas Graf <tgraf@suug.ch>
Date:   Thu Apr 11 10:57:18 2013 +0000

    Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
    
    tcp: Reallocate headroom if it would overflow csum_start
    
    If a TCP retransmission gets partially ACKed and collapsed multiple
    times it is possible for the headroom to grow beyond 64K which will
    overflow the 16bit skb->csum_start which is based on the start of
    the headroom. It has been observed rarely in the wild with IPoIB due
    to the 64K MTU.
    
    Verify if the acking and collapsing resulted in a headroom exceeding
    what csum_start can cover and reallocate the headroom if so.
    
    A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
    LLNL for helping out with the investigation and testing.
    
    Reported-by: Jim Foraker <foraker1@llnl.gov>
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_output.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
Author: Ivan Vecera <ivecera@redhat.com>
Date:   Fri Apr 12 16:49:24 2013 +0200

    Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
    
    be2net: take care of __vlan_put_tag return value
    
    The driver should use return value of __vlan_put_tag with appropriate
    NULL-check instead of old skb pointer.
    
    Signed-off-by: Ivan Vecera <ivecera@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/emulex/benet/be_main.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Fri Apr 12 03:17:12 2013 +0000

    Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
    
    tuntap: fix error return code in tun_set_iff()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    [ Bug added in linux-3.8 , commit 4008e97f866db665
      ("tuntap: fix ambigious multiqueue API") ]
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Sat Apr 13 15:49:03 2013 +0000

    Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
    
    esp4: fix error return code in esp_output()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 2b45b5f52c2a8930f80c62de392a62516c83e225
Author: Bjørn Mork <bjorn@mork.no>
Date:   Tue Apr 16 00:17:07 2013 +0000

    Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
    
    net: cdc_mbim: remove bogus sizeof()
    
    The intention was to test against the constant, not the size of
    the constant.
    
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/usb/cdc_mbim.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 17d7408795519037a5a1272c7888238e20830bfe
Author: Vyacheslav Dubeyko <slava@dubeyko.com>
Date:   Wed Apr 17 15:58:33 2013 -0700

    Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
    
    hfsplus: fix potential overflow in hfsplus_file_truncate()
    
    Change a u32 to loff_t hfsplus_file_truncate().
    
    Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/hfsplus/extents.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
Author: Emese Revfy <re.emese@gmail.com>
Date:   Wed Apr 17 15:58:36 2013 -0700

    Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
    
    kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
    
    This fixes a kernel memory contents leak via the tkill and tgkill syscalls
    for compat processes.
    
    This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
    when handling signals delivered from tkill.
    
    The place of the infoleak:
    
    int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
    {
            ...
            put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
            ...
    }
    
    Signed-off-by: Emese Revfy <re.emese@gmail.com>
    Reviewed-by: PaX Team <pageexec@freemail.hu>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Serge Hallyn <serge.hallyn@canonical.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/signal.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:17:00 2013 -0400

    Improve PAX_USERCOPY to reject direct copies to/from main kernel text

 fs/exec.c |   29 +++++++++++++++++++++++++++--
 1 files changed, 27 insertions(+), 2 deletions(-)

commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
Merge: e87c19f c664779
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:06:08 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c664779987cb0c27a242029f0e0db812e3236203
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 19:54:09 2013 -0400

    add intentional_overflow marking for resource_size() as reasoned by:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3412

 include/linux/ioport.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e87c19f8312355b8658e5138c16bfa6043a379c8
Merge: 802d119 d0c636c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 16:57:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
Merge: bc88628 2396403
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 16:57:01 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/paravirt.c

commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:39:51 2013 -0400

    move location of RBAC user check on setfsuid until after capability checks
    for consistency with other checks

 kernel/sys.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 1a860d7d67051559ab2e6d10f9888649c92904e6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:34:46 2013 -0400

    A denied setfsuid by the RBAC system would result in an abort_creds() being called
    with an uninitalized pointer, introduced by a bad forward-port

 kernel/sys.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
Merge: c38d142 bc88628
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:28:33 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit bc88628a6a8fcccaabb90908640809b0540df225
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:26:41 2013 -0400

    Update to pax-linux-3.8.7-test20.patch:
    - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
    - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
    - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
    - fixed CONSTIFY and powerpc interference, reported by  John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)

 arch/powerpc/include/asm/smp.h |    2 +-
 arch/x86/Kconfig               |    4 ++--
 arch/x86/kernel/entry_64.S     |    8 ++++----
 security/Kconfig               |    2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

commit c38d142744489fc4d9be80188b6435a278438fd9
Author: Suleiman Souhlal <suleiman@google.com>
Date:   Sat Apr 13 16:03:06 2013 -0700

    Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
    
    vfs: Revert spurious fix to spinning prevention in prune_icache_sb
    
    Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
    
    This commit doesn't look right: since we are looking at the tail of the
    list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
    it back at the head of the list instead of the tail, otherwise we will
    keep spinning on it.
    
    Discovered when investigating why prune_icache_sb came top in perf
    reports of a swapping load.
    
    Signed-off-by: Suleiman Souhlal <suleiman@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org # v3.2+
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/inode.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 93019624b80ba59798393942798d7f6ed0c1dbc6
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Apr 13 15:15:30 2013 -0700

    Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
    
    kobject: fix kset_find_obj() race with concurrent last kobject_put()
    
    Anatol Pomozov identified a race condition that hits module unloading
    and re-loading.  To quote Anatol:
    
     "This is a race codition that exists between kset_find_obj() and
      kobject_put().  kset_find_obj() might return kobject that has refcount
      equal to 0 if this kobject is freeing by kobject_put() in other
      thread.
    
      Here is timeline for the crash in case if kset_find_obj() searches for
      an object tht nobody holds and other thread is doing kobject_put() on
      the same kobject:
    
        THREAD A (calls kset_find_obj())     THREAD B (calls kobject_put())
        splin_lock()
                                             atomic_dec_return(kobj->kref), counter gets zero here
                                             ... starts kobject cleanup ....
                                             spin_lock() // WAIT thread A in kobj_kset_leave()
        iterate over kset->list
        atomic_inc(kobj->kref) (counter becomes 1)
        spin_unlock()
                                             spin_lock() // taken
                                             // it does not know that thread A increased counter so it
                                             remove obj from list
                                             spin_unlock()
                                             vfree(module) // frees module object with containing kobj
    
        // kobj points to freed memory area!!
        kobject_put(kobj) // OOPS!!!!
    
      The race above happens because module.c tries to use kset_find_obj()
      when somebody unloads module.  The module.c code was introduced in
      commit 6494a93d55fa"
    
    Anatol supplied a patch specific for module.c that worked around the
    problem by simply not using kset_find_obj() at all, but rather than make
    a local band-aid, this just fixes kset_find_obj() to be thread-safe
    using the proper model of refusing the get a new reference if the
    refcount has already dropped to zero.
    
    See examples of this proper refcount handling not only in the kref
    documentation, but in various other equivalent uses of this pattern by
    grepping for atomic_inc_not_zero().
    
    [ Side note: the module race does indicate that module loading and
      unloading is not properly serialized wrt sysfs information using the
      module mutex.  That may require further thought, but this is the
      correct fix at the kobject layer regardless. ]
    
    Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/kobject.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 5277b052b5fab36729e1255fb3b12f47a4b12867
Author: Dave Hansen <dave@sr71.net>
Date:   Fri Apr 12 16:23:54 2013 -0700

    Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
    
    x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
    
    This patch attempts to fix:
    
        https://bugzilla.kernel.org/show_bug.cgi?id=56461
    
    The symptom is a crash and messages like this:
    
        chrome: Corrupted page table at address 34a03000
        *pdpt = 0000000000000000 *pde = 0000000000000000
        Bad pagetable: 000f [#1] PREEMPT SMP
    
    Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
    enable tlb flush range support for x86") since that code started to free
    unused pagetables.
    
    On x86-32 PAE kernels, that new code has the potential to free an entire
    PMD page and will clear one of the four page-directory-pointer-table
    (aka pgd_t entries).
    
    The hardware aggressively "caches" these top-level entries and invlpg
    does not actually affect the CPU's copy.  If we clear one we *HAVE* to
    do a full TLB flush, otherwise we might continue using a freed pmd page.
    (note, we do this properly on the population side in pud_populate()).
    
    This patch tracks whenever we clear one of these entries in the 'struct
    mmu_gather', and ensures that we follow up with a full tlb flush.
    
    BTW, I disassembled and checked that:
    
        if (tlb->fullmm == 0)
    and
        if (!tlb->fullmm && !tlb->need_flush_all)
    
    generate essentially the same code, so there should be zero impact there
    to the !PAE case.
    
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Peter Anvin <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Artem S Tashkinov <t.artem@mailcity.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/x86/include/asm/tlb.h |    2 +-
 arch/x86/mm/pgtable.c      |    7 +++++++
 include/asm-generic/tlb.h  |    7 ++++++-
 mm/memory.c                |    1 +
 4 files changed, 15 insertions(+), 2 deletions(-)

commit 521e573fc77d1783c1d4636dfbb4617a922f043d
Merge: 032f626 f807619
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:29:34 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f80761993b85df96fc142dfc3a317cadc0f8eae5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:28:21 2013 -0400

    Update to pax-linux-3.8.7-test19.patch:
    - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
    - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
    - fixed the structleak plugin to compile for gcc 4.5-4.6 as well

 Makefile                      |    2 +-
 arch/x86/xen/enlighten.c      |    6 +++---
 tools/gcc/structleak_plugin.c |    5 +++--
 3 files changed, 7 insertions(+), 6 deletions(-)

commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
Merge: a3a770e 89886f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 18:38:40 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 89886f561cc0d1c42a99624ec8c3704711088155
Merge: 9123489 531ec28
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 18:38:30 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit a3a770e18578841e4fbe2aa0831a22811b4812cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 11 20:46:20 2013 -0400

    Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
    Will be fixed with the next PaX patch
    
    This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date:   Fri Mar 29 10:20:56 2013 -0400

    Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
    
    xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
    
    Occassionaly on a DL380 G4 the guest would crash quite early with this:
    
    (XEN) d244:v0: unhandled page fault (ec=0003)
    (XEN) Pagetable walk from ffffffff84dc7000:
    (XEN)  L4[0x1ff] = 00000000c3f18067 0000000000001789
    (XEN)  L3[0x1fe] = 00000000c3f14067 000000000000178d
    (XEN)  L2[0x026] = 00000000dc8b2067 0000000000004def
    (XEN)  L1[0x1c7] = 00100000dc8da067 0000000000004dc7
    (XEN) domain_crash_sync called from entry.S
    (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
    (XEN) ----[ Xen-4.1.3OVM  x86_64  debug=n  Not tainted ]----
    (XEN) CPU:    3
    (XEN) RIP:    e033:[<ffffffff81263f22>]
    (XEN) RFLAGS: 0000000000000216   EM: 1   CONTEXT: pv guest
    (XEN) rax: 0000000000000000   rbx: ffffffff81785f88   rcx: 000000000000003f
    (XEN) rdx: 0000000000000000   rsi: 00000000dc8da063   rdi: ffffffff84dc7000
    
    The offending code shows it to be a loop writting the value zero
    (%rax) in the %rdi (the L4 provided by Xen) register:
    
       0: 44 00 00             add    %r8b,(%rax)
       3: 31 c0                 xor    %eax,%eax
       5: b9 40 00 00 00       mov    $0x40,%ecx
       a: 66 0f 1f 84 00 00 00 nopw   0x0(%rax,%rax,1)
      11: 00 00
      13: ff c9                 dec    %ecx
      15:* 48 89 07             mov    %rax,(%rdi)     <-- trapping instruction
      18: 48 89 47 08           mov    %rax,0x8(%rdi)
      1c: 48 89 47 10           mov    %rax,0x10(%rdi)
    
    which fails. xen_setup_kernel_pagetable recycles some of the Xen's
    page-table entries when it has switched over to its Linux page-tables.
    
    Right before try to clear the page, we  make a hypercall to change
    it from _RO to  _RW and that works (otherwise we would hit an BUG()).
    And the _RW flag is set for that page:
    (XEN)  L1[0x1c7] = 001000004885f067 0000000000004dc7
    
    The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
    present (correct), and we tried to write to the page, but a violation
    occurred. The one theory is that the the page entries in hardware
    (which are cached) are not up to date with what we just set. Especially
    as we have just done an CR3 write and flushed the multicalls.
    
    This patch does solve the problem by flusing out the TLB page
    entry after changing it from _RO to _RW and we don't hit this
    issue anymore.
    
    Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
    'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
    Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

 arch/x86/xen/mmu.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
Author: Namhyung Kim <namhyung.kim@lge.com>
Date:   Mon Apr 1 21:46:23 2013 +0900

    Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
    
    tracing: Fix double free when function profile init failed
    
    On the failure path, stat->start and stat->pages will refer same page.
    So it'll attempt to free the same page again and get kernel panic.
    
    Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
    
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Namhyung Kim <namhyung.kim@lge.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Namhyung Kim <namhyung@kernel.org>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/ftrace.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Tue Apr 9 23:19:00 2013 +0000

    Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
    
    e100: Add dma mapping error check
    
    e100 uses pci_map_single, but fails to check for a dma mapping error after its
    use, resulting in a stack trace:
    
    [   46.656594] ------------[ cut here ]------------
    [   46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
    [   46.657004] Hardware name: To Be Filled By O.E.M.
    [   46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
    error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
    [   46.657004] Modules linked in:
    [   46.657004]  w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
    snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
    e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
    k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
    sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
    drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
    sata_promise crc_itu_t
    [   46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
    [   46.657004] Call Trace:
    [   46.657004]  <IRQ>  [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
    [   46.657004]  [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
    [   46.657004]  [<ffffffff81364cfb>] check_unmap+0x47b/0x950
    [   46.657004]  [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
    [   46.657004]  [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
    [   46.657004]  [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
    [   46.657004]  [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
    [   46.657004]  [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
    [   46.657004]  [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
    [   46.657004]  [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
    [   46.657004]  [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
    [   46.657004]  [<ffffffff8101c485>] do_softirq+0x85/0xc0
    [   46.657004]  [<ffffffff81070885>] irq_exit+0xd5/0xe0
    [   46.657004]  [<ffffffff816e5756>] do_IRQ+0x56/0xc0
    [   46.657004]  [<ffffffff816dacb2>] common_interrupt+0x72/0x72
    [   46.657004]  <EOI>  [<ffffffff816da1eb>] ?
    _raw_spin_unlock_irqrestore+0x3b/0x70
    [   46.657004]  [<ffffffff816d124d>] __slab_free+0x58/0x38b
    [   46.657004]  [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
    [   46.657004]  [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
    [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
    [   46.657004]  [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff811e8c28>] destroy_inode+0x38/0x60
    [   46.657004]  [<ffffffff811e8d5e>] evict+0x10e/0x1a0
    [   46.657004]  [<ffffffff811e9605>] iput+0xf5/0x180
    [   46.657004]  [<ffffffff811e4338>] dput+0x248/0x310
    [   46.657004]  [<ffffffff811ce0e1>] __fput+0x171/0x240
    [   46.657004]  [<ffffffff811ce26e>] ____fput+0xe/0x10
    [   46.657004]  [<ffffffff8108d54c>] task_work_run+0xac/0xe0
    [   46.657004]  [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
    [   46.657004]  [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
    [   46.657004]  [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
    [   46.657004]  [<ffffffff8106d139>] do_group_exit+0x49/0xc0
    [   46.657004]  [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
    [   46.657004]  [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
    [   46.657004] ---[ end trace 4468c44e2156e7d1 ]---
    [   46.657004] Mapped at:
    [   46.657004]  [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
    [   46.657004]  [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
    [   46.657004]  [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
    [   46.657004]  [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
    [   46.657004]  [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
    
    Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
    dma_mapping_error check in the obvious place
    
    This was reported previously here:
    http://article.gmane.org/gmane.linux.network/257893
    
    But nobody stepped up and fixed it.
    
    CC: Josh Boyer <jwboyer@redhat.com>
    CC: e1000-devel@lists.sourceforge.net
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: Michal Jaegermann <michal@harddata.com>
    Tested-by: Aaron Brown <aaron.f.brown@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/intel/e100.c |   36 +++++++++++++++++++++++++-----------
 1 files changed, 25 insertions(+), 11 deletions(-)

commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Wed Apr 10 12:44:18 2013 -0400

    Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
    
    NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
    
    Make sure that we set the status to 0 on success. Missed in testing
    because it never appears when doing multiple mounts to _different_
    servers.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list

 fs/nfs/nfs4client.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
Author: Yuval Mintz <yuvalmin@broadcom.com>
Date:   Wed Apr 10 13:34:39 2013 +0300

    Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
    
    bnx2x: Prevent null pointer dereference in AFEX mode
    
    The cnic module is responsible for initializing various bnx2x structs
    via callbacks provided by the bnx2x module.
    One such struct is the queue object for the FCoE queue.
    
    If a device is working in AFEX mode and its configuration allows FCoE yet
    the cnic module is not loaded, it's very likely a null pointer dereference
    will occur, as the bnx2x will erroneously access the FCoE's queue object.
    
    Prevent said access until cnic properly registers itself.
    
    Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
    Signed-off-by: Ariel Elior <ariele@broadcom.com>
    Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 2908830232725db624aaa052f7ad38d1f98bf541
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Apr 9 14:16:04 2013 +0800

    Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
    
    can: gw: use kmem_cache_free() instead of kfree()
    
    Memory allocated by kmem_cache_alloc() should be freed using
    kmem_cache_free(), not kfree().
    
    Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

 net/can/gw.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date:   Sun Apr 7 04:53:15 2013 +0000

    Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
    
    ipv6/tcp: Stop processing ICMPv6 redirect messages
    
    Tetja Rediske found that if the host receives an ICMPv6 redirect message
    after sending a SYN+ACK, the connection will be reset.
    
    He bisected it down to 093d04d (ipv6: Change skb->data before using
    icmpv6_notify() to propagate redirect), but the origin of the bug comes
    from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
    handlers.). The bug simply did not trigger prior to 093d04d, because
    skb->data did not point to the inner IP header and thus icmpv6_notify
    did not call the correct err_handler.
    
    This patch adds the missing "goto out;" in tcp_v6_err. After receiving
    an ICMPv6 Redirect, we should not continue processing the ICMP in
    tcp_v6_err, as this may trigger the removal of request-socks or setting
    sk_err(_soft).
    
    Reported-by: Tetja Rediske <tetja@tetja.de>
    Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/tcp_ipv6.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c7d5c2524456ef3ea9194840e7a9a75069a46824
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 20:32:54 2013 -0400

    - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit acac2380fd97acee4367d2aa24c74322dcf1d22b
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Apr 5 16:11:11 2013 -0400

    Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
    
    NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
    
    It is unsafe to use list_for_each_entry_safe() here, because
    when we drop the nn->nfs_client_lock, we pin the _current_ list
    entry and ensure that it stays in the list, but we don't do the
    same for the _next_ list entry. Use of list_for_each_entry() is
    therefore the correct thing to do.
    
    Also fix the refcounting in nfs41_walk_client_list().
    
    Finally, ensure that the nfs_client has finished being initialised
    and, in the case of NFSv4.1, that the session is set up.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: Chuck Lever <chuck.lever@oracle.com>
    Cc: Bryan Schumaker <bjschuma@netapp.com>
    Cc: stable@vger.kernel.org [>= 3.7]

 fs/nfs/nfs4client.c |   44 ++++++++++++++++++++++++++++----------------
 1 files changed, 28 insertions(+), 16 deletions(-)

commit a6cf5f387b882ac0ce655b75f623f86c075517be
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Mar 22 12:52:59 2013 -0400

    Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
    
    SUNRPC: Remove extra xprt_put()
    
    While testing error cases where rpc_new_client() fails, I saw
    some oopses.
    
    If rpc_new_client() fails, it already invokes xprt_put().  Thus
    __rpc_clone_client() does not need to invoke it again.
    
    Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
    Fri Sep 14, 2012.
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Cc: stable@vger.kernel.org [>=3.7]
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Apr 5 14:13:21 2013 -0400

    Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
    
    SUNRPC: Fix a potential memory leak in rpc_new_client
    
    If the call to rpciod_up() fails, we currently leak a reference to the
    struct rpc_xprt.
    As part of the fix, we also remove the redundant check for xprt!=NULL.
    This is already taken care of by the callers.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:16:05 2013 -0400

    From https://lkml.org/lkml/2013/4/8/469:
    [PATCH] rtnetlink: call nlmsg_parse() with correct header length

 net/core/rtnetlink.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9529169b8c405874fd543b785f53c74fa0501c2a
Author: Christopher Harvey <charvey@matrox.com>
Date:   Fri Apr 5 10:51:15 2013 -0400

    Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
    
    drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
    
    This change properly enables the "requester" in G200ER cards that is
    responsible for getting pixels out of memory and clocking them out to
    the screen.
    
    Signed-off-by: Christopher Harvey <charvey@matrox.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@redhat.com>

 drivers/gpu/drm/mgag200/mgag200_mode.c |   13 +++----------
 1 files changed, 3 insertions(+), 10 deletions(-)

commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Mar 28 13:30:23 2013 -0400

    Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
    
    ecryptfs: close rmmod race
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/ecryptfs/miscdev.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:03:45 2013 -0400

    Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1

 arch/ia64/kernel/palinfo.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 83280e384ae3ceadad30369ced111dc7d4b46085
Author: Andrey Vagin <avagin@openvz.org>
Date:   Tue Apr 9 17:33:29 2013 +0400

    Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
    
    mnt: release locks on error path in do_loopback
    
    do_loopback calls lock_mount(path) and forget to unlock_mount
    if clone_mnt or copy_mnt fails.
    
    [   77.661566] ================================================
    [   77.662939] [ BUG: lock held when returning to user space! ]
    [   77.664104] 3.9.0-rc5+ #17 Not tainted
    [   77.664982] ------------------------------------------------
    [   77.666488] mount/514 is leaving the kernel with locks still held!
    [   77.668027] 2 locks held by mount/514:
    [   77.668817]  #0:  (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
    [   77.671755]  #1:  (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
    
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namespace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 679e536b9d9536d804f049fe942367a596253e6d
Author: Alex Williamson <alex.williamson@redhat.com>
Date:   Tue Mar 26 11:33:16 2013 -0600

    Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
    
    vfio-pci: Fix possible integer overflow
    
    The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
    of which are unsigned.  We attempt to bounds check these, but fail to
    account for the case where start is a very large number, allowing
    start + count to wrap back into the valid range.  Bounds check both
    start and start + count.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

 drivers/vfio/pci/vfio_pci.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 18:48:45 2013 -0400

    Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b5261a6384ee42499b29495aaae40b271e77d394
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:30:45 2013 -0400

    some undefined behavior fixups

 grsecurity/gracl.c      |    4 ++--
 grsecurity/gracl_ip.c   |   10 +++++-----
 grsecurity/gracl_segv.c |    4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:28:54 2013 -0400

    don't whine about denied ipv6 when it's not enabled

 grsecurity/gracl_ip.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
Merge: 97bca88 9123489
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:18:45 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 9123489428c58668a89f316db6619739cbdd2c2a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:17:46 2013 -0400

    Update to pax-linux-3.8.6-test18.patch:
    - new size overflow plugin from Emese to work around a gcc optimization
      resulting in an intentional overflow, reported by Carlos Carvalho
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)

 tools/gcc/size_overflow_plugin.c |   68 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 66 insertions(+), 2 deletions(-)

commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
Merge: 675a41e e9d6073
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:32:59 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/kernel/us3_cpufreq.c

commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:19:03 2013 -0400

    Update to pax-linux-3.8.6-test17.patch:
    - fixed ia64/ppc/sparc compilation by spender
    - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)

 arch/ia64/include/asm/uaccess.h    |    2 -
 arch/powerpc/include/asm/uaccess.h |    2 -
 arch/sparc/include/asm/uaccess.h   |    7 ----
 arch/sparc/kernel/prom_common.c    |    2 +-
 arch/sparc/kernel/us3_cpufreq.c    |   69 ++++++++++--------------------------
 tools/gcc/structleak_plugin.c      |   15 ++++----
 6 files changed, 28 insertions(+), 69 deletions(-)

commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 7 12:00:50 2013 -0400

    fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5a216624a06429488f24ce47db093da042f90e48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:22:24 2013 -0400

    fix typo

 arch/sparc/kernel/us3_cpufreq.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit e476ca18d21788898cd3acd1b57049971a2fb70f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:16:13 2013 -0400

    properly fix cpufreq_driver for ultrasparc III with constification

 arch/sparc/kernel/us3_cpufreq.c |   35 +++++++++++++++++------------------
 1 files changed, 17 insertions(+), 18 deletions(-)

commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:58:48 2013 -0400

    mark prom_sparc_ops __initconst

 arch/sparc/kernel/prom_common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:53:16 2013 -0400

    fix ia64/powerpc/sparc compilation

 arch/ia64/include/asm/uaccess.h    |    2 --
 arch/powerpc/include/asm/uaccess.h |    2 --
 arch/sparc/include/asm/uaccess.h   |    7 -------
 3 files changed, 0 insertions(+), 11 deletions(-)

commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Mar 19 20:26:57 2013 +0100

    Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
    
    cfg80211: fix wdev tracing crash
    
    Arend reported a crash in tracing if the driver returns an
    ERR_PTR() value from the add_virtual_intf() callback. This
    is due to the tracing then still attempting to dereference
    the "pointer", fix this by using IS_ERR_OR_NULL().
    
    Reported-by: Arend van Spriel <arend@broadcom.com>
    Tested-by: Arend van Spriel <arend@broadcom.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/wireless/trace.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Mon Mar 25 11:51:14 2013 +0100

    Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
    
    mac80211: fix remain-on-channel cancel crash
    
    If a ROC item is canceled just as it expires, the work
    struct may be scheduled while it is running (and waiting
    for the mutex). This results in it being run after being
    freed, which obviously crashes.
    
    To fix this don't free it when aborting is requested but
    instead mark it as "to be freed", which makes the work a
    no-op and allows freeing it outside.
    
    Cc: stable@vger.kernel.org [3.6+]
    Reported-by: Jouni Malinen <j@w1.fi>
    Tested-by: Jouni Malinen <j@w1.fi>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/mac80211/cfg.c         |    6 ++++--
 net/mac80211/ieee80211_i.h |    3 ++-
 net/mac80211/offchannel.c  |   23 +++++++++++++++++------
 3 files changed, 23 insertions(+), 9 deletions(-)

commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
Author: Stone Piao <piaoyun@marvell.com>
Date:   Fri Mar 29 19:21:21 2013 -0700

    Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
    
    mwifiex: limit channel number not to overflow memory
    
    Limit the channel number in scan request, or the driver scan
    config structure memory will be overflowed.
    
    Cc: <stable@vger.kernel.org> # 3.5+
    Signed-off-by: Stone Piao <piaoyun@marvell.com>
    Signed-off-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/mwifiex/cfg80211.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 207c411512bdaf0e4271f93ecac6ca26588da36f
Author: Gao feng <gaofeng@cn.fujitsu.com>
Date:   Thu Mar 21 19:48:41 2013 +0000

    Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
    
    netfilter: reset nf_trace in nf_reset
    
    We forgot to clear the nf_trace of sk_buff in nf_reset,
    When we use veth device, this nf_trace information will
    be leaked from one net namespace to another net namespace.
    
    Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/linux/skbuff.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Fri Mar 22 01:28:18 2013 +0000

    Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
    
    netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_queue_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit a79feb7d3251eca577d83d7f69eee2b961ab2924
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Sat Mar 23 16:57:59 2013 +0100

    Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
    
    netfilter: nfnetlink_acct: return -EINVAL if object name is empty
    
    If user-space tries to create accounting object with an empty
    name, then return -EINVAL.
    
    Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_acct.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
Author: Matthias Schiffer <mschiffer@universe-factory.net>
Date:   Sat Mar 30 10:23:12 2013 +0000

    Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
    
    netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
    
    The bitmask used for the prefix mangling was being calculated
    incorrectly, leading to the wrong part of the address being replaced
    when the prefix length wasn't a multiple of 32.
    
    Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/ipv6/netfilter/ip6t_NPT.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
Author: Veaceslav Falico <vfalico@redhat.com>
Date:   Wed Apr 3 05:46:33 2013 +0000

    Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
    
    bonding: remove sysfs before removing devices
    
    We have a race condition if we try to rmmod bonding and simultaneously add
    a bond master through sysfs. In bonding_exit() we first remove the devices
    (through rtnl_link_unregister() ) and only after that we remove the sysfs.
    If we manage to add a device through sysfs after that the devices were
    removed - we'll end up with that device/sysfs structure and with the module
    unloaded.
    
    Fix this by first removing the sysfs and only after that calling
    rtnl_link_unregister().
    
    Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/bonding/bond_main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d12cae44a9d12441d81c489178803237219d403d
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:14:47 2013 +0000

    Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
    
    af_unix: If we don't care about credentials coallesce all messages
    
    It was reported that the following LSB test case failed
    https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
    were not coallescing unix stream messages when the application was
    expecting us to.
    
    The problem was that the first send was before the socket was accepted
    and thus sock->sk_socket was NULL in maybe_add_creds, and the second
    send after the socket was accepted had a non-NULL value for sk->socket
    and thus we could tell the credentials were not needed so we did not
    bother.
    
    The unnecessary credentials on the first message cause
    unix_stream_recvmsg to start verifying that all messages had the same
    credentials before coallescing and then the coallescing failed because
    the second message had no credentials.
    
    Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
    long standing pessimization which would fail to coallesce messages when
    reading from a unix stream socket if the senders were different even if
    we did not care about their credentials.
    
    I have tested this and verified that the in the LSB test case mentioned
    above that the messages do coallesce now, while the were failing to
    coallesce without this change.
    
    Reported-by: Karel Srot <ksrot@redhat.com>
    Reported-by: Ding Tianhong <dingtianhong@huawei.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:13:35 2013 +0000

    Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
    
    Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
    
    This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
    
    The problem that the above patch was meant to address is that af_unix
    messages are not being coallesced because we are sending unnecesarry
    credentials.  Not sending credentials in maybe_add_creds totally
    breaks unconnected unix domain sockets that wish to send credentails
    to other sockets.
    
    In practice this break some versions of udev because they receive a
    message and the sending uid is bogus so they drop the message.
    
    Reported-by: Sven Joachim <svenjoac@gmx.de>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Mar 20 21:31:42 2013 +0000

    Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
    
    lantiq_etop: use free_netdev(netdev) instead of kfree()
    
    Freeing netdev without free_netdev() leads to net, tx leaks.
    And it may lead to dereferencing freed pointer.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/lantiq_etop.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
Author: Cong Wang <amwang@redhat.com>
Date:   Fri Mar 22 19:14:07 2013 +0000

    Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
    
    8021q: fix a potential use-after-free
    
    vlan_vid_del() could possibly free ->vlan_info after a RCU grace
    period, however, we may still refer to the freed memory area
    by 'grp' pointer. Found by code inspection.
    
    This patch moves vlan_vid_del() as behind as possible.
    
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/8021q/vlan.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit fff29c277024a39845d4b535083c8dafc21b45d9
Author: Hong zhi guo <honkiko@gmail.com>
Date:   Sat Mar 23 02:27:50 2013 +0000

    Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
    
    bridge: fix crash when set mac address of br interface
    
    When I tried to set mac address of a bridge interface to a mac
    address which already learned on this bridge, I got system hang.
    
    The cause is straight forward: function br_fdb_change_mac_address
    calls fdb_insert with NULL source nbp. Then an fdb lookup is
    performed. If an fdb entry is found and it's local, it's OK. But
    if it's not local, source is dereferenced for printk without NULL
    check.
    
    Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br_fdb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
Author: Kumar Amit Mehta <gmate.amit@gmail.com>
Date:   Sat Mar 23 20:10:25 2013 +0000

    Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
    
    bnx2x: fix assignment of signed expression to unsigned variable
    
    fix for incorrect assignment of signed expression to unsigned variable.
    
    Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
    Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
Author: dingtianhong <dingtianhong@huawei.com>
Date:   Mon Mar 25 17:02:04 2013 +0000

    Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
    
    af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
    
    SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
    socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
    and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
    
    Origionally-authored-by: Karel Srot <ksrot@redhat.com>
    Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b964e1e61f0f0ccaa380be3342f956c604054bdc
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Mar 21 02:30:41 2013 -0700

    Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
    
    yama:  Better permission check for ptraceme
    
    Change the permission check for yama_ptrace_ptracee to the standard
    ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
    in the tracees user namespace.
    
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 security/yama/yama_lsm.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit b94e71c7b6abe75989edff18aca2781233fa143b
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Apr 1 11:40:51 2013 +0400

    Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
    
    ipc: set msg back to -EAGAIN if copy wasn't performed
    
    Make sure that msg pointer is set back to error value in case of
    MSG_COPY flag is set and desired message to copy wasn't found.  This
    garantees that msg is either a error pointer or a copy address.
    
    Otherwise the last message in queue will be freed without unlinking from
    the queue (which leads to memory corruption) and the dummy allocated
    copy won't be released.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msg.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
Author: Jan Kara <jack@suse.cz>
Date:   Fri Mar 29 15:39:16 2013 +0100

    Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
    
    reiserfs: Fix warning and inode leak when deleting inode with xattrs
    
    After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
    started failing to delete xattrs from inode. This was due to a buggy
    test for '.' and '..' in fill_with_dentries() which resulted in passing
    '.' and '..' entries to lookup_one_len() in some cases. That returned
    error and so we failed to iterate over all xattrs of and inode.
    
    Fix the test in fill_with_dentries() along the lines of the one in
    lookup_one_len().
    
    Reported-by: Pawel Zawora <pzawora@gmail.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/xattr.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
Author: Paul Bolle <pebolle@tiscali.nl>
Date:   Wed Apr 3 12:24:45 2013 +0100

    Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
    
    ARM: 7690/1: mm: fix CONFIG_LPAE typos
    
    CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
    up the two typos under arch/arm/.
    
    The fix to head.S is slightly scary, but this is just for setting up
    an early io-mapping for the serial port when running on a big-endian,
    LPAE system. Since these systems don't exist in the wild (at least, I
    have no access to one outside of kvmtool, which doesn't provide a serial
    port suitable for earlyprintk), then we can revisit the code later if it
    causes any problems.
    
    Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/kernel/head.S  |    2 +-
 arch/arm/kernel/setup.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 984ba346b2d8f158473e9723ba145031368431ed
Author: Catalin Marinas <catalin.marinas@arm.com>
Date:   Tue Mar 26 23:35:04 2013 +0100

    Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
    
    ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
    
    On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
    all use of the old entries. This patch implements the erratum workaround
    which consists of:
    
    1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
    2. Send IPI to the CPUs that are running the same mm (and ASID) as the
       one being invalidated (or all the online CPUs for global pages).
    3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
       return code already).
    
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    
    Conflicts:
    
        arch/arm/include/asm/tlbflush.h
        arch/arm/kernel/smp_tlb.c
        arch/arm/mm/context.c

 arch/arm/Kconfig                   |   10 +++++
 arch/arm/include/asm/highmem.h     |    7 ++++
 arch/arm/include/asm/mmu_context.h |    2 +
 arch/arm/include/asm/tlbflush.h    |   15 ++++++++
 arch/arm/kernel/smp_tlb.c          |   66 ++++++++++++++++++++++++++++++++++++
 arch/arm/mm/context.c              |    6 ++-
 6 files changed, 104 insertions(+), 2 deletions(-)

commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
Author: Jan Stancek <jstancek@redhat.com>
Date:   Thu Apr 4 11:35:10 2013 -0700

    Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
    
    mm: prevent mmap_cache race in find_vma()
    
    find_vma() can be called by multiple threads with read lock
    held on mm->mmap_sem and any of them can update mm->mmap_cache.
    Prevent compiler from re-fetching mm->mmap_cache, because other
    readers could update it in the meantime:
    
                   thread 1                             thread 2
                                            |
      find_vma()                            |  find_vma()
        struct vm_area_struct *vma = NULL;  |
        vma = mm->mmap_cache;               |
        if (!(vma && vma->vm_end > addr     |
            && vma->vm_start <= addr)) {    |
                                            |    mm->mmap_cache = vma;
        return vma;                         |
         ^^ compiler may optimize this      |
            local variable out and re-read  |
            mm->mmap_cache                  |
    
    This issue can be reproduced with gcc-4.8.0-1 on s390x by running
    mallocstress testcase from LTP, which triggers:
    
      kernel BUG at mm/rmap.c:1088!
        Call Trace:
         ([<000003d100c57000>] 0x3d100c57000)
          [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
          [<000000000023baae>] handle_pte_fault+0x41a/0xac8
          [<000000000023d832>] handle_mm_fault+0x17a/0x268
          [<000000000060507a>] do_protection_exception+0x1e2/0x394
          [<0000000000603a04>] pgm_check_handler+0x138/0x13c
          [<000003fffcf1f07a>] 0x3fffcf1f07a
        Last Breaking-Event-Address:
          [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
    
    Thanks to Jakub Jelinek for his insight on gcc and helping to
    track this down.
    
    Signed-off-by: Jan Stancek <jstancek@redhat.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c  |    2 +-
 mm/nommu.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 53f5096daa14967938bc154e6c41f9119863fb36
Merge: e988d7c 0a45285
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 5 17:32:31 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/net/ethernet/broadcom/tg3.c

commit 0a452855444d02502df6eb21ef3083cf303f71e1
Merge: 0277fa1 00cfbb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 5 17:31:15 2013 -0400

    Update to pax-linux-3.8.6-test16.patch:
    - fixed some attribute leakage into userland headers, patch by Mathias Krause
    - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
    
    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        drivers/gpu/drm/i915/intel_display.c

commit e988d7c8d946c816a2cb97f0d38048a1584966b8
Merge: baec40e 0277fa1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:05:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0277fa123b486cf11420967e4568d7653e225fd3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:04:48 2013 -0400

    Update to pax-linux-3.8.5-test15.patch:
    - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
    - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)

 drivers/media/pci/cx88/cx88-video.c |    6 +++---
 include/net/net_namespace.h         |    4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

commit baec40e6708fd5ae2000cad6c70c5980c998b91c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 19:50:32 2013 -0400

    fix compilation as reported on forums for gcc versions lacking plugin
    support

 include/net/net_namespace.h |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
Merge: 6b69c35 0db9d15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:47:27 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0db9d156826bdd50510086fde837648a3dfd370e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:46:05 2013 -0400

    Update to pax-linux-3.8.5-test14.patch:
    - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table

 arch/x86/include/asm/uaccess_64.h |    6 +-
 include/linux/moduleloader.h      |    4 +-
 tools/gcc/size_overflow_hash.data |   98 +++++++++++++++++++++----------------
 3 files changed, 61 insertions(+), 47 deletions(-)

commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:35:06 2013 -0400

    remove duplicate compiler.h

 include/linux/sysrq.h |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 01e1d503fd2220adaaec0b92ea19441bdff73555
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 19:53:50 2013 -0400

    fix intentional_overflow marking on sys_sendto

 include/linux/syscalls.h |    2 +-
 net/socket.c             |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit cd5ff114d958470f471c63775278e8c05e774630
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 18:46:16 2013 -0400

    fix size_overflow false positive

 kernel/futex_compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 295ba16cc53df2375261accbedd6575ea327770a
Merge: 18340f1 278a989
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:36:18 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/exec.c
        include/linux/thread_info.h

commit 278a989c831d62193c7b3d119fe2302babd45d12
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:34:34 2013 -0400

    Resync with pax-linux-3.8.5-test13.patch

 arch/arm/include/asm/pgtable.h |    3 ++-
 arch/arm/lib/delay.c           |    1 +
 fs/exec.c                      |    8 ++++----
 include/linux/compiler.h       |    1 +
 include/linux/proc_fs.h        |    2 +-
 include/linux/thread_info.h    |    6 +++---
 include/linux/zlib.h           |    3 ++-
 init/main.c                    |    4 ++--
 kernel/user_namespace.c        |    2 +-
 lib/list_debug.c               |    4 ++--
 mm/slab.c                      |    1 +
 mm/slob.c                      |    1 +
 mm/slub.c                      |    1 +
 net/core/sysctl_net_core.c     |    3 +--
 tools/gcc/constify_plugin.c    |    1 +
 15 files changed, 24 insertions(+), 17 deletions(-)

commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
Merge: 05f01ae e8cfeae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:30:57 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
Merge: b461cb7 aa4cfde
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:30:44 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        drivers/gpu/drm/i915/i915_gem_execbuffer.c
        fs/nfsd/vfs.c

commit 05f01ae4c3479541586a2387f916a6620889c479
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:05:39 2013 -0400

    Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
    takes user-provided length, copies up to that amount in a sockaddr_storage
    struct on the stack, then takes an upper-bounded-only user-provided length
    and copies the sockaddr_storage struct back out to userland, complete with
    uninitialized data

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit eea6ade59490784e83e08ec67322288fcf14cb31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 23:07:37 2013 -0400

    return a proper error, otherwise we could be accessing uninitialized data
    (previous define was a positive value)

 drivers/usb/storage/realtek_cr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
Merge: c3dc9a6 b461cb7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:54:24 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit b461cb7b1d85490430ef7896c247794af72c3749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:54:11 2013 -0400

    Add structleak plugin

 tools/gcc/structleak_plugin.c |  270 +++++++++++++++++++++++++++++++++++++++++
 1 files changed, 270 insertions(+), 0 deletions(-)

commit c3dc9a6ef10782894bb11fd088fd712db44d8062
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:53:22 2013 -0400

    Enable structleak by default for the security auto-config

 security/Kconfig |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
Merge: d8503a3 74bec16
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:47:10 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 74bec16b657147a5575b1f14f4423a717ba317a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:46:13 2013 -0400

    Update to pax-linux-3.8.4-test13.patch:
    - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
    - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland

 Makefile                      |    5 +++-
 arch/x86/include/asm/compat.h |    2 +-
 arch/x86/mm/fault.c           |    3 +-
 fs/binfmt_elf.c               |    2 +-
 include/linux/compiler.h      |   42 ++++++++++++++--------------------------
 security/Kconfig              |   16 +++++++++++++++
 tools/gcc/Makefile            |    2 +
 tools/gcc/constify_plugin.c   |    7 +++++-
 8 files changed, 47 insertions(+), 32 deletions(-)

commit d8503a3a35d68b9ba1615d29335aef3f70d51465
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:02:40 2013 -0400

    Fix 8-byte stack infoleak in ia32_rt_sigpending
    User controls length, kernel only performs check on the upper bound, will
    fill in any amount less than sizeof(sigset_t) via a copy_to_user under
    KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
    regardless of whether the sigset_t content copied into it has been initialized
    or not

 arch/x86/ia32/sys_ia32.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 26 21:05:05 2013 -0400

    commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
    Author: J. Bruce Fields <bfields@redhat.com>
    Date:   Tue Mar 26 14:11:13 2013 -0400
    
        nfsd4: reject "negative" acl lengths
    
        Since we only enforce an upper bound, not a lower bound, a "negative"
        length can get through here.
    
        The symptom seen was a warning when we attempt to a kmalloc with an
        excessive size.
    
        Reported-by: Toralf Förster <toralf.foerster@gmx.de>
        Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 fs/nfsd/nfs4xdr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
Author: Jeff Layton <jlayton@redhat.com>
Date:   Mon Mar 11 09:52:19 2013 -0400

    Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
    
    cifs: ignore everything in SPNEGO blob after mechTypes
    
    We've had several reports of people attempting to mount Windows 8 shares
    and getting failures with a return code of -EINVAL. The default sec=
    mode changed recently to sec=ntlmssp. With that, we expect and parse a
    SPNEGO blob from the server in the NEGOTIATE reply.
    
    The current decode_negTokenInit function first parses all of the
    mechTypes and then tries to parse the rest of the negTokenInit reply.
    The parser however currently expects a mechListMIC or nothing to follow the
    mechTypes, but Windows 8 puts a mechToken field there instead to carry
    some info for the new NegoEx stuff.
    
    In practice, we don't do anything with the fields after the mechTypes
    anyway so I don't see any real benefit in continuing to parse them.
    This patch just has the kernel ignore the fields after the mechTypes.
    We'll probably need to reinstate some of this if we ever want to support
    NegoEx.
    
    Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
    Reported-by: Yan Li <elliot.li.tech@gmail.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Steve French <sfrench@us.ibm.com>

 fs/cifs/asn1.c |   53 +++++------------------------------------------------
 1 files changed, 5 insertions(+), 48 deletions(-)

commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
Merge: 93ff726 0deb54c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:35:15 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:35:05 2013 -0400

    fix typo

 arch/x86/mm/ioremap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
Merge: be9f8b8 f95e53a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:30:06 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f95e53abadb6e4665866e4502ff9f518514193e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:29:25 2013 -0400

    Update to pax-linux-3.8.4-test12.patch:
    
    - fixed perf compilation reported by Michael Tremer
    - fixed USERCOPY reports triggered by SCTP, reported by mcp
    - last fix for aslr gap accounting, promise (thanks to spender)

 arch/x86/mm/ioremap.c                    |    3 +++
 fs/binfmt_elf.c                          |    5 ++---
 mm/mmap.c                                |    2 +-
 net/sctp/socket.c                        |   19 +++++++++++++++----
 tools/perf/util/include/linux/compiler.h |    8 ++++++++
 5 files changed, 29 insertions(+), 8 deletions(-)

commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 16:48:34 2013 -0400

    From: Al Viro <viro@ZenIV.linux.org.uk>
    To: Brad Spengler <spender@grsecurity.net>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    
    Umm...  I see what you are describing, and AFAICS you are correct; let me
    see if I am misreading your analysis:
            * vfsmount_lock may act fair; A holding it shared, with B spinning
    on attempt to take it exclusive may lead to C spinning on attempt to take
    it shared.
            * path_is_under() tries get rename_lock while holding vfsmount_lock
    shared.
            * d_path() et.al. try to take vfsmount_lock shared, while holding
    rename_lock.
    
    All true and yes, it's a bug (I'd probably classify it as a livelock, but
    that doesn't make any real difference).  There are three possible solutions,
    AFAICS:
            1) two-liner in path_is_under() replacing the use of vfsmount_lock
    with that of namespace_sem; trivial, but results in function unexpectedly
    blocking.  The current callers are fine with that, but it's a trouble
    waiting to happen.
            2) replace write_seqlock() in prepend_path() callers with
    read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
    is_subdir() we need more than just ->d_parent not pointing to something
    freed - we also care about ->d_name.len being in sync with ->d_name.name.
    It probably can be worked around, but...
    
            3) declare that rename_lock nests inside vfsmount_lock and let
    the callers of prepend_path() take vfsmount_lock().  I'd probably prefer
    that one...
    
    Nest rename_lock inside vfsmount_lock
    
    ... lest we get livelocks between path_is_under() and d_path() and friends.
    
    [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
      the issue ]
    
    Spotted-by: Brad Spengler <spender@grsecurity.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/dcache.c        |   16 +++++++++++-----
 grsecurity/gracl.c |   20 ++++++++++----------
 2 files changed, 21 insertions(+), 15 deletions(-)

commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Mar 22 11:44:04 2013 -0700

    Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
    
    vfs,proc: guarantee unique inodes in /proc
    
    Dave Jones found another /proc issue with his Trinity tool: thanks to
    the namespace model, we can have multiple /proc dentries that point to
    the same inode, aliasing directories in /proc/<pid>/net/ for example.
    
    This ends up being a total disaster, because it acts like hardlinked
    directories, and causes locking problems.  We rely on the topological
    sort of the inodes pointed to by dentries, and if we have aliased
    directories, that odering becomes unreliable.
    
    In short: don't do this.  Multiple dentries with the same (directory)
    inode is just a bad idea, and the namespace code should never have
    exposed things this way.  But we're kind of stuck with it.
    
    This solves things by just always allocating a new inode during /proc
    dentry lookup, instead of using "iget_locked()" to look up existing
    inodes by superblock and number.  That actually simplies the code a bit,
    at the cost of potentially doing more inode [de]allocations.
    
    That said, the inode lookup wasn't free either (and did a lot of locking
    of inodes), so it is probably not that noticeable.  We could easily keep
    the old lookup model for non-directory entries, but rather than try to
    be excessively clever this just implements the minimal and simplest
    workaround for the problem.
    
    Reported-and-tested-by: Dave Jones <davej@redhat.com>
    Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/inode.c

 fs/proc/inode.c |    9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
Author: Vladimir Davydov <vdavydov@parallels.com>
Date:   Fri Mar 22 15:04:51 2013 -0700

    Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
    
    mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
    
    mnt_drop_write() must be called only if mnt_want_write() succeeded,
    otherwise the mnt_writers counter will diverge.
    
    mnt_writers counters are used to check if remounting FS as read-only is
    OK, so after an extra mnt_drop_write() call, it would be impossible to
    remount mqueue FS as read-only.  Besides, on umount a warning would be
    printed like this one:
    
      =====================================
      [ BUG: bad unlock balance detected! ]
      3.9.0-rc3 #5 Not tainted
      -------------------------------------
      a.out/12486 is trying to release lock (sb_writers) at:
      mnt_drop_write+0x1f/0x30
      but there are no more locks to release!
    
    Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
    Cc: Doug Ledford <dledford@redhat.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/mqueue.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 13:02:32 2013 -0400

    Don't use constify plugin if not enabled in config,
    reported by Alexey Vlasov

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3afb82e020593249ac394e9859397c3e0ef5341c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:50:13 2013 -0400

    oded 0day #2
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 20

 drivers/net/ethernet/broadcom/tg3.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:15:50 2013 -0400

    oded 0day #1
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 18

 drivers/net/wireless/zd1211rw/zd_usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:13:12 2013 -0400

    remove warning on accessing this /proc entry, HIDESYM already caught the infoleak

 drivers/gpu/drm/i915/i915_debugfs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 44cb11a9470f72157601d0ad4d572d111f90f504
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 18:11:42 2013 -0400

    use VM_DONTDUMP

 fs/binfmt_elf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:53:09 2013 -0400

    fix recent RLIMIT_AS changes (due to vm_flags typo)
    
    Conflicts:
    
        fs/binfmt_elf.c

 fs/binfmt_elf.c |    2 +-
 mm/mmap.c       |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit fd5f0d92b0fbec02029dad124501a9c80e527a32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:08:48 2013 -0400

    complete_walk drops rcu-walk mode, no need for our own dropping
    method outside of generic_permission

 fs/namei.c |   30 ------------------------------
 1 files changed, 0 insertions(+), 30 deletions(-)

commit b49ab1c73edb6442eec609b26bba4d850b3111b6
Merge: 5e9a707 783ade9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 21:56:28 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 21:55:31 2013 -0400

    Update to pax-linux-3.8.3-test11.patch:
    - rewrote the ASLR gap accounting code once again
    - fixed ptrace compat bug found by the size overflow plugin

 fs/binfmt_elf.c          |   25 ++++++++++++-------------
 fs/exec.c                |    7 ++-----
 include/linux/compat.h   |    2 +-
 include/linux/mm.h       |    5 +++++
 include/linux/mm_types.h |    2 +-
 kernel/ptrace.c          |    2 +-
 mm/mmap.c                |   15 ++++++++++-----
 7 files changed, 32 insertions(+), 26 deletions(-)

commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 19:37:33 2013 -0400

    Make the constify plugin usage actually depend on the introduced config option
    (it was still forced on)

 tools/gcc/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1974b4f58d9d729c80ac1987785446115304a54c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 16:12:38 2013 -0400

    fix failed merge

 arch/arm/mm/fault.c |   15 +++------------
 1 files changed, 3 insertions(+), 12 deletions(-)

commit 675a8ab4a8fe8315df348735a37a302a7535224c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 23:36:14 2013 -0400

    From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
    From: Kees Cook <keescook@chromium.org>
    Date: Sun, 10 Mar 2013 20:09:31 +0000
    Subject: drm/i915: bounds check execbuffer relocation count
    
    It is possible to wrap the counter used to allocate the buffer for
    relocation copies. This could lead to heap writing overflows.
    
    CVE-2013-0913
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Reported-by: Pinkie Pie
    Cc: stable@vger.kernel.org

 drivers/gpu/drm/i915/i915_gem_execbuffer.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:48:10 2013 -0800

    Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
    
    KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
    
    There is a potential use after free issue with the handling of
    MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or removable
    memory such as frame buffers then KVM might continue to write to that
    address even after it's removed via KVM_SET_USER_MEMORY_REGION.  KVM pins
    the page in memory so it's unlikely to cause an issue, but if the user
    space component re-purposes the memory previously used for the guest, then
    the guest will be able to corrupt that memory.
    
    Tested: Tested against kvmclock unit test
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/include/asm/kvm_host.h |    4 +-
 arch/x86/kvm/x86.c              |   47 ++++++++++++++++----------------------
 2 files changed, 22 insertions(+), 29 deletions(-)

commit 0bcac31b57c381001feb69fd6ec8069e61e03432
Author: Andy Honig <ahonig@google.com>
Date:   Mon Mar 11 09:34:52 2013 -0700

    Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
    
    KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
    
    If the guest sets the GPA of the time_page so that the request to update the
    time straddles a page then KVM will write onto an incorrect page.  The
    write is done byusing kmap atomic to get a pointer to the page for the time
    structure and then performing a memcpy to that page starting at an offset
    that the guest controls.  Well behaved guests always provide a 32-byte aligned
    address, however a malicious guest could use this to corrupt host kernel
    memory.
    
    Tested: Tested against kvmclock unit test.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/kvm/x86.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 695c59887e4ec10b0b695ab4f645d1226c433be0
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:49:16 2013 -0800

    Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
    
    KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
    
    If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
    that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
    that request.  ioapic_read_indirect contains an
    ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
    non-debug builds.  In recent kernels this allows a guest to cause a kernel
    oops by reading invalid memory.  In older kernels (pre-3.3) this allows a
    guest to read from large ranges of host memory.
    
    Tested: tested against apic unit tests.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 virt/kvm/ioapic.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
Merge: aec3cd4 c522e3a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 19:38:25 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
Merge: c57d855 405acc3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 19:38:11 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 19:56:04 2013 -0400

    include linux/compiler.h

 include/linux/zlib.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:42:20 2013 -0400

    fix missing sock_release()

 net/irda/af_irda.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit dd65c05cd24faf8946d4941434a553ee285c35a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:36:17 2013 -0400

    fix mpt fusion infoleak

 drivers/message/fusion/mptbase.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:33:45 2013 -0400

    Fix size_overflow false positive reported by slashbeast

 include/linux/zlib.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:35:36 2013 -0400

    fix up failed merge

 arch/arm/mm/fault.c |    9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:34:36 2013 -0400

    update documentation on consequences of building without gcc plugin support

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:18:13 2013 -0400

    fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums

 init/main.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f00195c633f91cfbd8c1f530d2c371b713026e20
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 22:27:33 2013 -0400

    Fix compile error reported by KDE on the forums

 kernel/user_namespace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
Merge: 0949569 c57d855
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 22:20:46 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/mm/fault.c
        arch/x86/mm/fault.c
        fs/exec.c

commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 21:22:03 2013 -0400

    Update to pax-linux-3.8.2-test9.patch:
     arm changes from spender
      - removed userland access to the vectors page
      - removed obsolete sigreturn trampoline handling
      - added emulation for __kuser_get_tls
      - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
    - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
    - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
    - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
    - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
    - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
      and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.

 arch/arm/kernel/process.c                     |    5 +-
 arch/arm/kernel/signal.c                      |   24 +-
 arch/arm/kernel/traps.c                       |    7 -
 arch/arm/mm/alignment.c                       |    8 +
 arch/arm/mm/fault.c                           |   23 +-
 arch/arm/mm/mmu.c                             |    2 +-
 arch/x86/include/asm/bitops.h                 |    2 +-
 arch/x86/include/asm/desc.h                   |    2 +-
 arch/x86/include/asm/div64.h                  |    2 +-
 arch/x86/include/asm/io.h                     |    8 +-
 arch/x86/include/asm/paravirt.h               |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c |   16 +-
 arch/x86/kernel/setup_percpu.c                |    2 +-
 arch/x86/mm/fault.c                           |    4 +-
 arch/x86/mm/numa.c                            |    2 +-
 arch/x86/mm/physaddr.c                        |    4 +-
 drivers/ata/libahci.c                         |    2 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c    |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c       |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c        |    2 +-
 drivers/lguest/page_tables.c                  |    2 +-
 drivers/net/wireless/at76c50x-usb.c           |    2 +-
 drivers/oprofile/oprofile_files.c             |    2 +-
 drivers/power/power_supply_core.c             |    1 +
 drivers/usb/core/message.c                    |    2 +-
 fs/befs/endian.h                              |    4 +-
 fs/binfmt_elf.c                               |    5 +-
 fs/exec.c                                     |    4 +-
 fs/qnx6/qnx6.h                                |    4 +-
 fs/sysv/sysv.h                                |    2 +-
 fs/ubifs/io.c                                 |    2 +-
 fs/ufs/swab.h                                 |    4 +-
 include/linux/compat.h                        |    4 +-
 include/linux/completion.h                    |    6 +-
 include/linux/cpumask.h                       |   12 +-
 include/linux/ctype.h                         |    2 +-
 include/linux/err.h                           |    4 +-
 include/linux/math64.h                        |    6 +-
 include/linux/sched.h                         |    2 +-
 include/linux/unaligned/access_ok.h           |   12 +-
 include/linux/usb.h                           |    2 +-
 include/uapi/linux/byteorder/little_endian.h  |    4 +-
 include/uapi/linux/swab.h                     |    6 +-
 kernel/sched/core.c                           |    6 +-
 kernel/signal.c                               |    3 +
 kernel/time.c                                 |    2 +-
 kernel/timer.c                                |    2 +-
 lib/div64.c                                   |    4 +-
 mm/page-writeback.c                           |    2 +-
 net/socket.c                                  |    2 +
 scripts/package/builddeb                      |    1 +
 tools/gcc/size_overflow_hash.data             | 8869 +++++++++++++++----------
 tools/gcc/size_overflow_plugin.c              | 1072 ++--
 53 files changed, 6227 insertions(+), 3951 deletions(-)

commit 09495691bb31f11ec14d9127429f9a0f3f716f22
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:51:50 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit deb85b00d0f9f886e264e116313f298401ec5c59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:03:33 2013 -0400

    Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
    with a subject applied to it with RES_CPU.  Otherwise, the limit will only
    begin to be applied at fork time.
    
    Thanks to Bjornar Ness for the report.

 grsecurity/gracl.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 2126421f123513f604ceef2b23ba9ed516de7e58
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:07:43 2013 -0400

    Move inode auditing prior to our refcnt dropping

 fs/namei.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:00:30 2013 -0400

    Drop reference on completed path walked in RCU mode or when violating
    the chroot fchdir check inside a chroot -- possible culprit for a reported
    vfsmount_lock hang during unmount

 fs/namei.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 16:43:45 2013 -0400

    add user_arg_ptr back to exec.c

 fs/exec.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 11:22:36 2013 -0400

    Don't globally include compat.h -- with the new X32 support it
    changes some definitions involving ELF binaries resulting in invalid
    coredumps, as reported by KDE on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
    Thanks to the PaX Team for debugging

 fs/exec.c                  |    3 +++
 grsecurity/grsec_exec.c    |   13 +++++++++++++
 include/linux/grsecurity.h |   15 ---------------
 3 files changed, 16 insertions(+), 15 deletions(-)

commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:59:26 2013 -0400

    Add peer information to /proc/net/unix from Kenan Kalajdzic:
    http://marc.info/?l=linux-netdev&m=126745636809191&w=2
    
    We use a "P" prefix to the inode number instead of "peer=".  This
    additional information can be used, for instance, to find what processes
    are connected to MySQL's unix domain socket.

 net/unix/af_unix.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 1cd623d11a462d151ea8a5cace4521e1724911a3
Author: Oliver Neukum <oneukum@suse.de>
Date:   Tue Mar 12 14:52:42 2013 +0100

    Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
    
    USB: cdc-wdm: fix buffer overflow
    
    The buffer for responses must not overflow.
    If this would happen, set a flag, drop the data and return
    an error after user space has read all remaining data.
    
    Signed-off-by: Oliver Neukum <oliver@neukum.org>
    CC: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/usb/class/cdc-wdm.c |   23 ++++++++++++++++++++---
 1 files changed, 20 insertions(+), 3 deletions(-)

commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
Merge: 9cdf9bc db4cb92
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:23:14 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/keys/compat.c

commit db4cb924546e3fec3a59f78d056f48176eaf7100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:22:24 2013 -0400

    Update to pax-linux-3.8.2-test8.patch

 arch/arm/include/asm/cache.h                |    2 ++
 arch/arm/mach-omap2/gpmc.c                  |   22 ++++++++++++----------
 arch/arm/mach-omap2/omap_device.c           |    4 ++--
 arch/arm/mach-omap2/omap_device.h           |    4 ++--
 arch/arm/plat-orion/include/plat/addr-map.h |    2 +-
 5 files changed, 19 insertions(+), 15 deletions(-)

commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
Merge: 3c865f9 1a45c31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:20:54 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/arm/include/asm/delay.h
        arch/arm/include/asm/pgtable.h
        arch/arm/lib/delay.c
        security/keys/compat.c

commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Tue Mar 12 02:59:49 2013 +0000

    Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
    
    vfs: fix pipe counter breakage
    
    If you open a pipe for neither read nor write, the pipe code will not
    add any usage counters to the pipe, causing the 'struct pipe_inode_info"
    to be potentially released early.
    
    That doesn't normally matter, since you cannot actually use the pipe,
    but the pipe release code - particularly fasync handling - still expects
    the actual pipe infrastructure to all be there.  And rather than adding
    NULL pointer checks, let's just disallow this case, the same way we
    already do for the named pipe ("fifo") case.
    
    This is ancient going back to pre-2.4 days, and until trinity, nobody
    naver noticed.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/pipe.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date:   Mon Feb 25 10:20:36 2013 -0500

    Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
    
    Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
    
    Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
    compat_process_vm_rw() shows that the compatibility code requires an
    explicit "access_ok()" check before calling
    compat_rw_copy_check_uvector(). The same difference seems to appear when
    we compare fs/read_write.c:do_readv_writev() to
    fs/compat.c:compat_do_readv_writev().
    
    This subtle difference between the compat and non-compat requirements
    should probably be debated, as it seems to be error-prone. In fact,
    there are two others sites that use this function in the Linux kernel,
    and they both seem to get it wrong:
    
    Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
    also ends up calling compat_rw_copy_check_uvector() through
    aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
    be missing. Same situation for
    security/keys/compat.c:compat_keyctl_instantiate_key_iov().
    
    I propose that we add the access_ok() check directly into
    compat_rw_copy_check_uvector(), so callers don't have to worry about it,
    and it therefore makes the compat call code similar to its non-compat
    counterpart. Place the access_ok() check in the same location where
    copy_from_user() can trigger a -EFAULT error in the non-compat code, so
    the ABI behaviors are alike on both compat and non-compat.
    
    While we are here, fix compat_do_readv_writev() so it checks for
    compat_rw_copy_check_uvector() negative return values.
    
    And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
    handling.
    
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        security/keys/compat.c

 fs/compat.c            |   15 +++++++--------
 mm/process_vm_access.c |    8 --------
 security/keys/compat.c |    3 ++-
 3 files changed, 9 insertions(+), 17 deletions(-)

commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 11 18:38:38 2013 -0400

    Fix leak of signal handler addresses across execve, found by Emese Revfy

 kernel/signal.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 79b130c4b11c7940daf2b33d653a17666331c634
Merge: 6480ce9 3c865f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 20:04:03 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 20:03:12 2013 -0400

    Update to pax-linux-3.8.2-test7.patch:
    - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
    - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)

 fs/binfmt_elf.c                   |    3 ++-
 fs/exec.c                         |    3 +++
 include/linux/mm_types.h          |    2 +-
 init/main.c                       |    4 ++--
 mm/mmap.c                         |    2 +-
 mm/page_alloc.c                   |    4 ++--
 tools/gcc/latent_entropy_plugin.c |   11 +++++++----
 7 files changed, 18 insertions(+), 11 deletions(-)

commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
Merge: 4a5305e 25b3569
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 10:41:16 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 25b356980568bed9958315bb5a551fdc610055ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 10:40:48 2013 -0400

    Update to pax-linux-3.8.2-test6.patch:
    - fixed a KERNEXEC false positive on arm reported by Gu1
    - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
    - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
    - added fix from spender for some namespace breakage reported by zakalwe
    - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot

 Documentation/kernel-parameters.txt |    5 +++++
 arch/arm/kernel/patch.c             |    2 ++
 arch/x86/kernel/sys_i386_32.c       |    5 +++--
 drivers/acpi/blacklist.c            |    2 +-
 drivers/video/aty/mach64_cursor.c   |    1 +
 init/main.c                         |    4 ----
 mm/page_alloc.c                     |   27 +++++++++++++++++++++++++++
 net/ipv4/ip_fragment.c              |    2 +-
 security/Kconfig                    |    5 +++++
 tools/gcc/latent_entropy_plugin.c   |    7 +++++--
 10 files changed, 50 insertions(+), 10 deletions(-)

commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 11:19:06 2013 -0500

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
            Stephen Hemminger <stephen@networkplumber.org>
    Subject: [PATCH 1/3] bridge: fix mdb info leaks
    Date: Sat,  9 Mar 2013 16:52:19 +0100
    
    The bridging code discloses heap and stack bytes via the RTM_GETMDB
    netlink interface and via the notify messages send to group RTNLGRP_MDB
    afer a successful add/del.
    
    Fix both cases by initializing all unset members/padding bytes with
    memset(0).
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
    Date: Sat,  9 Mar 2013 16:52:20 +0100
    
    Initialize the mac address buffer with 0 as the driver specific function
    will probably not fill the whole buffer. In fact, all in-kernel drivers
    fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
    bytes. Therefore we currently leak 26 bytes of stack memory to userland
    via the netlink interface.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
    Date: Sat,  9 Mar 2013 16:52:21 +0100
    
    The dcb netlink interface leaks stack memory in various places:
    * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
      copied completely,
    * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
      so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
      for ieee_pfc structs, etc.,
    * the same is true for CEE -- no in-kernel driver fills the whole
      struct,
    
    Prevent all of the above stack info leaks by properly initializing the
    buffers/structures involved.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/bridge/br_mdb.c  |    4 ++++
 net/core/rtnetlink.c |    1 +
 net/dcb/dcbnl.c      |    8 ++++++++
 3 files changed, 13 insertions(+), 0 deletions(-)

commit 601dd446f896e3a362f706943df18a68d50420a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 09:35:25 2013 -0500

    add open/close wrappers in __patch_text() as reported by Gu1 on IRC

 arch/arm/kernel/patch.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ae39966fd85a493e9079b357e3faa62245a41222
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Fri Mar 8 12:43:27 2013 -0800

    Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
    
    ipc: don't allocate a copy larger than max
    
    When MSG_COPY is set, a duplicate message must be allocated for the copy
    before locking the queue.  However, the copy could not be larger than was
    sent which is limited to msg_ctlmax.
    
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msg.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 61240e99650ea3e540a03a3e994349c5086f166b
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Fri Mar 8 12:43:26 2013 -0800

    Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
    
    ipc: fix potential oops when src msg > 4k w/ MSG_COPY
    
    If the src msg is > 4k, then dest->next points to the
    next allocated segment; resetting it just prior to dereferencing
    is bad.
    
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msgutil.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 51727f602a267f34fb2e0dc9557f1714028d51a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 22:14:06 2013 -0500

    add missing 'else' in recent constify fixups

 net/ipv4/ip_fragment.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
Merge: 1580bb3 47c3f47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:18:37 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:17:22 2013 -0500

    Update to pax-linux-3.8.2-test5.patch:
    - fixed some fallout after the last round of constification changes, reported by several people

 arch/arm/common/gic.c                   |    4 ++--
 arch/arm/include/asm/hardware/gic.h     |    3 ++-
 arch/x86/include/asm/nmi.h              |    2 +-
 arch/x86/kernel/nmi.c                   |    2 +-
 arch/x86/pci/irq.c                      |    2 +-
 drivers/base/power/domain.c             |    4 ++--
 drivers/cpufreq/cpufreq_governor.c      |    4 ++--
 drivers/mfd/twl4030-irq.c               |    1 +
 drivers/video/vesafb.c                  |    7 +++++--
 include/linux/irq.h                     |    1 +
 include/linux/pm_domain.h               |    2 +-
 kernel/sched/core.c                     |    4 ++++
 lib/Kconfig.debug                       |    4 ++--
 net/core/sysctl_net_core.c              |    2 +-
 net/decnet/af_decnet.c                  |    1 +
 net/ipv4/devinet.c                      |    2 +-
 net/ipv4/ip_fragment.c                  |    2 +-
 net/ipv4/route.c                        |    2 +-
 net/ipv4/sysctl_net_ipv4.c              |    2 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c |    2 +-
 net/ipv6/reassembly.c                   |    2 +-
 scripts/sortextable.h                   |    6 +++---
 22 files changed, 36 insertions(+), 25 deletions(-)

commit 1580bb38b4db0bf2a46316599815e8b234edad81
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 22:02:59 2013 -0500

    add an additional open/close wrapper

 kernel/sched/core.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 21622672d28d58e0d93a805cd1f9650a894a752a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 21:58:24 2013 -0500

    fix oops at shutdown with new constify code

 kernel/sched/core.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 21:18:44 2013 -0500

    Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
    it currently conflicts with some lock debugging options, so made as an
    option to allow for debugging when necessary

 Makefile          |    2 --
 lib/Kconfig.debug |    6 +++---
 security/Kconfig  |   18 ++++++++++++++++++
 3 files changed, 21 insertions(+), 5 deletions(-)

commit 0885b00b8373a1597b69c38032a0c9eee279303b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:55:19 2013 -0500

    disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify

 lib/Kconfig.debug |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c8a2617165e7127a54f293cbf57d22d50dd83abd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:30:41 2013 -0500

    Fix error:
    drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
    with cast and proper kernexec accessors

 drivers/video/vesafb.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:20:28 2013 -0500

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:12:17 2013 -0500

    fix compilation error -- no reason for task_pid_nr to not take a const task ptr

 include/linux/sched.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
Author: Kees Cook <keescook@chromium.org>
Date:   Mon Feb 25 21:32:25 2013 +0000

    Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
    
    proc connector: reject unprivileged listener bumps
    
    While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
    for an unprivileged user to turn off notifications for all listeners by
    sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
    required for a multicast bind.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Evgeniy Polyakov <zbr@ioremap.net>
    Cc: Matt Helsley <matthltc@us.ibm.com>
    Cc: stable@vger.kernel.org
    Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
    Acked-by: Matt Helsley <matthltc@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/connector/cn_proc.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit ac6014ded57101e3e608941555ff507e20c1ece3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Feb 26 19:15:02 2013 +0000

    Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
    
    irda: small read beyond end of array in debug code
    
    charset comes from skb->data.  It's a number in the 0-255 range.
    If we have debugging turned on then this could cause a read beyond
    the end of the array.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/iriap.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Wed Feb 27 10:57:31 2013 +0000

    Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
    
    net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
    
    Building sctp may fail with:
    
    In function ‘copy_from_user’,
        inlined from ‘sctp_getsockopt_assoc_stats’ at
        net/sctp/socket.c:5656:20:
    arch/x86/include/asm/uaccess_32.h:211:26: error: call to
        ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
        buffer size is not provably correct
    
    if built with W=1 due to a missing parameter size validation
    before the call to copy_from_user.
    
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Fri Mar 1 05:02:02 2013 +0000

    Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
    
    l2tp: Restore socket refcount when sendmsg succeeds
    
    The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
    reference counter after successful transmissions. Any successful
    sendmsg() call from userspace will then increase the reference counter
    forever, thus preventing the kernel's session and tunnel data from
    being freed later on.
    
    The problem only happens when writing directly on L2TP sockets.
    PPP sockets attached to L2TP are unaffected as the PPP subsystem
    uses pppol2tp_xmit() which symmetrically increase/decrease reference
    counters.
    
    This patch adds the missing call to sock_put() before returning from
    pppol2tp_sendmsg().
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:18:11 2013 +0000

    Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
    
    rds: limit the size allocated by rds_message_alloc()
    
    Dave Jones reported the following bug:
    
    "When fed mangled socket data, rds will trust what userspace gives it,
    and tries to allocate enormous amounts of memory larger than what
    kmalloc can satisfy."
    
    WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
    Hardware name: GA-MA78GM-S2H
    Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
    Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
    Call Trace:
     [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
     [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
     [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
     [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
     [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
     [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
     [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
     [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
     [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
     [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
     [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
     [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
     [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
     [<ffffffff81567f30>] sys_sendto+0x130/0x180
     [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
     [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
     [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
     [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
     [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
     [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
    ---[ end trace eed6ae990d018c8b ]---
    
    Reported-by: Dave Jones <davej@redhat.com>
    Cc: Dave Jones <davej@redhat.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/message.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:28:27 2013 +0000

    Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
    
    sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
    
    Don't definite its own MAX_KMALLOC_SIZE, use the one
    defined in mm.
    
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Cc: Sridhar Samudrala <sri@us.ibm.com>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/ssnmap.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit 4295a024e812f903fc580c81de5e81cc149503fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:57:49 2013 -0500

    Upstream commit: https://lkml.org/lkml/2013/3/6/535

 security/keys/process_keys.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 33edd486a9899a145a15586d7134636b0300aaee
Merge: 4eeeaf3 a2a2094
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:53:00 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/include/asm/domain.h

commit a2a20947f5e1332e474160a39af520738b3c8c19
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:51:04 2013 -0500

    Update to pax-linux-3.8.2-test4.patch:
     fixed arm compilation problems reported by Michael Tremer
    - the constify plugin got smarter that enabled, with some additional patching,
      the elimination of about half the static function pointers on amd64/allmod
      (up from about 18%), depending on the kernel config it can be even more (70%)

 Documentation/dontdiff                        |    2 +
 arch/arm/include/asm/domain.h                 |    1 +
 arch/x86/include/asm/i8259.h                  |    2 +-
 arch/x86/include/asm/nmi.h                    |    4 +-
 arch/x86/kernel/acpi/boot.c                   |    4 +-
 arch/x86/kernel/apic/apic_noop.c              |    2 +-
 arch/x86/kernel/apic/es7000_32.c              |    2 +-
 arch/x86/kernel/apic/io_apic.c                |   10 +-
 arch/x86/kernel/cpu/mcheck/mce.c              |    2 +-
 arch/x86/kernel/cpu/perf_event.c              |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h |    2 +-
 arch/x86/kernel/i8259.c                       |    6 +-
 arch/x86/kernel/io_delay.c                    |    2 +-
 arch/x86/kernel/nmi.c                         |    6 +-
 arch/x86/kernel/nmi_selftest.c                |    4 +-
 arch/x86/kernel/pci-swiotlb.c                 |    2 +-
 arch/x86/oprofile/nmi_int.c                   |    8 +-
 arch/x86/oprofile/op_model_amd.c              |    8 +-
 arch/x86/oprofile/op_model_ppro.c             |    7 +-
 arch/x86/oprofile/op_x86_model.h              |    2 +-
 arch/x86/pci/irq.c                            |    6 +-
 drivers/acpi/apei/apei-internal.h             |    2 +-
 drivers/acpi/bgrt.c                           |    6 +-
 drivers/acpi/blacklist.c                      |    2 +-
 drivers/acpi/processor_idle.c                 |    2 +-
 drivers/acpi/sysfs.c                          |    4 +-
 drivers/base/bus.c                            |    4 +-
 drivers/base/node.c                           |    2 +-
 drivers/base/syscore.c                        |    4 +-
 drivers/block/drbd/drbd_receiver.c            |    4 +-
 drivers/char/random.c                         |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                |   20 ++-
 drivers/cpufreq/cpufreq.c                     |    7 +-
 drivers/cpufreq/cpufreq_governor.c            |    4 +-
 drivers/cpufreq/cpufreq_governor.h            |    2 +-
 drivers/cpufreq/p4-clockmod.c                 |   12 +-
 drivers/cpufreq/speedstep-centrino.c          |    7 +-
 drivers/cpuidle/cpuidle.c                     |    2 +-
 drivers/cpuidle/governor.c                    |    4 +-
 drivers/cpuidle/sysfs.c                       |    2 +-
 drivers/devfreq/devfreq.c                     |    4 +-
 drivers/edac/edac_mc_sysfs.c                  |    2 +-
 drivers/edac/edac_pci_sysfs.c                 |    2 +-
 drivers/firewire/core-device.c                |    2 +-
 drivers/firmware/dmi-id.c                     |    2 +-
 drivers/firmware/efivars.c                    |    2 +-
 drivers/firmware/google/memconsole.c          |    4 +-
 drivers/gpio/gpio-ich.c                       |    2 +-
 drivers/gpu/drm/drm_drv.c                     |    2 +-
 drivers/gpu/drm/drm_ioc32.c                   |    9 +-
 drivers/gpu/drm/i915/i915_ioc32.c             |   11 +-
 drivers/gpu/drm/i915/intel_display.c          |   26 ++-
 drivers/gpu/drm/mga/mga_ioc32.c               |   11 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c       |    2 +-
 drivers/gpu/drm/r128/r128_ioc32.c             |   11 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c         |   11 +-
 drivers/gpu/drm/radeon/radeon_ttm.c           |   33 ++--
 drivers/gpu/drm/udl/udl_fb.c                  |    1 -
 drivers/hwmon/acpi_power_meter.c              |    4 +-
 drivers/hwmon/applesmc.c                      |    2 +-
 drivers/hwmon/asus_atk0110.c                  |   10 +-
 drivers/hwmon/ibmaem.c                        |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c              |    2 +-
 drivers/iio/industrialio-core.c               |    2 +-
 drivers/input/mouse/psmouse.h                 |    2 +-
 drivers/iommu/iommu.c                         |    2 +-
 drivers/leds/leds-clevo-mail.c                |    2 +-
 drivers/leds/leds-ss4200.c                    |    2 +-
 drivers/media/v4l2-core/v4l2-ioctl.c          |    5 +-
 drivers/mfd/twl4030-irq.c                     |    8 +-
 drivers/mfd/twl6030-irq.c                     |   10 +-
 drivers/misc/c2port/core.c                    |    4 +-
 drivers/mtd/sm_ftl.c                          |    2 +-
 drivers/net/bonding/bond_main.c               |    2 +-
 drivers/net/macvlan.c                         |   16 +-
 drivers/net/vxlan.c                           |    2 +-
 drivers/pci/hotplug/acpiphp_ibm.c             |    4 +-
 drivers/pci/hotplug/pci_hotplug_core.c        |    6 +-
 drivers/pci/hotplug/pciehp_core.c             |    2 +-
 drivers/pci/pci-sysfs.c                       |    6 +-
 drivers/pci/pci.h                             |    2 +-
 drivers/platform/x86/msi-laptop.c             |   14 +-
 drivers/platform/x86/sony-laptop.c            |    2 +-
 drivers/power/power_supply.h                  |    4 +-
 drivers/power/power_supply_core.c             |    6 +-
 drivers/power/power_supply_sysfs.c            |    6 +-
 drivers/rtc/rtc-cmos.c                        |    4 +-
 drivers/rtc/rtc-ds1307.c                      |    2 +-
 drivers/rtc/rtc-m48t59.c                      |    4 +-
 drivers/scsi/bfa/bfa.h                        |    2 +-
 drivers/staging/iio/iio_hwmon.c               |    2 +-
 drivers/usb/storage/usb.h                     |    2 +-
 drivers/video/aty/atyfb_base.c                |    8 +-
 drivers/video/aty/mach64_cursor.c             |    4 +-
 drivers/video/backlight/kb3886_bl.c           |    2 +-
 drivers/video/fb_defio.c                      |    6 +-
 drivers/video/mb862xx/mb862xxfb_accel.c       |   16 +-
 drivers/video/nvidia/nvidia.c                 |   27 ++-
 drivers/video/s1d13xxxfb.c                    |    6 +-
 drivers/video/smscufx.c                       |    4 +-
 drivers/video/udlfb.c                         |    4 +-
 drivers/video/uvesafb.c                       |   14 +-
 fs/exec.c                                     |    6 +-
 fs/ext4/super.c                               |    2 +-
 fs/jfs/super.c                                |    4 +-
 fs/nfs/callback_xdr.c                         |    2 +-
 fs/nfsd/nfs4proc.c                            |    2 +-
 fs/nfsd/nfs4xdr.c                             |    6 +-
 fs/nls/nls_base.c                             |   18 +-
 fs/nls/nls_euc-jp.c                           |    6 +-
 fs/nls/nls_koi8-ru.c                          |    6 +-
 fs/proc/proc_sysctl.c                         |   18 +-
 include/drm/drmP.h                            |   12 +-
 include/keys/asymmetric-subtype.h             |    2 +-
 include/linux/atmdev.h                        |    2 +-
 include/linux/binfmts.h                       |    2 +-
 include/linux/configfs.h                      |    2 +-
 include/linux/cpufreq.h                       |    3 +-
 include/linux/cpuidle.h                       |    5 +-
 include/linux/devfreq.h                       |    2 +-
 include/linux/device.h                        |    7 +-
 include/linux/extcon.h                        |    2 +-
 include/linux/fb.h                            |    2 +-
 include/linux/fscache.h                       |    2 +-
 include/linux/genl_magic_func.h               |    2 +-
 include/linux/hwmon-sysfs.h                   |    5 +-
 include/linux/iommu.h                         |    2 +-
 include/linux/irq.h                           |    2 +-
 include/linux/key-type.h                      |    2 +-
 include/linux/kobject.h                       |    1 +
 include/linux/kobject_ns.h                    |    2 +-
 include/linux/list.h                          |   14 +-
 include/linux/mod_devicetable.h               |    2 +-
 include/linux/module.h                        |    5 +-
 include/linux/net.h                           |    2 +-
 include/linux/netfilter.h                     |    2 +-
 include/linux/nls.h                           |    2 +-
 include/linux/pci_hotplug.h                   |    3 +-
 include/linux/platform_data/usb-exynos.h      |    2 +-
 include/linux/pnp.h                           |    2 +-
 include/linux/ppp-comp.h                      |    2 +-
 include/linux/rculist.h                       |   16 ++
 include/linux/sched.h                         |    2 +-
 include/linux/sock_diag.h                     |    2 +-
 include/linux/sunrpc/clnt.h                   |    2 +-
 include/linux/sunrpc/svc.h                    |    2 +-
 include/linux/sunrpc/svcauth.h                |    2 +-
 include/linux/swiotlb.h                       |    3 +-
 include/linux/syscore_ops.h                   |    2 +-
 include/linux/sysctl.h                        |    6 +-
 include/linux/sysfs.h                         |   10 +-
 include/linux/sysrq.h                         |    1 +
 include/linux/xattr.h                         |    2 +-
 include/net/9p/transport.h                    |    2 +-
 include/net/bluetooth/l2cap.h                 |    2 +-
 include/net/genetlink.h                       |    2 +-
 include/net/ip.h                              |    2 +-
 include/net/ip_vs.h                           |    4 +-
 include/net/llc_c_ac.h                        |    2 +-
 include/net/llc_c_ev.h                        |    4 +-
 include/net/llc_c_st.h                        |    2 +-
 include/net/llc_s_ac.h                        |    2 +-
 include/net/llc_s_st.h                        |    2 +-
 include/net/mac80211.h                        |    2 +-
 include/net/net_namespace.h                   |    2 +-
 include/net/netns/conntrack.h                 |    6 +-
 include/net/rtnetlink.h                       |    2 +-
 include/net/sctp/sm.h                         |    4 +-
 include/net/sctp/structs.h                    |    2 +-
 include/net/xfrm.h                            |    4 +-
 ipc/ipc_sysctl.c                              |   10 +-
 ipc/mq_sysctl.c                               |    2 +-
 kernel/kmod.c                                 |    2 +-
 kernel/ksysfs.c                               |    2 +-
 kernel/module.c                               |    4 +-
 kernel/pid_namespace.c                        |    2 +-
 kernel/rcutree_plugin.h                       |    2 +-
 kernel/sched/core.c                           |   39 ++--
 kernel/smpboot.c                              |    4 +-
 kernel/softirq.c                              |    2 +-
 kernel/sysctl.c                               |    2 +-
 kernel/utsname_sysctl.c                       |    2 +-
 kernel/watchdog.c                             |    2 +-
 lib/Kconfig.debug                             |    2 +-
 lib/kobject.c                                 |    4 +-
 lib/list_debug.c                              |   57 ++++-
 lib/swiotlb.c                                 |    2 +-
 mm/hugetlb.c                                  |   16 +-
 mm/memory-failure.c                           |    2 +-
 mm/slab_common.c                              |    2 +-
 net/9p/mod.c                                  |    4 +-
 net/ax25/sysctl_net_ax25.c                    |    2 +-
 net/core/neighbour.c                          |    2 +-
 net/core/net-sysfs.c                          |    2 +-
 net/core/net_namespace.c                      |    8 +-
 net/core/rtnetlink.c                          |   11 +-
 net/core/sock_diag.c                          |    9 +-
 net/core/sysctl_net_core.c                    |   15 +-
 net/ipv4/af_inet.c                            |    8 +-
 net/ipv4/devinet.c                            |   12 +-
 net/ipv4/inet_connection_sock.c               |    2 +-
 net/ipv4/ip_fragment.c                        |    9 +-
 net/ipv4/ip_gre.c                             |    6 +-
 net/ipv4/ip_vti.c                             |    4 +-
 net/ipv4/ipip.c                               |    4 +-
 net/ipv4/route.c                              |   14 +-
 net/ipv4/sysctl_net_ipv4.c                    |   43 ++--
 net/ipv6/addrconf.c                           |    4 +-
 net/ipv6/icmp.c                               |    2 +-
 net/ipv6/ip6_gre.c                            |    6 +-
 net/ipv6/ip6_tunnel.c                         |    4 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c       |   12 +-
 net/ipv6/reassembly.c                         |   11 +-
 net/ipv6/route.c                              |    2 +-
 net/ipv6/sit.c                                |    4 +-
 net/ipv6/sysctl_net_ipv6.c                    |    2 +-
 net/netfilter/ipset/ip_set_core.c             |    2 +-
 net/netfilter/ipvs/ip_vs_ctl.c                |    4 +-
 net/netfilter/ipvs/ip_vs_lblc.c               |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c              |    2 +-
 net/netfilter/nf_conntrack_acct.c             |    2 +-
 net/netfilter/nf_conntrack_ecache.c           |    2 +-
 net/netfilter/nf_conntrack_helper.c           |    2 +-
 net/netfilter/nf_conntrack_proto.c            |    2 +-
 net/netfilter/nf_conntrack_standalone.c       |    2 +-
 net/netfilter/nf_conntrack_timestamp.c        |    2 +-
 net/netfilter/nf_log.c                        |   10 +-
 net/netfilter/nf_sockopt.c                    |    4 +-
 net/netlink/genetlink.c                       |   16 +-
 net/phonet/sysctl.c                           |    2 +-
 net/rds/rds.h                                 |    2 +-
 net/sctp/ipv6.c                               |    6 +-
 net/sctp/protocol.c                           |   10 +-
 net/sctp/sm_sideeffect.c                      |    2 +-
 net/sctp/sysctl.c                             |    4 +-
 net/sunrpc/clnt.c                             |    4 +-
 net/sunrpc/svc.c                              |    4 +-
 net/unix/sysctl_net_unix.c                    |    2 +-
 net/xfrm/xfrm_policy.c                        |   11 +-
 net/xfrm/xfrm_state.c                         |   29 ++-
 net/xfrm/xfrm_sysctl.c                        |    2 +-
 security/apparmor/lsm.c                       |    2 +-
 security/keys/key.c                           |   18 +-
 security/yama/yama_lsm.c                      |   22 +-
 tools/gcc/Makefile                            |    4 +-
 tools/gcc/constify_plugin.c                   |  299 +++++++++++++++++++------
 tools/gcc/size_overflow_plugin.c              |    7 +-
 248 files changed, 994 insertions(+), 668 deletions(-)

commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:58:21 2013 -0500

    Make slab_state __read_only, it's only written to during init

 mm/slab_common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:31:35 2013 -0500

    Make two new helper functions:
    gr_is_global_root() and gr_is_global_nonroot()

 grsecurity/gracl.c      |   10 +++++-----
 grsecurity/gracl_segv.c |    2 +-
 grsecurity/grsec_link.c |    4 ++--
 grsecurity/grsec_sig.c  |   10 +++++-----
 grsecurity/grsec_tpe.c  |    6 +++---
 include/linux/uidgid.h  |    2 ++
 6 files changed, 18 insertions(+), 16 deletions(-)

commit d45d88eddd4998b280b1e5b5384289ee11ca7088
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:14:41 2013 -0500

    convert remaining task->pid to task_pid_nr(task)

 grsecurity/gracl.c        |   22 +++++++++++-----------
 grsecurity/gracl_shm.c    |    2 +-
 grsecurity/grsec_chroot.c |    4 ++--
 grsecurity/grsec_sig.c    |    4 ++--
 4 files changed, 16 insertions(+), 16 deletions(-)

commit c877f2ece03ee2232dd281c1977ae59507297124
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 5 17:29:54 2013 -0500

    compat-log is only used anymore by vm86-on-64bit and allows unlimited
    spamming of the kernel log buffer (and since it includes the changable
    process name, can avoid syslog log deduplication)
    Turn it off by default

 fs/compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7c1964c4b7276889d7967bee70e46918cdca1b14
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 4 17:19:10 2013 -0500

    fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
    is enabled, introduced with recent userns support

 init/main.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 18:46:12 2013 -0500

    Prevent TOMOYO from auto-loading modules by unprivileged users
    (Only reachable if TOMOYO is actually used)

 security/tomoyo/mount.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 79e142f9455b398759ff9d93d4963a21b98dddda
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 18:28:45 2013 -0500

    For now, don't permit any special access to /proc in a user namespace
    Later we can go back and allow a userns-uid0 special access to a /proc
    with a non-global pid namespace

 fs/proc/base.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8b91fb393049ce5f3c0a86f62247409853fd9700
Merge: d931eb8 603ef05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:42:09 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:41:31 2013 -0500

    Fix compilation error on ARM reported by Michael Tremer

 arch/arm/mach-omap2/wd_timer.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b4c9ce81fdd7839a150c97873c710c479e788280
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:39:53 2013 -0500

    Fix compilation error on ARM reported by Michael Tremer

 arch/arm/kernel/armksyms.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d931eb81ab3da46896268fd61373a6aa7bbea930
Merge: bfa7f44 5948f93
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:34:36 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
Merge: ab30472 19b00d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:34:08 2013 -0500

    Merge branch 'linux-3.8.y' into pax-test

commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 15:12:12 2013 -0500

    Initial support for user namespaces, as we previously didn't allow
    the option to be enabled at all.
    
    RBAC will act on the global uids/gids only, so all uids/gids in user
    namespaces will be converted
    
    Because Eric Biederman is insulted that I didn't support his
    backdoor prior to it receiving proper review.  I still have the CAP_SYS_ADMIN
    check in for user namespaces, so this is generally irrelevant.

 fs/exec.c                   |    6 +-
 fs/proc/base.c              |    2 +-
 fs/proc/proc_net.c          |    4 +-
 grsecurity/gracl.c          |  128 +++++++++++++++++++++++++++++-------------
 grsecurity/gracl_cap.c      |    4 +-
 grsecurity/gracl_ip.c       |   16 +++---
 grsecurity/gracl_segv.c     |   12 +++-
 grsecurity/gracl_shm.c      |    4 +-
 grsecurity/grsec_disabled.c |   10 ++--
 grsecurity/grsec_fifo.c     |    6 +-
 grsecurity/grsec_init.c     |   24 ++++----
 grsecurity/grsec_log.c      |    3 -
 grsecurity/grsec_tpe.c      |    6 +-
 include/linux/grinternal.h  |   12 ++--
 include/linux/grsecurity.h  |   12 ++--
 include/linux/uidgid.h      |    3 +
 init/Kconfig                |    2 -
 ipc/shm.c                   |    2 +-
 kernel/cred.c               |    5 +-
 kernel/kallsyms.c           |    2 +-
 kernel/kmod.c               |    6 +-
 kernel/sys.c                |   12 ++--
 22 files changed, 166 insertions(+), 115 deletions(-)

commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Feb 27 08:36:04 2013 -0800

    Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
    
    mm: do not grow the stack vma just because of an overrun on preceding vma
    
    The stack vma is designed to grow automatically (marked with VM_GROWSUP
    or VM_GROWSDOWN depending on architecture) when an access is made beyond
    the existing boundary.  However, particularly if you have not limited
    your stack at all ("ulimit -s unlimited"), this can cause the stack to
    grow even if the access was really just one past *another* segment.
    
    And that's wrong, especially since we first grow the segment, but then
    immediately later enforce the stack guard page on the last page of the
    segment.  So _despite_ first growing the stack segment as a result of
    the access, the kernel will then make the access cause a SIGSEGV anyway!
    
    So do the same logic as the guard page check does, and consider an
    access to within one page of the next segment to be a bad access, rather
    than growing the stack to abut the next segment.
    
    Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c |   27 +++++++++++++++++++++++++++
 1 files changed, 27 insertions(+), 0 deletions(-)

commit 5596211af754867ca825f58e6e0300a8439950fe
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Wed Feb 27 12:46:40 2013 -0800

    Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
    
    x86: Make sure we can boot in the case the BDA contains pure garbage
    
    On non-BIOS platforms it is possible that the BIOS data area contains
    garbage instead of being zeroed or something equivalent (firmware
    people: we are talking of 1.5K here, so please do the sane thing.)
    
    We need on the order of 20-30K of low memory in order to boot, which
    may grow up to < 64K in the future.  We probably want to avoid the
    lowest of the low memory.  At the same time, it seems extremely
    unlikely that a legitimate EBDA would ever reach down to the 128K
    (which would require it to be over half a megabyte in size.)  Thus,
    pick 128K as the cutoff for "this is insane, ignore."  We may still
    end up reserving a bunch of extra memory on the low megabyte, but that
    is not really a major issue these days.  In the worst case we lose
    512K of RAM.
    
    This code really should be merged with trim_bios_range() in
    arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
    window.
    
    Reported-by: Darren Hart <dvhart@linux.intel.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: Matt Fleming <matt.fleming@intel.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org

 arch/x86/kernel/head.c |   53 ++++++++++++++++++++++++++++++-----------------
 1 files changed, 34 insertions(+), 19 deletions(-)

commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Feb 27 17:05:46 2013 -0800

    Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
    
    memstick: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to found this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Maxim Levitsky <maximlevitsky@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/memstick/host/r592.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Feb 27 17:05:21 2013 -0800

    Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
    
    sysctl: fix null checking in bin_dn_node_address()
    
    The null check of `strchr() + 1' is broken, which is always non-null,
    leading to OOB read.  Instead, check the result of strchr().
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sysctl_binary.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 7ca96db0817416fd40761e7437d1939fc0731380
Author: Tejun Heo <tj@kernel.org>
Date:   Wed Feb 27 17:03:34 2013 -0800

    Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
    
    idr: fix a subtle bug in idr_get_next()
    
    The iteration logic of idr_get_next() is borrowed mostly verbatim from
    idr_for_each().  It walks down the tree looking for the slot matching
    the current ID.  If the matching slot is not found, the ID is
    incremented by the distance of single slot at the given level and
    repeats.
    
    The implementation assumes that during the whole iteration id is aligned
    to the layer boundaries of the level closest to the leaf, which is true
    for all iterations starting from zero or an existing element and thus is
    fine for idr_for_each().
    
    However, idr_get_next() may be given any point and if the starting id
    hits in the middle of a non-existent layer, increment to the next layer
    will end up skipping the same offset into it.  For example, an IDR with
    IDs filled between [64, 127] would look like the following.
    
              [  0  64 ... ]
           /----/   |
           |        |
          NULL    [ 64 ... 127 ]
    
    If idr_get_next() is called with 63 as the starting point, it will try
    to follow down the pointer from 0.  As it is NULL, it will then try to
    proceed to the next slot in the same level by adding the slot distance
    at that level which is 64 - making the next try 127.  It goes around the
    loop and finds and returns 127 skipping [64, 126].
    
    Note that this bug also triggers in idr_for_each_entry() loop which
    deletes during iteration as deletions can make layers go away leaving
    the iteration with unaligned ID into missing layers.
    
    Fix it by ensuring proceeding to the next slot doesn't carry over the
    unaligned offset - ie.  use round_up(id + 1, slot_distance) instead of
    id += slot_distance.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: David Teigland <teigland@redhat.com>
    Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/idr.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 745362f28034f54242ba2e64eaa7374ab9869613
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 1 20:31:42 2013 -0500

    Fix dentry use-after-free after failed complete_walk() with RBAC enabled
    Many thanks to zakalwe from #grsecurity for the report and debugging help

 fs/namei.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit b53b3b14330920c6f7cfb74c8508a3026e1be620
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 18:29:26 2013 -0500

    Fix bad git merge

 fs/namespace.c |    8 --------
 1 files changed, 0 insertions(+), 8 deletions(-)

commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
Merge: 1cce1dd ab30472
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 17:45:14 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        net/core/sock_diag.c

commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
Merge: 4b61d21 4c91a0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 17:43:56 2013 -0500

    Merge branch 'linux-3.8.y' into pax-test

commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 22:20:22 2013 -0500

    add compiler.h to sysrq.h to fix compilation problem reported by micu on forums

 include/linux/sysrq.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 17:52:31 2013 -0500

    declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel

 kernel/printk.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 17:23:46 2013 -0500

    Fix upstream vulnerability from addition of a /dev/kmsg device
    while neglecting to add the same set of existing permission checks
    from do_syslog.  This bit both dmesg_restrict and GRKERNSEC_DMESG.
    A temporary workaround without this patch would be to
    chmod 0600 /dev/kmsg (and is likely a good idea anyway).
    
    Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
    Initially reported to Redhat bugzilla by Christian Kujau:
    https://bugzilla.redhat.com/show_bug.cgi?id=903192

 kernel/printk.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 66c04806f5660988c3cb4855e60de294e77e3d0e
Author: David Howells <dhowells@redhat.com>
Date:   Thu Feb 21 12:00:25 2013 +0000

    Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
    
    KEYS: Revert one application of "Fix unreachable code" patch
    
    A patch to fix some unreachable code in search_my_process_keyrings() got
    applied twice by two different routes upstream as commits e67eab39bee2
    and b010520ab3d2 (both "fix unreachable code").
    
    Unfortunately, the second application removed something it shouldn't
    have and this wasn't detected by GIT.  This is due to the patch not
    having sufficient lines of context to distinguish the two places of
    application.
    
    The effect of this is relatively minor: inside the kernel, the keyring
    search routines may search multiple keyrings and then prioritise the
    errors if no keys or negative keys are found in any of them.  With the
    extra deletion, the presence of a negative key in the thread keyring
    (causing ENOKEY) is incorrectly overridden by an error searching the
    process keyring.
    
    So revert the second application of the patch.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Cc: Jiri Kosina <jkosina@suse.cz>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 security/keys/process_keys.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Thu Feb 21 16:42:43 2013 -0800

    Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
    
    configfs: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to found this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/configfs/dir.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
Author: Nicolas Pitre <nicolas.pitre@linaro.org>
Date:   Sun Feb 24 20:06:09 2013 -0500

    Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
    
    tty vt: fix character insertion overflow
    
    Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
    command line edition") broke insert_char() in multiple ways.  Then
    commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
    partially fixed it.  However, the buffer being moved is still too large
    and overflowing beyond the end of the current line, corrupting existing
    characters on the next line.
    
    Example test case:
    
    echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
    
    Expected result:
    
    ab c
    de
    
    Current result:
    
    ab c
     e
    
    Needless to say that this is very annoying when inserting words in the
    middle of paragraphs with certain text editors.
    
    Signed-off-by: Nicolas Pitre <nico@linaro.org>
    Cc: Jean-François Moine <moinejf@free.fr>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/tty/vt/vt.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6cda35071669b4aabde081bd039e0ffea36f997a
Author: Robin Holt <holt@sgi.com>
Date:   Fri Feb 22 16:35:34 2013 -0800

    Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
    
    mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
    
    There is a race condition between mmu_notifier_unregister() and
    __mmu_notifier_release().
    
    Assume two tasks, one calling mmu_notifier_unregister() as a result of a
    filp_close() ->flush() callout (task A), and the other calling
    mmu_notifier_release() from an mmput() (task B).
    
                    A                               B
    t1                                              srcu_read_lock()
    t2              if (!hlist_unhashed())
    t3                                              srcu_read_unlock()
    t4              srcu_read_lock()
    t5                                              hlist_del_init_rcu()
    t6                                              synchronize_srcu()
    t7              srcu_read_unlock()
    t8              hlist_del_rcu()  <--- NULL pointer deref.
    
    Additionally, the list traversal in __mmu_notifier_release() is not
    protected by the by the mmu_notifier_mm->hlist_lock which can result in
    callouts to the ->release() notifier from both mmu_notifier_unregister()
    and __mmu_notifier_release().
    
    -stable suggestions:
    
    The stable trees prior to 3.7.y need commits 21a92735f660 and
    70400303ce0c cherry-picked in that order prior to cherry-picking this
    commit.  The 3.7.y tree already has those two commits.
    
    Signed-off-by: Robin Holt <holt@sgi.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
    Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
    Cc: Avi Kivity <avi@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Marcelo Tosatti <mtosatti@redhat.com>
    Cc: Sagi Grimberg <sagig@mellanox.co.il>
    Cc: Haggai Eran <haggaie@mellanox.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmu_notifier.c |   82 +++++++++++++++++++++++++++--------------------------
 1 files changed, 42 insertions(+), 40 deletions(-)

commit bf5167ed78ba6131c6874887f714bda50c2cab83
Author: Mike Galbraith <bitbucket@online.de>
Date:   Mon Jan 28 12:19:25 2013 +0100

    Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
    
    sched: Fix select_idle_sibling() bouncing cow syndrome
    
    If the previous CPU is cache affine and idle, select it.
    
    The current implementation simply traverses the sd_llc domain,
    taking the first idle CPU encountered, which walks buddy pairs
    hand in hand over the package, inflicting excruciating pain.
    
    1 tbench pair (worst case) in a 10 core + SMT package:
    
      pre   15.22 MB/sec 1 procs
      post 252.01 MB/sec 1 procs
    
    Signed-off-by: Mike Galbraith <bitbucket@online.de>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 kernel/sched/fair.c |   21 +++++++--------------
 1 files changed, 7 insertions(+), 14 deletions(-)

commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri Dec 28 18:58:39 2012 -0800

    Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
    
    userns: Avoid recursion in put_user_ns
    
    When freeing a deeply nested user namespace free_user_ns calls
    put_user_ns on it's parent which may in turn call free_user_ns again.
    When -fno-optimize-sibling-calls is passed to gcc one stack frame per
    user namespace is left on the stack, potentially overflowing the
    kernel stack.  CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
    so we can't count on gcc to optimize this code.
    
    Remove struct kref and use a plain atomic_t.  Making the code more
    flexible and easier to comprehend.  Make the loop in free_user_ns
    explict to guarantee that the stack does not overflow with
    CONFIG_FRAME_POINTER enabled.
    
    I have tested this fix with a simple program that uses unshare to
    create a deeply nested user namespace structure and then calls exit.
    With 1000 nesteuser namespaces before this change running my test
    program causes the kernel to die a horrible death.  With 10,000,000
    nested user namespaces after this change my test program runs to
    completion and causes no harm.
    
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 include/linux/user_namespace.h |   10 +++++-----
 kernel/user.c                  |    4 +---
 kernel/user_namespace.c        |   17 +++++++++--------
 3 files changed, 15 insertions(+), 16 deletions(-)

commit 81501c7106ccc186c94806f4db954626295b5ebe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 26 17:12:30 2013 -0500

    Pass the same flags to kern_path_create as the original function

 fs/namei.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a677c8eee35afe48868f92c7d6745bfe809cd481
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Feb 22 22:45:42 2013 -0500

    Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
    
    get rid of unprotected dereferencing of mnt->mnt_ns
    
    It's safe only under namespace_sem or vfsmount_lock; all places
    in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
    current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
    there).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namespace.c |   29 +++++++++++++++++------------
 1 files changed, 17 insertions(+), 12 deletions(-)

commit 89298124d0c96dc34a60377e7a1308f8f532ff75
Author: Greg Thelen <gthelen@google.com>
Date:   Fri Feb 22 16:36:01 2013 -0800

    Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
    
    tmpfs: fix use-after-free of mempolicy object
    
    The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
    option is not specified in the remount request.  A new policy can be
    specified if mpol=M is given.
    
    Before this patch remounting an mpol bound tmpfs without specifying
    mpol= mount option in the remount request would set the filesystem's
    mempolicy object to a freed mempolicy object.
    
    To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
        # mkdir /tmp/x
    
        # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
    
        # mount -o remount,size=200M nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
            # note ? garbage in mpol=... output above
    
        # dd if=/dev/zero of=/tmp/x/f count=1
            # panic here
    
    Panic:
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<          (null)>]           (null)
        [...]
        Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
        Call Trace:
          mpol_shared_policy_init+0xa5/0x160
          shmem_get_inode+0x209/0x270
          shmem_mknod+0x3e/0xf0
          shmem_create+0x18/0x20
          vfs_create+0xb5/0x130
          do_last+0x9a1/0xea0
          path_openat+0xb3/0x4d0
          do_filp_open+0x42/0xa0
          do_sys_open+0xfe/0x1e0
          compat_sys_open+0x1b/0x20
          cstar_dispatch+0x7/0x1f
    
    Non-debug kernels will not crash immediately because referencing the
    dangling mpol will not cause a fault.  Instead the filesystem will
    reference a freed mempolicy object, which will cause unpredictable
    behavior.
    
    The problem boils down to a dropped mpol reference below if
    shmem_parse_options() does not allocate a new mpol:
    
        config = *sbinfo
        shmem_parse_options(data, &config, true)
        mpol_put(sbinfo->mpol)
        sbinfo->mpol = config.mpol  /* BUG: saves unreferenced mpol */
    
    This patch avoids the crash by not releasing the mempolicy if
    shmem_parse_options() doesn't create a new mpol.
    
    How far back does this issue go? I see it in both 2.6.36 and 3.3.  I did
    not look back further.
    
    Signed-off-by: Greg Thelen <gthelen@google.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/shmem.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 23 11:08:05 2013 -0500

    Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
    with a family greater or equal then AF_MAX -- the array size of
    sock_diag_handlers[]. The current code does not test for this
    condition therefore is vulnerable to an out-of-bound access opening
    doors for a privilege escalation.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
    make the code less readable. Get rid of them and make the lock usage
    and access to sock_diag_handlers[] clear on the first sight.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/core/sock_diag.c |   27 ++++++++++-----------------
 1 files changed, 10 insertions(+), 17 deletions(-)

commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 23 10:58:52 2013 -0500

    Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined

 arch/arm/include/asm/domain.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7b729586eb81f344fdedf0942fab0acc738a6725
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 22 19:02:51 2013 -0500

    Add back capability check for user namespaces.  They have not seen enough proper review and needlessly exposes additional attack surface for all users.

 kernel/fork.c |   17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

commit fadc560d0c486af88da83177735f5515e88acdcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:06:48 2013 -0500

    put is_hugetlbfs_mnt inside ifdefs

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 8252176922d405484f986eb2cc350b7cd3ae586e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:02:07 2013 -0500

    remove unused label

 kernel/module.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit dad4a980f0b625059e215d13da728aa7fd02a374
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:00:52 2013 -0500

    compile fix

 fs/open.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:57:49 2013 -0500

    remove kmalloc_array_error for the same reasons as kcalloc_error

 include/linux/slab.h |    9 ---------
 1 files changed, 0 insertions(+), 9 deletions(-)

commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:49:35 2013 -0500

    Initial port of grsecurity for Linux 3.8

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |   10 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   14 +-
 arch/arm/include/asm/cache.h                       |    2 +
 arch/arm/include/asm/thread_info.h                 |    9 +-
 arch/arm/kernel/process.c                          |    4 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   27 +-
 arch/arm/mm/mmap.c                                 |    6 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    7 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    3 +-
 arch/ia64/mm/hugetlbpage.c                         |    3 +-
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    3 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   19 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/include/asm/thread_info.h             |    8 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/powerpc/mm/slice.c                            |    8 +-
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    8 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    6 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/Kconfig.debug                             |    2 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |   14 +-
 arch/x86/kernel/sys_x86_64.c                       |    3 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |   16 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |    3 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  126 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 crypto/ablkcipher.c                                |   12 +-
 crypto/aead.c                                      |    9 +-
 crypto/ahash.c                                     |    2 +-
 crypto/blkcipher.c                                 |    6 +-
 crypto/crypto_user.c                               |   38 +-
 crypto/pcompress.c                                 |    3 +-
 crypto/rng.c                                       |    2 +-
 crypto/shash.c                                     |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    5 +
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++--------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    6 +
 fs/btrfs/inode.c                                   |   10 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   18 +
 fs/coredump.c                                      |   10 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  155 +-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    5 +
 fs/fs_struct.c                                     |   26 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  269 ++-
 fs/namespace.c                                     |   24 +
 fs/open.c                                          |   38 +
 fs/pipe.c                                          |    2 +-
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 +-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |   17 +
 fs/proc/internal.h                                 |    3 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 grsecurity/Kconfig                                 | 1021 +++++
 grsecurity/Makefile                                |   38 +
 grsecurity/gracl.c                                 | 4017 ++++++++++++++++++++
 grsecurity/gracl_alloc.c                           |  105 +
 grsecurity/gracl_cap.c                             |  110 +
 grsecurity/gracl_fs.c                              |  431 +++
 grsecurity/gracl_ip.c                              |  384 ++
 grsecurity/gracl_learn.c                           |  207 +
 grsecurity/gracl_res.c                             |   68 +
 grsecurity/gracl_segv.c                            |  299 ++
 grsecurity/gracl_shm.c                             |   40 +
 grsecurity/grsec_chdir.c                           |   19 +
 grsecurity/grsec_chroot.c                          |  357 ++
 grsecurity/grsec_disabled.c                        |  434 +++
 grsecurity/grsec_exec.c                            |  174 +
 grsecurity/grsec_fifo.c                            |   24 +
 grsecurity/grsec_fork.c                            |   23 +
 grsecurity/grsec_init.c                            |  283 ++
 grsecurity/grsec_link.c                            |   58 +
 grsecurity/grsec_log.c                             |  329 ++
 grsecurity/grsec_mem.c                             |   40 +
 grsecurity/grsec_mount.c                           |   62 +
 grsecurity/grsec_pax.c                             |   36 +
 grsecurity/grsec_ptrace.c                          |   30 +
 grsecurity/grsec_sig.c                             |  222 ++
 grsecurity/grsec_sock.c                            |  244 ++
 grsecurity/grsec_sysctl.c                          |  469 +++
 grsecurity/grsec_time.c                            |   16 +
 grsecurity/grsec_tpe.c                             |   73 +
 grsecurity/grsum.c                                 |   61 +
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/gracl.h                              |  319 ++
 include/linux/gralloc.h                            |    9 +
 include/linux/grdefs.h                             |  140 +
 include/linux/grinternal.h                         |  215 ++
 include/linux/grmsg.h                              |  111 +
 include/linux/grsecurity.h                         |  257 ++
 include/linux/grsock.h                             |   19 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/netfilter/xt_gradm.h                 |    9 +
 include/linux/printk.h                             |    3 +-
 include/linux/proc_fs.h                            |   12 +
 include/linux/sched.h                              |   66 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/vermagic.h                           |    9 +-
 include/trace/events/fs.h                          |   53 +
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    5 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  109 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   24 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   71 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   80 +-
 kernel/panic.c                                     |    4 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    8 +
 kernel/printk.c                                    |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   38 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    3 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 lib/vsprintf.c                                     |   35 +-
 localversion-grsec                                 |    1 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   62 +-
 mm/mprotect.c                                      |    8 +
 mm/page_alloc.c                                    |    6 +
 mm/process_vm_access.c                             |    6 +
 mm/shmem.c                                         |    2 +-
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev.c                                     |    9 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    7 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netfilter/xt_gradm.c                           |   51 +
 net/netrom/af_netrom.c                             |    2 +-
 net/phonet/af_phonet.c                             |    4 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   62 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   19 +
 security/Kconfig                                   |  320 ++-
 security/apparmor/lsm.c                            |    2 +-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/yama/Kconfig                              |    2 +-
 tools/gcc/Makefile                                 |    2 +-
 286 files changed, 15083 insertions(+), 2067 deletions(-)

commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 21:00:42 2013 -0500

    Initial import of pax-linux-3.8-test3.patch

 Documentation/dontdiff                           |   43 +-
 Documentation/kernel-parameters.txt              |    7 +
 Makefile                                         |   97 +-
 arch/alpha/include/asm/atomic.h                  |   10 +
 arch/alpha/include/asm/elf.h                     |    7 +
 arch/alpha/include/asm/pgalloc.h                 |    6 +
 arch/alpha/include/asm/pgtable.h                 |   11 +
 arch/alpha/kernel/module.c                       |    2 +-
 arch/alpha/kernel/osf_sys.c                      |   10 +-
 arch/alpha/mm/fault.c                            |  141 +-
 arch/arm/Kconfig                                 |    2 +-
 arch/arm/include/asm/atomic.h                    |  421 +++-
 arch/arm/include/asm/cache.h                     |    3 +-
 arch/arm/include/asm/cacheflush.h                |    2 +-
 arch/arm/include/asm/checksum.h                  |   14 +-
 arch/arm/include/asm/cmpxchg.h                   |    2 +
 arch/arm/include/asm/delay.h                     |    8 +-
 arch/arm/include/asm/domain.h                    |   32 +-
 arch/arm/include/asm/elf.h                       |   13 +-
 arch/arm/include/asm/fncpy.h                     |    2 +
 arch/arm/include/asm/futex.h                     |   10 +
 arch/arm/include/asm/kmap_types.h                |    2 +-
 arch/arm/include/asm/mach/dma.h                  |    2 +-
 arch/arm/include/asm/mach/map.h                  |    7 +-
 arch/arm/include/asm/outercache.h                |    2 +-
 arch/arm/include/asm/page.h                      |    2 +-
 arch/arm/include/asm/pgalloc.h                   |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h      |    5 +
 arch/arm/include/asm/pgtable-2level.h            |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h      |    4 +
 arch/arm/include/asm/pgtable-3level.h            |    2 +
 arch/arm/include/asm/pgtable.h                   |   56 +-
 arch/arm/include/asm/proc-fns.h                  |    2 +-
 arch/arm/include/asm/processor.h                 |    5 +-
 arch/arm/include/asm/smp.h                       |    2 +-
 arch/arm/include/asm/thread_info.h               |    6 +-
 arch/arm/include/asm/uaccess.h                   |   92 +-
 arch/arm/include/uapi/asm/ptrace.h               |    2 +-
 arch/arm/kernel/armksyms.c                       |    4 +-
 arch/arm/kernel/entry-armv.S                     |  107 +-
 arch/arm/kernel/entry-common.S                   |   41 +-
 arch/arm/kernel/entry-header.S                   |   60 +
 arch/arm/kernel/fiq.c                            |    2 +
 arch/arm/kernel/head.S                           |    6 +-
 arch/arm/kernel/hw_breakpoint.c                  |    2 +-
 arch/arm/kernel/module.c                         |   29 +-
 arch/arm/kernel/perf_event_cpu.c                 |    2 +-
 arch/arm/kernel/process.c                        |   10 +-
 arch/arm/kernel/setup.c                          |   22 +-
 arch/arm/kernel/smp.c                            |    2 +-
 arch/arm/kernel/traps.c                          |    8 +-
 arch/arm/kernel/vmlinux.lds.S                    |   20 +-
 arch/arm/lib/clear_user.S                        |    6 +-
 arch/arm/lib/copy_from_user.S                    |    6 +-
 arch/arm/lib/copy_page.S                         |    1 +
 arch/arm/lib/copy_to_user.S                      |    6 +-
 arch/arm/lib/csumpartialcopyuser.S               |    4 +-
 arch/arm/lib/delay.c                             |   14 +-
 arch/arm/lib/uaccess_with_memcpy.c               |    2 +-
 arch/arm/mach-kirkwood/common.c                  |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                 |    2 +-
 arch/arm/mach-omap2/omap-wakeupgen.c             |    2 +-
 arch/arm/mach-omap2/omap_hwmod.c                 |    4 +-
 arch/arm/mach-ux500/include/mach/setup.h         |    7 -
 arch/arm/mm/Kconfig                              |    3 +-
 arch/arm/mm/fault.c                              |   78 +
 arch/arm/mm/fault.h                              |   12 +
 arch/arm/mm/init.c                               |   41 +
 arch/arm/mm/ioremap.c                            |    4 +-
 arch/arm/mm/mmap.c                               |   36 +-
 arch/arm/mm/mmu.c                                |  186 +-
 arch/arm/mm/proc-v7-2level.S                     |    3 +
 arch/arm/plat-omap/sram.c                        |    2 +
 arch/arm/plat-orion/include/plat/addr-map.h      |    2 +-
 arch/arm/plat-samsung/include/plat/dma-ops.h     |    2 +-
 arch/arm64/kernel/debug-monitors.c               |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                |    2 +-
 arch/avr32/include/asm/elf.h                     |    8 +-
 arch/avr32/include/asm/kmap_types.h              |    4 +-
 arch/avr32/mm/fault.c                            |   27 +
 arch/frv/include/asm/atomic.h                    |   10 +
 arch/frv/include/asm/kmap_types.h                |    2 +-
 arch/frv/mm/elf-fdpic.c                          |    7 +-
 arch/ia64/include/asm/atomic.h                   |   10 +
 arch/ia64/include/asm/elf.h                      |    7 +
 arch/ia64/include/asm/pgalloc.h                  |   12 +
 arch/ia64/include/asm/pgtable.h                  |   13 +-
 arch/ia64/include/asm/spinlock.h                 |    2 +-
 arch/ia64/include/asm/uaccess.h                  |   28 +-
 arch/ia64/kernel/err_inject.c                    |    2 +-
 arch/ia64/kernel/mca.c                           |    2 +-
 arch/ia64/kernel/module.c                        |   48 +-
 arch/ia64/kernel/palinfo.c                       |    2 +-
 arch/ia64/kernel/salinfo.c                       |    2 +-
 arch/ia64/kernel/sys_ia64.c                      |   13 +-
 arch/ia64/kernel/topology.c                      |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                   |    2 +-
 arch/ia64/mm/fault.c                             |   32 +-
 arch/ia64/mm/hugetlbpage.c                       |    2 +-
 arch/ia64/mm/init.c                              |   13 +
 arch/m32r/lib/usercopy.c                         |    6 +
 arch/mips/include/asm/atomic.h                   |   14 +
 arch/mips/include/asm/elf.h                      |   11 +-
 arch/mips/include/asm/exec.h                     |    2 +-
 arch/mips/include/asm/page.h                     |    2 +-
 arch/mips/include/asm/pgalloc.h                  |    5 +
 arch/mips/kernel/binfmt_elfn32.c                 |    7 +
 arch/mips/kernel/binfmt_elfo32.c                 |    7 +
 arch/mips/kernel/process.c                       |   12 -
 arch/mips/mm/fault.c                             |   17 +
 arch/mips/mm/mmap.c                              |   51 +-
 arch/parisc/include/asm/atomic.h                 |   10 +
 arch/parisc/include/asm/elf.h                    |    7 +
 arch/parisc/include/asm/pgalloc.h                |    6 +
 arch/parisc/include/asm/pgtable.h                |   11 +
 arch/parisc/include/asm/uaccess.h                |    4 +-
 arch/parisc/kernel/module.c                      |   50 +-
 arch/parisc/kernel/sys_parisc.c                  |    6 +-
 arch/parisc/kernel/traps.c                       |    4 +-
 arch/parisc/mm/fault.c                           |  140 +-
 arch/powerpc/include/asm/atomic.h                |   10 +
 arch/powerpc/include/asm/elf.h                   |   19 +-
 arch/powerpc/include/asm/exec.h                  |    2 +-
 arch/powerpc/include/asm/kmap_types.h            |    2 +-
 arch/powerpc/include/asm/mman.h                  |    2 +-
 arch/powerpc/include/asm/page.h                  |    8 +-
 arch/powerpc/include/asm/page_64.h               |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h            |    7 +
 arch/powerpc/include/asm/pgtable.h               |    1 +
 arch/powerpc/include/asm/pte-hash32.h            |    1 +
 arch/powerpc/include/asm/reg.h                   |    1 +
 arch/powerpc/include/asm/uaccess.h               |  142 +-
 arch/powerpc/kernel/exceptions-64e.S             |    4 +-
 arch/powerpc/kernel/exceptions-64s.S             |    2 +-
 arch/powerpc/kernel/module_32.c                  |   13 +-
 arch/powerpc/kernel/process.c                    |   55 -
 arch/powerpc/kernel/signal_32.c                  |    2 +-
 arch/powerpc/kernel/signal_64.c                  |    2 +-
 arch/powerpc/kernel/sysfs.c                      |    2 +-
 arch/powerpc/kernel/vdso.c                       |    5 +-
 arch/powerpc/lib/usercopy_64.c                   |   18 -
 arch/powerpc/mm/fault.c                          |   54 +-
 arch/powerpc/mm/mmap_64.c                        |   16 +
 arch/powerpc/mm/mmu_context_nohash.c             |    2 +-
 arch/powerpc/mm/numa.c                           |    2 +-
 arch/powerpc/mm/slice.c                          |   23 +-
 arch/powerpc/platforms/powermac/smp.c            |    2 +-
 arch/s390/include/asm/atomic.h                   |   10 +
 arch/s390/include/asm/elf.h                      |   13 +-
 arch/s390/include/asm/exec.h                     |    2 +-
 arch/s390/include/asm/uaccess.h                  |   15 +-
 arch/s390/kernel/module.c                        |   22 +-
 arch/s390/kernel/process.c                       |   36 -
 arch/s390/mm/mmap.c                              |   24 +
 arch/score/include/asm/exec.h                    |    2 +-
 arch/score/kernel/process.c                      |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c               |    2 +-
 arch/sh/mm/mmap.c                                |   22 +-
 arch/sparc/include/asm/atomic_64.h               |  106 +-
 arch/sparc/include/asm/cache.h                   |    2 +-
 arch/sparc/include/asm/elf_32.h                  |    7 +
 arch/sparc/include/asm/elf_64.h                  |    7 +
 arch/sparc/include/asm/pgalloc_32.h              |    1 +
 arch/sparc/include/asm/pgalloc_64.h              |    1 +
 arch/sparc/include/asm/pgtable_32.h              |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                |    5 +
 arch/sparc/include/asm/spinlock_64.h             |   35 +-
 arch/sparc/include/asm/thread_info_32.h          |    2 +
 arch/sparc/include/asm/thread_info_64.h          |    2 +
 arch/sparc/include/asm/uaccess.h                 |    8 +
 arch/sparc/include/asm/uaccess_32.h              |   27 +-
 arch/sparc/include/asm/uaccess_64.h              |   19 +-
 arch/sparc/kernel/Makefile                       |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                 |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                 |   48 +-
 arch/sparc/kernel/sysfs.c                        |    2 +-
 arch/sparc/kernel/traps_64.c                     |   13 +-
 arch/sparc/lib/Makefile                          |    2 +-
 arch/sparc/lib/atomic_64.S                       |  136 +-
 arch/sparc/lib/ksyms.c                           |    6 +
 arch/sparc/mm/Makefile                           |    2 +-
 arch/sparc/mm/fault_32.c                         |  292 ++
 arch/sparc/mm/fault_64.c                         |  486 +++
 arch/sparc/mm/hugetlbpage.c                      |   21 +-
 arch/tile/include/asm/atomic_64.h                |   10 +
 arch/tile/include/asm/uaccess.h                  |    4 +-
 arch/um/Makefile                                 |    4 +
 arch/um/include/asm/kmap_types.h                 |    2 +-
 arch/um/include/asm/page.h                       |    3 +
 arch/um/include/asm/pgtable-3level.h             |    1 +
 arch/um/kernel/process.c                         |   16 -
 arch/x86/Kconfig                                 |   10 +-
 arch/x86/Kconfig.cpu                             |    6 +-
 arch/x86/Kconfig.debug                           |    6 +-
 arch/x86/Makefile                                |   10 +
 arch/x86/boot/Makefile                           |    3 +
 arch/x86/boot/bitops.h                           |    4 +-
 arch/x86/boot/boot.h                             |    4 +-
 arch/x86/boot/compressed/Makefile                |    3 +
 arch/x86/boot/compressed/eboot.c                 |    2 -
 arch/x86/boot/compressed/head_32.S               |    7 +-
 arch/x86/boot/compressed/head_64.S               |    4 +-
 arch/x86/boot/compressed/misc.c                  |    4 +-
 arch/x86/boot/cpucheck.c                         |   28 +-
 arch/x86/boot/header.S                           |    6 +-
 arch/x86/boot/memory.c                           |    2 +-
 arch/x86/boot/video-vesa.c                       |    1 +
 arch/x86/boot/video.c                            |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S              |    4 +
 arch/x86/crypto/aesni-intel_asm.S                |   31 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S         |    8 +
 arch/x86/crypto/camellia-x86_64-asm_64.S         |    8 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S        |    8 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S        |    8 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S          |    5 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S      |    8 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S     |    5 +
 arch/x86/crypto/sha1_ssse3_asm.S                 |    3 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S      |    8 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S     |    5 +
 arch/x86/crypto/twofish-x86_64-asm_64.S          |    3 +
 arch/x86/ia32/ia32_signal.c                      |   14 +-
 arch/x86/ia32/ia32entry.S                        |  141 +-
 arch/x86/ia32/sys_ia32.c                         |   12 +-
 arch/x86/include/asm/alternative-asm.h           |   39 +
 arch/x86/include/asm/alternative.h               |    4 +-
 arch/x86/include/asm/apic.h                      |    2 +-
 arch/x86/include/asm/apm.h                       |    4 +-
 arch/x86/include/asm/atomic.h                    |  307 ++-
 arch/x86/include/asm/atomic64_32.h               |  100 +
 arch/x86/include/asm/atomic64_64.h               |  202 ++-
 arch/x86/include/asm/bitops.h                    |    2 +-
 arch/x86/include/asm/boot.h                      |    7 +-
 arch/x86/include/asm/cache.h                     |    5 +-
 arch/x86/include/asm/cacheflush.h                |    2 +-
 arch/x86/include/asm/checksum_32.h               |   12 +-
 arch/x86/include/asm/cmpxchg.h                   |   35 +
 arch/x86/include/asm/cpufeature.h                |    4 +-
 arch/x86/include/asm/desc.h                      |   65 +-
 arch/x86/include/asm/desc_defs.h                 |    6 +
 arch/x86/include/asm/elf.h                       |   31 +-
 arch/x86/include/asm/emergency-restart.h         |    2 +-
 arch/x86/include/asm/fpu-internal.h              |    6 +-
 arch/x86/include/asm/futex.h                     |   16 +-
 arch/x86/include/asm/hw_irq.h                    |    4 +-
 arch/x86/include/asm/io.h                        |   13 +-
 arch/x86/include/asm/irqflags.h                  |    5 +
 arch/x86/include/asm/kprobes.h                   |    9 +-
 arch/x86/include/asm/local.h                     |  142 +-
 arch/x86/include/asm/mman.h                      |   15 +
 arch/x86/include/asm/mmu.h                       |   16 +-
 arch/x86/include/asm/mmu_context.h               |   76 +-
 arch/x86/include/asm/module.h                    |   17 +-
 arch/x86/include/asm/page_64_types.h             |    2 +-
 arch/x86/include/asm/paravirt.h                  |   44 +-
 arch/x86/include/asm/paravirt_types.h            |   17 +-
 arch/x86/include/asm/pgalloc.h                   |   23 +
 arch/x86/include/asm/pgtable-2level.h            |    2 +
 arch/x86/include/asm/pgtable-3level.h            |    4 +
 arch/x86/include/asm/pgtable.h                   |  110 +-
 arch/x86/include/asm/pgtable_32.h                |   14 +-
 arch/x86/include/asm/pgtable_32_types.h          |   15 +-
 arch/x86/include/asm/pgtable_64.h                |   19 +-
 arch/x86/include/asm/pgtable_64_types.h          |    5 +
 arch/x86/include/asm/pgtable_types.h             |   36 +-
 arch/x86/include/asm/processor.h                 |   39 +-
 arch/x86/include/asm/ptrace.h                    |   26 +-
 arch/x86/include/asm/realmode.h                  |    4 +-
 arch/x86/include/asm/reboot.h                    |   10 +-
 arch/x86/include/asm/rwsem.h                     |   60 +-
 arch/x86/include/asm/segment.h                   |   24 +-
 arch/x86/include/asm/smp.h                       |   14 +-
 arch/x86/include/asm/spinlock.h                  |   36 +-
 arch/x86/include/asm/stackprotector.h            |    4 +-
 arch/x86/include/asm/stacktrace.h                |   32 +-
 arch/x86/include/asm/switch_to.h                 |    4 +-
 arch/x86/include/asm/thread_info.h               |   83 +-
 arch/x86/include/asm/uaccess.h                   |   96 +-
 arch/x86/include/asm/uaccess_32.h                |  106 +-
 arch/x86/include/asm/uaccess_64.h                |  232 +-
 arch/x86/include/asm/word-at-a-time.h            |    2 +-
 arch/x86/include/asm/x86_init.h                  |   10 +-
 arch/x86/include/asm/xsave.h                     |   10 +-
 arch/x86/include/uapi/asm/e820.h                 |    2 +-
 arch/x86/kernel/Makefile                         |    2 +-
 arch/x86/kernel/acpi/sleep.c                     |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                 |    6 +-
 arch/x86/kernel/alternative.c                    |   65 +-
 arch/x86/kernel/apic/apic.c                      |    6 +-
 arch/x86/kernel/apic/apic_flat_64.c              |    4 +-
 arch/x86/kernel/apic/bigsmp_32.c                 |    2 +-
 arch/x86/kernel/apic/es7000_32.c                 |    5 +-
 arch/x86/kernel/apic/io_apic.c                   |    8 +-
 arch/x86/kernel/apic/numaq_32.c                  |    3 +-
 arch/x86/kernel/apic/probe_32.c                  |    2 +-
 arch/x86/kernel/apic/summit_32.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c            |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c               |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c               |    2 +-
 arch/x86/kernel/apm_32.c                         |   19 +-
 arch/x86/kernel/asm-offsets.c                    |   20 +
 arch/x86/kernel/asm-offsets_64.c                 |    1 +
 arch/x86/kernel/cpu/Makefile                     |    4 -
 arch/x86/kernel/cpu/amd.c                        |    2 +-
 arch/x86/kernel/cpu/common.c                     |   75 +-
 arch/x86/kernel/cpu/intel.c                      |    2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c            |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                 |   29 +-
 arch/x86/kernel/cpu/mcheck/p5.c                  |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c         |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c             |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                  |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                  |    2 +-
 arch/x86/kernel/cpu/perf_event.c                 |    4 +-
 arch/x86/kernel/cpu/perf_event_intel.c           |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c    |    2 +-
 arch/x86/kernel/cpuid.c                          |    2 +-
 arch/x86/kernel/crash.c                          |    4 +-
 arch/x86/kernel/doublefault_32.c                 |    8 +-
 arch/x86/kernel/dumpstack.c                      |   30 +-
 arch/x86/kernel/dumpstack_32.c                   |   34 +-
 arch/x86/kernel/dumpstack_64.c                   |   63 +-
 arch/x86/kernel/early_printk.c                   |    1 +
 arch/x86/kernel/entry_32.S                       |  354 ++-
 arch/x86/kernel/entry_64.S                       |  512 +++-
 arch/x86/kernel/ftrace.c                         |   14 +-
 arch/x86/kernel/head32.c                         |    4 +-
 arch/x86/kernel/head_32.S                        |  237 ++-
 arch/x86/kernel/head_64.S                        |  158 +-
 arch/x86/kernel/i386_ksyms_32.c                  |    8 +
 arch/x86/kernel/i387.c                           |    2 +-
 arch/x86/kernel/i8259.c                          |    2 +-
 arch/x86/kernel/ioport.c                         |    2 +-
 arch/x86/kernel/irq.c                            |   10 +-
 arch/x86/kernel/irq_32.c                         |   69 +-
 arch/x86/kernel/irq_64.c                         |    2 +-
 arch/x86/kernel/kdebugfs.c                       |    2 +-
 arch/x86/kernel/kgdb.c                           |   25 +-
 arch/x86/kernel/kprobes-opt.c                    |   12 +-
 arch/x86/kernel/kprobes.c                        |   30 +-
 arch/x86/kernel/kvm.c                            |    2 +-
 arch/x86/kernel/ldt.c                            |   31 +-
 arch/x86/kernel/machine_kexec_32.c               |    6 +-
 arch/x86/kernel/microcode_core.c                 |    2 +-
 arch/x86/kernel/microcode_intel.c                |    4 +-
 arch/x86/kernel/module.c                         |   76 +-
 arch/x86/kernel/msr.c                            |    2 +-
 arch/x86/kernel/nmi.c                            |   11 +
 arch/x86/kernel/paravirt-spinlocks.c             |    2 +-
 arch/x86/kernel/paravirt.c                       |   43 +-
 arch/x86/kernel/pci-iommu_table.c                |    2 +-
 arch/x86/kernel/process.c                        |   57 +-
 arch/x86/kernel/process_32.c                     |   29 +-
 arch/x86/kernel/process_64.c                     |   15 +-
 arch/x86/kernel/ptrace.c                         |   25 +-
 arch/x86/kernel/pvclock.c                        |    8 +-
 arch/x86/kernel/reboot.c                         |   44 +-
 arch/x86/kernel/relocate_kernel_64.S             |    4 +-
 arch/x86/kernel/setup.c                          |   14 +-
 arch/x86/kernel/setup_percpu.c                   |   27 +-
 arch/x86/kernel/signal.c                         |   15 +-
 arch/x86/kernel/smp.c                            |    2 +-
 arch/x86/kernel/smpboot.c                        |   15 +-
 arch/x86/kernel/step.c                           |   10 +-
 arch/x86/kernel/sys_i386_32.c                    |  247 ++
 arch/x86/kernel/sys_x86_64.c                     |   19 +-
 arch/x86/kernel/tboot.c                          |   14 +-
 arch/x86/kernel/time.c                           |   10 +-
 arch/x86/kernel/tls.c                            |    7 +-
 arch/x86/kernel/traps.c                          |   64 +-
 arch/x86/kernel/uprobes.c                        |    2 +-
 arch/x86/kernel/vm86_32.c                        |    6 +-
 arch/x86/kernel/vmlinux.lds.S                    |  148 +-
 arch/x86/kernel/vsyscall_64.c                    |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                 |    2 -
 arch/x86/kernel/x86_init.c                       |    8 +-
 arch/x86/kernel/xsave.c                          |    2 +
 arch/x86/kvm/cpuid.c                             |   21 +-
 arch/x86/kvm/emulate.c                           |    4 +-
 arch/x86/kvm/lapic.c                             |    2 +-
 arch/x86/kvm/paging_tmpl.h                       |    2 +-
 arch/x86/kvm/svm.c                               |    8 +
 arch/x86/kvm/vmx.c                               |   47 +-
 arch/x86/kvm/x86.c                               |   10 +-
 arch/x86/lguest/boot.c                           |    3 +-
 arch/x86/lib/atomic64_386_32.S                   |  164 +
 arch/x86/lib/atomic64_cx8_32.S                   |  103 +-
 arch/x86/lib/checksum_32.S                       |  100 +-
 arch/x86/lib/clear_page_64.S                     |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                    |    2 +
 arch/x86/lib/copy_page_64.S                      |   24 +-
 arch/x86/lib/copy_user_64.S                      |   47 +-
 arch/x86/lib/copy_user_nocache_64.S              |   20 +-
 arch/x86/lib/csum-copy_64.S                      |    2 +
 arch/x86/lib/csum-wrappers_64.c                  |    4 +-
 arch/x86/lib/getuser.S                           |   68 +-
 arch/x86/lib/insn.c                              |    6 +-
 arch/x86/lib/iomap_copy_64.S                     |    2 +
 arch/x86/lib/memcpy_64.S                         |   18 +-
 arch/x86/lib/memmove_64.S                        |   34 +-
 arch/x86/lib/memset_64.S                         |    7 +-
 arch/x86/lib/mmx_32.c                            |  243 +-
 arch/x86/lib/msr-reg.S                           |   18 +-
 arch/x86/lib/putuser.S                           |   90 +-
 arch/x86/lib/rwlock.S                            |   42 +
 arch/x86/lib/rwsem.S                             |    6 +-
 arch/x86/lib/thunk_64.S                          |    2 +
 arch/x86/lib/usercopy_32.c                       |  376 ++-
 arch/x86/lib/usercopy_64.c                       |   25 +-
 arch/x86/mm/extable.c                            |   25 +-
 arch/x86/mm/fault.c                              |  555 +++-
 arch/x86/mm/gup.c                                |    2 +-
 arch/x86/mm/highmem_32.c                         |    4 +
 arch/x86/mm/hugetlbpage.c                        |   30 +-
 arch/x86/mm/init.c                               |   92 +-
 arch/x86/mm/init_32.c                            |  122 +-
 arch/x86/mm/init_64.c                            |   48 +-
 arch/x86/mm/iomap_32.c                           |    4 +
 arch/x86/mm/ioremap.c                            |   12 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                |    4 +-
 arch/x86/mm/mmap.c                               |   41 +-
 arch/x86/mm/mmio-mod.c                           |   10 +-
 arch/x86/mm/pageattr-test.c                      |    2 +-
 arch/x86/mm/pageattr.c                           |   33 +-
 arch/x86/mm/pat.c                                |   12 +-
 arch/x86/mm/pf_in.c                              |   10 +-
 arch/x86/mm/pgtable.c                            |  137 +-
 arch/x86/mm/pgtable_32.c                         |    3 +
 arch/x86/mm/setup_nx.c                           |    7 +
 arch/x86/mm/tlb.c                                |    4 +
 arch/x86/net/bpf_jit.S                           |   14 +
 arch/x86/net/bpf_jit_comp.c                      |   37 +-
 arch/x86/oprofile/backtrace.c                    |    8 +-
 arch/x86/pci/amd_bus.c                           |    2 +-
 arch/x86/pci/mrst.c                              |    4 +-
 arch/x86/pci/pcbios.c                            |  144 +-
 arch/x86/platform/efi/efi_32.c                   |   19 +
 arch/x86/platform/efi/efi_stub_32.S              |   64 +-
 arch/x86/platform/efi/efi_stub_64.S              |    8 +
 arch/x86/platform/mrst/mrst.c                    |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                 |    2 +-
 arch/x86/power/cpu.c                             |    4 +-
 arch/x86/realmode/init.c                         |    8 +-
 arch/x86/realmode/rm/Makefile                    |    3 +
 arch/x86/realmode/rm/header.S                    |    4 +-
 arch/x86/realmode/rm/trampoline_32.S             |   12 +-
 arch/x86/realmode/rm/trampoline_64.S             |    2 +-
 arch/x86/tools/relocs.c                          |   95 +-
 arch/x86/vdso/Makefile                           |    2 +-
 arch/x86/vdso/vdso32-setup.c                     |   23 +-
 arch/x86/vdso/vma.c                              |   29 +-
 arch/x86/xen/enlighten.c                         |   47 +-
 arch/x86/xen/mmu.c                               |    9 +
 arch/x86/xen/smp.c                               |   18 +-
 arch/x86/xen/xen-asm_32.S                        |   12 +-
 arch/x86/xen/xen-head.S                          |   11 +
 arch/x86/xen/xen-ops.h                           |    2 -
 block/blk-iopoll.c                               |    4 +-
 block/blk-map.c                                  |    2 +-
 block/blk-softirq.c                              |    4 +-
 block/bsg.c                                      |   12 +-
 block/compat_ioctl.c                             |    2 +-
 block/partitions/efi.c                           |    8 +-
 block/scsi_ioctl.c                               |   27 +-
 crypto/cryptd.c                                  |    4 +-
 drivers/acpi/apei/cper.c                         |    8 +-
 drivers/acpi/ec_sys.c                            |   12 +-
 drivers/acpi/processor_driver.c                  |    2 +-
 drivers/ata/libata-core.c                        |    8 +-
 drivers/ata/pata_arasan_cf.c                     |    4 +-
 drivers/atm/adummy.c                             |    2 +-
 drivers/atm/ambassador.c                         |    8 +-
 drivers/atm/atmtcp.c                             |   14 +-
 drivers/atm/eni.c                                |   10 +-
 drivers/atm/firestream.c                         |    8 +-
 drivers/atm/fore200e.c                           |   14 +-
 drivers/atm/he.c                                 |   18 +-
 drivers/atm/horizon.c                            |    4 +-
 drivers/atm/idt77252.c                           |   36 +-
 drivers/atm/iphase.c                             |   34 +-
 drivers/atm/lanai.c                              |   12 +-
 drivers/atm/nicstar.c                            |   46 +-
 drivers/atm/solos-pci.c                          |    4 +-
 drivers/atm/suni.c                               |    4 +-
 drivers/atm/uPD98402.c                           |   16 +-
 drivers/atm/zatm.c                               |    6 +-
 drivers/base/devtmpfs.c                          |    2 +-
 drivers/base/power/wakeup.c                      |    8 +-
 drivers/block/cciss.c                            |   28 +-
 drivers/block/cciss.h                            |    2 +-
 drivers/block/cpqarray.c                         |   28 +-
 drivers/block/cpqarray.h                         |    2 +-
 drivers/block/drbd/drbd_int.h                    |    6 +-
 drivers/block/drbd/drbd_main.c                   |    8 +-
 drivers/block/drbd/drbd_receiver.c               |   18 +-
 drivers/block/loop.c                             |    2 +-
 drivers/cdrom/cdrom.c                            |    9 +-
 drivers/cdrom/gdrom.c                            |    1 -
 drivers/char/agp/frontend.c                      |    2 +-
 drivers/char/hpet.c                              |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c              |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                 |    8 +-
 drivers/char/mem.c                               |   41 +-
 drivers/char/nvram.c                             |    2 +-
 drivers/char/pcmcia/synclink_cs.c                |   18 +-
 drivers/char/random.c                            |    8 +-
 drivers/char/sonypi.c                            |    9 +-
 drivers/char/tpm/tpm.c                           |    2 +-
 drivers/char/tpm/tpm_acpi.c                      |    3 +-
 drivers/char/tpm/tpm_eventlog.c                  |    7 +-
 drivers/char/virtio_console.c                    |    4 +-
 drivers/clocksource/arm_generic.c                |    2 +-
 drivers/cpufreq/cpufreq.c                        |    2 +-
 drivers/cpufreq/cpufreq_stats.c                  |    2 +-
 drivers/dma/sh/shdma.c                           |    2 +-
 drivers/edac/edac_pci_sysfs.c                    |   20 +-
 drivers/edac/mce_amd.h                           |    2 +-
 drivers/firewire/core-card.c                     |    2 +-
 drivers/firewire/core-cdev.c                     |    3 +-
 drivers/firewire/core-transaction.c              |    1 +
 drivers/firewire/core.h                          |    1 +
 drivers/firmware/dmi_scan.c                      |    7 +-
 drivers/firmware/efivars.c                       |    2 +-
 drivers/gpio/gpio-vr41xx.c                       |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                |    2 +-
 drivers/gpu/drm/drm_drv.c                        |    4 +-
 drivers/gpu/drm/drm_fops.c                       |   18 +-
 drivers/gpu/drm/drm_global.c                     |   14 +-
 drivers/gpu/drm/drm_info.c                       |   14 +-
 drivers/gpu/drm/drm_ioc32.c                      |    4 +-
 drivers/gpu/drm/drm_ioctl.c                      |    2 +-
 drivers/gpu/drm/drm_lock.c                       |    4 +-
 drivers/gpu/drm/drm_stub.c                       |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                  |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c              |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                  |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                  |    6 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c       |    6 +-
 drivers/gpu/drm/i915/i915_irq.c                  |   22 +-
 drivers/gpu/drm/i915/intel_display.c             |    9 +-
 drivers/gpu/drm/mga/mga_drv.h                    |    4 +-
 drivers/gpu/drm/mga/mga_irq.c                    |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c           |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_fence.h          |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c            |    2 +-
 drivers/gpu/drm/r128/r128_cce.c                  |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                  |    4 +-
 drivers/gpu/drm/r128/r128_irq.c                  |    4 +-
 drivers/gpu/drm/r128/r128_state.c                |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c           |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h              |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c            |    2 +-
 drivers/gpu/drm/radeon/radeon_irq.c              |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c            |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c              |    4 +-
 drivers/gpu/drm/radeon/rs690.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c             |    4 +-
 drivers/gpu/drm/via/via_drv.h                    |    4 +-
 drivers/gpu/drm/via/via_irq.c                    |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h              |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c             |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c           |    2 +-
 drivers/hid/hid-core.c                           |    4 +-
 drivers/hv/channel.c                             |    4 +-
 drivers/hv/hv.c                                  |    2 +-
 drivers/hv/hyperv_vmbus.h                        |    2 +-
 drivers/hv/vmbus_drv.c                           |    4 +-
 drivers/hwmon/coretemp.c                         |    2 +-
 drivers/hwmon/sht15.c                            |   12 +-
 drivers/hwmon/via-cputemp.c                      |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c            |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c           |    2 +-
 drivers/ide/ide-cd.c                             |    2 +-
 drivers/infiniband/core/cm.c                     |   32 +-
 drivers/infiniband/core/fmr_pool.c               |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c           |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c          |    6 +-
 drivers/infiniband/hw/nes/nes.c                  |    4 +-
 drivers/infiniband/hw/nes/nes.h                  |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c               |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c              |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c              |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c            |   10 +-
 drivers/infiniband/hw/qib/qib.h                  |    1 +
 drivers/input/gameport/gameport.c                |    4 +-
 drivers/input/input.c                            |    4 +-
 drivers/input/joystick/sidewinder.c              |    1 +
 drivers/input/joystick/xpad.c                    |    4 +-
 drivers/input/mousedev.c                         |    2 +-
 drivers/input/serio/serio.c                      |    4 +-
 drivers/isdn/capi/capi.c                         |   10 +-
 drivers/isdn/gigaset/interface.c                 |    8 +-
 drivers/isdn/hardware/avm/b1.c                   |    4 +-
 drivers/isdn/i4l/isdn_tty.c                      |   22 +-
 drivers/isdn/icn/icn.c                           |    2 +-
 drivers/lguest/core.c                            |   10 +-
 drivers/lguest/x86/core.c                        |   12 +-
 drivers/lguest/x86/switcher_32.S                 |   27 +-
 drivers/md/bitmap.c                              |    2 +-
 drivers/md/dm-ioctl.c                            |    2 +-
 drivers/md/dm-raid1.c                            |   16 +-
 drivers/md/dm-stripe.c                           |   10 +-
 drivers/md/dm-table.c                            |    2 +-
 drivers/md/dm-thin-metadata.c                    |    4 +-
 drivers/md/dm.c                                  |   16 +-
 drivers/md/md.c                                  |   26 +-
 drivers/md/md.h                                  |    6 +-
 drivers/md/persistent-data/dm-space-map.h        |    1 +
 drivers/md/raid1.c                               |    4 +-
 drivers/md/raid10.c                              |   16 +-
 drivers/md/raid5.c                               |   10 +-
 drivers/media/dvb-core/dvbdev.c                  |    2 +-
 drivers/media/dvb-frontends/dib3000.h            |    2 +-
 drivers/media/platform/omap/omap_vout.c          |   11 +-
 drivers/media/platform/s5p-tv/mixer.h            |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c  |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c        |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c      |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c   |    2 +-
 drivers/media/radio/radio-cadet.c                |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c               |    2 +-
 drivers/message/fusion/mptsas.c                  |   34 +-
 drivers/message/fusion/mptscsih.c                |   19 +-
 drivers/message/i2o/i2o_proc.c                   |   51 +-
 drivers/message/i2o/iop.c                        |    8 +-
 drivers/mfd/janz-cmodio.c                        |    1 +
 drivers/misc/kgdbts.c                            |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c               |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h               |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                 |    8 +-
 drivers/misc/sgi-gru/grutables.h                 |  154 +-
 drivers/misc/sgi-xp/xp.h                         |    2 +-
 drivers/misc/sgi-xp/xpc.h                        |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                   |    4 +-
 drivers/mmc/core/mmc_ops.c                       |    2 +-
 drivers/mmc/host/dw_mmc.h                        |    2 +-
 drivers/mmc/host/sdhci-s3c.c                     |    8 +-
 drivers/mtd/devices/doc2000.c                    |    2 +-
 drivers/mtd/nand/denali.c                        |    1 +
 drivers/mtd/nftlmount.c                          |    1 +
 drivers/net/ethernet/8390/ax88796.c              |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h  |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c   |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h   |    3 +-
 drivers/net/ethernet/broadcom/tg3.h              |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h         |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c           |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c      |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c         |    2 +
 drivers/net/ethernet/faraday/ftmac100.c          |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c     |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c |    7 +-
 drivers/net/ethernet/realtek/r8169.c             |    8 +-
 drivers/net/ethernet/sfc/ptp.c                   |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c   |    4 +-
 drivers/net/hyperv/hyperv_net.h                  |    2 +-
 drivers/net/hyperv/rndis_filter.c                |    4 +-
 drivers/net/ieee802154/fakehard.c                |    2 +-
 drivers/net/macvlan.c                            |    2 +-
 drivers/net/macvtap.c                            |    2 +-
 drivers/net/ppp/ppp_generic.c                    |    4 +-
 drivers/net/team/team.c                          |    2 +-
 drivers/net/tun.c                                |    5 +-
 drivers/net/usb/hso.c                            |   23 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c      |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c      |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h              |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c         |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c       |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c        |    4 +-
 drivers/net/wireless/mac80211_hwsim.c            |   32 +-
 drivers/net/wireless/rndis_wlan.c                |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h             |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c        |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c            |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c            |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c            |    6 +-
 drivers/oprofile/buffer_sync.c                   |    8 +-
 drivers/oprofile/event_buffer.c                  |    2 +-
 drivers/oprofile/oprof.c                         |    2 +-
 drivers/oprofile/oprofile_stats.c                |   10 +-
 drivers/oprofile/oprofile_stats.h                |   10 +-
 drivers/oprofile/oprofilefs.c                    |    2 +-
 drivers/oprofile/timer_int.c                     |    2 +-
 drivers/parport/procfs.c                         |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c             |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c              |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c               |    4 +
 drivers/pci/pcie/aspm.c                          |    6 +-
 drivers/pci/probe.c                              |    2 +-
 drivers/platform/x86/thinkpad_acpi.c             |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                  |   14 +-
 drivers/pnp/resource.c                           |    4 +-
 drivers/power/pda_power.c                        |    7 +-
 drivers/regulator/max8660.c                      |    6 +-
 drivers/regulator/max8973-regulator.c            |    8 +-
 drivers/regulator/mc13892-regulator.c            |    6 +-
 drivers/scsi/bfa/bfa.h                           |    2 +-
 drivers/scsi/bfa/bfa_fcpim.h                     |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                       |    4 +-
 drivers/scsi/hosts.c                             |    4 +-
 drivers/scsi/hpsa.c                              |   30 +-
 drivers/scsi/hpsa.h                              |    2 +-
 drivers/scsi/libfc/fc_exch.c                     |   50 +-
 drivers/scsi/libsas/sas_ata.c                    |    2 +-
 drivers/scsi/lpfc/lpfc.h                         |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                 |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                    |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                    |   16 +-
 drivers/scsi/pmcraid.c                           |   20 +-
 drivers/scsi/pmcraid.h                           |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                  |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                   |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                    |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                   |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                    |    6 +-
 drivers/scsi/scsi.c                              |    2 +-
 drivers/scsi/scsi_lib.c                          |    6 +-
 drivers/scsi/scsi_sysfs.c                        |    2 +-
 drivers/scsi/scsi_tgt_lib.c                      |    2 +-
 drivers/scsi/scsi_transport_fc.c                 |    8 +-
 drivers/scsi/scsi_transport_iscsi.c              |    6 +-
 drivers/scsi/scsi_transport_srp.c                |    6 +-
 drivers/scsi/sd.c                                |    2 +-
 drivers/scsi/sg.c                                |    2 +-
 drivers/spi/spi.c                                |    2 +-
 drivers/staging/octeon/ethernet-rx.c             |   12 +-
 drivers/staging/octeon/ethernet.c                |    8 +-
 drivers/staging/ramster/tmem.c                   |   54 +-
 drivers/staging/rtl8712/rtl871x_io.h             |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c               |    2 +-
 drivers/staging/usbip/vhci.h                     |    2 +-
 drivers/staging/usbip/vhci_hcd.c                 |    6 +-
 drivers/staging/usbip/vhci_rx.c                  |    2 +-
 drivers/staging/vt6655/hostap.c                  |    7 +-
 drivers/staging/vt6656/hostap.c                  |    7 +-
 drivers/staging/zcache/tmem.c                    |    4 +-
 drivers/staging/zcache/tmem.h                    |    2 +
 drivers/target/target_core_device.c              |    2 +-
 drivers/target/target_core_transport.c           |    2 +-
 drivers/tty/cyclades.c                           |    6 +-
 drivers/tty/hvc/hvc_console.c                    |   14 +-
 drivers/tty/hvc/hvcs.c                           |   21 +-
 drivers/tty/ipwireless/tty.c                     |   27 +-
 drivers/tty/moxa.c                               |    2 +-
 drivers/tty/n_gsm.c                              |    4 +-
 drivers/tty/n_tty.c                              |    3 +-
 drivers/tty/pty.c                                |    4 +-
 drivers/tty/rocket.c                             |    6 +-
 drivers/tty/serial/kgdboc.c                      |   32 +-
 drivers/tty/serial/samsung.c                     |    9 +-
 drivers/tty/serial/serial_core.c                 |    8 +-
 drivers/tty/synclink.c                           |   34 +-
 drivers/tty/synclink_gt.c                        |   28 +-
 drivers/tty/synclinkmp.c                         |   34 +-
 drivers/tty/tty_io.c                             |    2 +-
 drivers/tty/tty_ldisc.c                          |   10 +-
 drivers/tty/tty_port.c                           |   22 +-
 drivers/uio/uio.c                                |   21 +-
 drivers/usb/atm/cxacru.c                         |    2 +-
 drivers/usb/atm/usbatm.c                         |   24 +-
 drivers/usb/core/devices.c                       |    6 +-
 drivers/usb/core/hcd.c                           |    4 +-
 drivers/usb/core/sysfs.c                         |    2 +-
 drivers/usb/core/usb.c                           |    2 +-
 drivers/usb/early/ehci-dbgp.c                    |   16 +-
 drivers/usb/gadget/u_serial.c                    |   22 +-
 drivers/usb/serial/console.c                     |    6 +-
 drivers/usb/wusbcore/wa-hc.h                     |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                   |    2 +-
 drivers/video/aty/aty128fb.c                     |    2 +-
 drivers/video/fbcmap.c                           |    3 +-
 drivers/video/fbmem.c                            |    6 +-
 drivers/video/i810/i810_accel.c                  |    1 +
 drivers/video/udlfb.c                            |   32 +-
 drivers/video/uvesafb.c                          |   39 +-
 drivers/video/vesafb.c                           |   51 +-
 drivers/video/via/via_clock.h                    |    2 +-
 fs/9p/vfs_inode.c                                |    2 +-
 fs/Kconfig.binfmt                                |    2 +-
 fs/aio.c                                         |   11 +-
 fs/autofs4/waitq.c                               |    2 +-
 fs/befs/linuxvfs.c                               |    2 +-
 fs/binfmt_aout.c                                 |   23 +-
 fs/binfmt_elf.c                                  |  604 ++++-
 fs/binfmt_flat.c                                 |    6 +
 fs/bio.c                                         |    6 +-
 fs/block_dev.c                                   |    2 +-
 fs/btrfs/ctree.c                                 |    9 +-
 fs/btrfs/relocation.c                            |    2 +-
 fs/btrfs/super.c                                 |    2 +-
 fs/cachefiles/bind.c                             |    6 +-
 fs/cachefiles/daemon.c                           |    8 +-
 fs/cachefiles/internal.h                         |   12 +-
 fs/cachefiles/namei.c                            |    2 +-
 fs/cachefiles/proc.c                             |   12 +-
 fs/cachefiles/rdwr.c                             |    2 +-
 fs/ceph/dir.c                                    |    2 +-
 fs/cifs/cifs_debug.c                             |   12 +-
 fs/cifs/cifsfs.c                                 |    8 +-
 fs/cifs/cifsglob.h                               |   54 +-
 fs/cifs/link.c                                   |    2 +-
 fs/cifs/misc.c                                   |    4 +-
 fs/cifs/smb1ops.c                                |   80 +-
 fs/cifs/smb2ops.c                                |   84 +-
 fs/cifs/smb2pdu.c                                |    3 +-
 fs/coda/cache.c                                  |   10 +-
 fs/compat.c                                      |    6 +-
 fs/compat_binfmt_elf.c                           |    2 +
 fs/compat_ioctl.c                                |    8 +-
 fs/configfs/dir.c                                |   10 +-
 fs/coredump.c                                    |   24 +-
 fs/dcache.c                                      |    2 +-
 fs/ecryptfs/inode.c                              |    4 +-
 fs/ecryptfs/miscdev.c                            |    2 +-
 fs/ecryptfs/read_write.c                         |    4 +-
 fs/exec.c                                        |  356 ++-
 fs/ext4/ext4.h                                   |   20 +-
 fs/ext4/mballoc.c                                |   44 +-
 fs/fhandle.c                                     |    3 +-
 fs/fifo.c                                        |   22 +-
 fs/fs_struct.c                                   |    8 +-
 fs/fscache/cookie.c                              |   36 +-
 fs/fscache/internal.h                            |  196 +-
 fs/fscache/object.c                              |   28 +-
 fs/fscache/operation.c                           |   30 +-
 fs/fscache/page.c                                |  110 +-
 fs/fscache/stats.c                               |  344 +-
 fs/fuse/cuse.c                                   |   10 +-
 fs/fuse/dev.c                                    |    2 +-
 fs/fuse/dir.c                                    |    2 +-
 fs/gfs2/inode.c                                  |    2 +-
 fs/hugetlbfs/inode.c                             |   13 +-
 fs/inode.c                                       |    4 +-
 fs/jffs2/erase.c                                 |    3 +-
 fs/jffs2/wbuf.c                                  |    3 +-
 fs/jfs/super.c                                   |    2 +-
 fs/libfs.c                                       |   10 +-
 fs/lockd/clntproc.c                              |    4 +-
 fs/locks.c                                       |    8 +-
 fs/namei.c                                       |   15 +-
 fs/namespace.c                                   |    2 +-
 fs/nfs/inode.c                                   |    6 +-
 fs/nfsd/vfs.c                                    |    6 +-
 fs/notify/fanotify/fanotify_user.c               |    4 +-
 fs/notify/notification.c                         |    4 +-
 fs/ntfs/dir.c                                    |    2 +-
 fs/ntfs/file.c                                   |    4 +-
 fs/ocfs2/localalloc.c                            |    2 +-
 fs/ocfs2/ocfs2.h                                 |   10 +-
 fs/ocfs2/suballoc.c                              |   12 +-
 fs/ocfs2/super.c                                 |   20 +-
 fs/pipe.c                                        |   33 +-
 fs/proc/array.c                                  |   20 +
 fs/proc/kcore.c                                  |   32 +-
 fs/proc/meminfo.c                                |    2 +-
 fs/proc/nommu.c                                  |    2 +-
 fs/proc/self.c                                   |    2 +-
 fs/proc/task_mmu.c                               |   39 +-
 fs/proc/task_nommu.c                             |    4 +-
 fs/quota/netlink.c                               |    4 +-
 fs/readdir.c                                     |    2 +-
 fs/reiserfs/do_balan.c                           |    2 +-
 fs/reiserfs/procfs.c                             |    2 +-
 fs/reiserfs/reiserfs.h                           |    4 +-
 fs/seq_file.c                                    |    2 +-
 fs/splice.c                                      |   36 +-
 fs/sysfs/file.c                                  |   10 +-
 fs/sysfs/symlink.c                               |    2 +-
 fs/udf/misc.c                                    |    2 +-
 fs/xattr_acl.c                                   |    4 +-
 fs/xfs/xfs_bmap.c                                |    2 +-
 fs/xfs/xfs_dir2_sf.c                             |   10 +-
 fs/xfs/xfs_ioctl.c                               |    2 +-
 fs/xfs/xfs_iops.c                                |    2 +-
 include/asm-generic/4level-fixup.h               |    2 +
 include/asm-generic/atomic-long.h                |  210 ++
 include/asm-generic/atomic.h                     |    2 +-
 include/asm-generic/atomic64.h                   |   12 +
 include/asm-generic/cache.h                      |    4 +-
 include/asm-generic/emergency-restart.h          |    2 +-
 include/asm-generic/kmap_types.h                 |    4 +-
 include/asm-generic/local.h                      |   13 +
 include/asm-generic/pgtable-nopmd.h              |   18 +-
 include/asm-generic/pgtable-nopud.h              |   15 +-
 include/asm-generic/pgtable.h                    |    8 +
 include/asm-generic/vmlinux.lds.h                |   10 +-
 include/crypto/algapi.h                          |    2 +-
 include/drm/drmP.h                               |    5 +-
 include/drm/drm_crtc_helper.h                    |    2 +-
 include/drm/ttm/ttm_memory.h                     |    2 +-
 include/linux/atmdev.h                           |    2 +-
 include/linux/binfmts.h                          |    1 +
 include/linux/blkdev.h                           |    2 +-
 include/linux/blktrace_api.h                     |    2 +-
 include/linux/cache.h                            |    4 +
 include/linux/cdrom.h                            |    1 -
 include/linux/cleancache.h                       |    2 +-
 include/linux/compiler-gcc4.h                    |   20 +
 include/linux/compiler.h                         |   72 +-
 include/linux/cpu.h                              |    2 +-
 include/linux/crypto.h                           |    6 +-
 include/linux/decompress/mm.h                    |    2 +-
 include/linux/dma-mapping.h                      |    2 +-
 include/linux/dmaengine.h                        |    4 +-
 include/linux/efi.h                              |    1 +
 include/linux/elf.h                              |    2 +
 include/linux/filter.h                           |    4 +
 include/linux/frontswap.h                        |    2 +-
 include/linux/fs.h                               |    3 +-
 include/linux/fs_struct.h                        |    2 +-
 include/linux/fscache-cache.h                    |    4 +-
 include/linux/fsnotify.h                         |    2 +-
 include/linux/ftrace_event.h                     |    2 +-
 include/linux/genhd.h                            |    2 +-
 include/linux/gfp.h                              |   12 +-
 include/linux/highmem.h                          |   12 +
 include/linux/i2c.h                              |    1 +
 include/linux/i2o.h                              |    2 +-
 include/linux/if_pppox.h                         |    2 +-
 include/linux/init.h                             |   33 +-
 include/linux/init_task.h                        |    7 +
 include/linux/interrupt.h                        |    8 +-
 include/linux/kgdb.h                             |    6 +-
 include/linux/kobject.h                          |    2 +-
 include/linux/kref.h                             |    2 +-
 include/linux/kvm_host.h                         |    4 +-
 include/linux/libata.h                           |    2 +-
 include/linux/list.h                             |    3 +
 include/linux/mm.h                               |   91 +-
 include/linux/mm_types.h                         |   22 +-
 include/linux/mmiotrace.h                        |    4 +-
 include/linux/mmzone.h                           |    2 +-
 include/linux/mod_devicetable.h                  |    4 +-
 include/linux/module.h                           |   55 +-
 include/linux/moduleloader.h                     |   18 +-
 include/linux/moduleparam.h                      |    4 +-
 include/linux/namei.h                            |    6 +-
 include/linux/netdevice.h                        |    3 +-
 include/linux/netfilter/ipset/ip_set.h           |    2 +-
 include/linux/netfilter/nfnetlink.h              |    2 +-
 include/linux/notifier.h                         |    3 +-
 include/linux/oprofile.h                         |    4 +-
 include/linux/perf_event.h                       |   10 +-
 include/linux/pipe_fs_i.h                        |    6 +-
 include/linux/platform_data/usb-ehci-s5p.h       |    2 +-
 include/linux/pm_runtime.h                       |    2 +-
 include/linux/poison.h                           |    4 +-
 include/linux/power/smartreflex.h                |    2 +-
 include/linux/random.h                           |    5 +
 include/linux/reboot.h                           |   14 +-
 include/linux/regset.h                           |    3 +-
 include/linux/relay.h                            |    2 +-
 include/linux/rio.h                              |    2 +-
 include/linux/rmap.h                             |    4 +-
 include/linux/sched.h                            |   64 +-
 include/linux/seq_file.h                         |    1 +
 include/linux/skbuff.h                           |   12 +-
 include/linux/slab.h                             |   36 +-
 include/linux/slab_def.h                         |   33 +-
 include/linux/slob_def.h                         |    4 +-
 include/linux/slub_def.h                         |   10 +-
 include/linux/sonet.h                            |    2 +-
 include/linux/sunrpc/clnt.h                      |    8 +-
 include/linux/sunrpc/svc_rdma.h                  |   18 +-
 include/linux/sysrq.h                            |    2 +-
 include/linux/thread_info.h                      |    7 +
 include/linux/tty.h                              |    4 +-
 include/linux/tty_driver.h                       |    2 +-
 include/linux/tty_ldisc.h                        |    2 +-
 include/linux/types.h                            |   16 +
 include/linux/uaccess.h                          |    6 +-
 include/linux/unaligned/access_ok.h              |   12 +-
 include/linux/usb.h                              |    2 +-
 include/linux/usb/renesas_usbhs.h                |    2 +-
 include/linux/vermagic.h                         |   21 +-
 include/linux/vmalloc.h                          |   11 +-
 include/linux/vmstat.h                           |   20 +-
 include/media/v4l2-dev.h                         |    2 +-
 include/media/v4l2-ioctl.h                       |    1 -
 include/net/caif/cfctrl.h                        |    6 +-
 include/net/flow.h                               |    2 +-
 include/net/gro_cells.h                          |    6 +-
 include/net/inet_connection_sock.h               |    2 +-
 include/net/inetpeer.h                           |    8 +-
 include/net/ip_fib.h                             |    2 +-
 include/net/ip_vs.h                              |    4 +-
 include/net/irda/ircomm_tty.h                    |    1 +
 include/net/iucv/af_iucv.h                       |    2 +-
 include/net/neighbour.h                          |    2 +-
 include/net/net_namespace.h                      |    6 +-
 include/net/netdma.h                             |    2 +-
 include/net/netlink.h                            |    2 +-
 include/net/netns/ipv4.h                         |    2 +-
 include/net/protocol.h                           |    4 +-
 include/net/sctp/sctp.h                          |    6 +-
 include/net/sctp/structs.h                       |    4 +-
 include/net/sock.h                               |    6 +-
 include/net/tcp.h                                |    8 +-
 include/net/xfrm.h                               |    4 +-
 include/rdma/iw_cm.h                             |    2 +-
 include/scsi/libfc.h                             |    3 +-
 include/scsi/scsi_device.h                       |    6 +-
 include/scsi/scsi_transport_fc.h                 |    3 +-
 include/sound/soc.h                              |    4 +-
 include/target/target_core_base.h                |    2 +-
 include/trace/events/irq.h                       |    4 +-
 include/uapi/linux/a.out.h                       |    8 +
 include/uapi/linux/byteorder/little_endian.h     |   24 +-
 include/uapi/linux/elf.h                         |   28 +
 include/uapi/linux/screen_info.h                 |    3 +-
 include/uapi/linux/sysctl.h                      |    6 +-
 include/uapi/linux/xattr.h                       |    4 +
 include/video/udlfb.h                            |    8 +-
 include/video/uvesafb.h                          |    1 +
 init/Kconfig                                     |    2 +-
 init/Makefile                                    |    3 +
 init/do_mounts.c                                 |   14 +-
 init/do_mounts.h                                 |    8 +-
 init/do_mounts_initrd.c                          |   22 +-
 init/do_mounts_md.c                              |    6 +-
 init/init_task.c                                 |    4 +
 init/initramfs.c                                 |   40 +-
 init/main.c                                      |   78 +-
 ipc/msg.c                                        |   11 +-
 ipc/sem.c                                        |   11 +-
 ipc/shm.c                                        |   17 +-
 kernel/acct.c                                    |    2 +-
 kernel/audit.c                                   |    8 +-
 kernel/auditsc.c                                 |    4 +-
 kernel/capability.c                              |    3 +
 kernel/compat.c                                  |   40 +-
 kernel/debug/debug_core.c                        |   16 +-
 kernel/debug/kdb/kdb_main.c                      |    4 +-
 kernel/events/core.c                             |   28 +-
 kernel/exit.c                                    |    4 +-
 kernel/fork.c                                    |  167 +-
 kernel/futex.c                                   |    9 +
 kernel/gcov/base.c                               |    7 +-
 kernel/hrtimer.c                                 |    4 +-
 kernel/jump_label.c                              |    5 +
 kernel/kallsyms.c                                |   39 +-
 kernel/kexec.c                                   |    3 +-
 kernel/kmod.c                                    |    2 +-
 kernel/kprobes.c                                 |    8 +-
 kernel/lockdep.c                                 |    7 +-
 kernel/module.c                                  |  333 ++-
 kernel/mutex-debug.c                             |   12 +-
 kernel/mutex-debug.h                             |    4 +-
 kernel/mutex.c                                   |    7 +-
 kernel/notifier.c                                |   17 +-
 kernel/panic.c                                   |    3 +-
 kernel/pid.c                                     |    2 +-
 kernel/posix-cpu-timers.c                        |    4 +-
 kernel/posix-timers.c                            |   20 +-
 kernel/power/process.c                           |   12 +-
 kernel/profile.c                                 |   14 +-
 kernel/ptrace.c                                  |    6 +-
 kernel/rcutiny.c                                 |    4 +-
 kernel/rcutiny_plugin.h                          |    2 +-
 kernel/rcutorture.c                              |   56 +-
 kernel/rcutree.c                                 |   72 +-
 kernel/rcutree.h                                 |   24 +-
 kernel/rcutree_plugin.h                          |   18 +-
 kernel/rcutree_trace.c                           |   22 +-
 kernel/rtmutex-tester.c                          |   24 +-
 kernel/sched/auto_group.c                        |    4 +-
 kernel/sched/core.c                              |    2 +-
 kernel/sched/fair.c                              |    4 +-
 kernel/signal.c                                  |   12 +-
 kernel/smp.c                                     |    2 +-
 kernel/softirq.c                                 |   16 +-
 kernel/srcu.c                                    |    6 +-
 kernel/stop_machine.c                            |    2 +-
 kernel/sys.c                                     |   12 +-
 kernel/sysctl.c                                  |   37 +-
 kernel/sysctl_binary.c                           |   14 +-
 kernel/time/alarmtimer.c                         |    2 +-
 kernel/time/tick-broadcast.c                     |    2 +-
 kernel/time/timer_stats.c                        |   10 +-
 kernel/timer.c                                   |    4 +-
 kernel/trace/blktrace.c                          |    6 +-
 kernel/trace/ftrace.c                            |   20 +-
 kernel/trace/ring_buffer.c                       |   76 +-
 kernel/trace/trace.c                             |    6 +-
 kernel/trace/trace_events.c                      |   25 +-
 kernel/trace/trace_mmiotrace.c                   |    8 +-
 kernel/trace/trace_output.c                      |   12 +-
 kernel/trace/trace_stack.c                       |    2 +-
 lib/Makefile                                     |    2 +-
 lib/bitmap.c                                     |    8 +-
 lib/bug.c                                        |    2 +
 lib/debugobjects.c                               |    2 +-
 lib/devres.c                                     |    4 +-
 lib/dma-debug.c                                  |    4 +-
 lib/inflate.c                                    |    2 +-
 lib/ioremap.c                                    |    4 +-
 lib/list_debug.c                                 |   89 +-
 lib/radix-tree.c                                 |    2 +-
 lib/strncpy_from_user.c                          |    2 +-
 lib/strnlen_user.c                               |    2 +-
 lib/vsprintf.c                                   |   12 +-
 mm/Kconfig                                       |    6 +-
 mm/filemap.c                                     |    2 +-
 mm/fremap.c                                      |    5 +
 mm/highmem.c                                     |    7 +-
 mm/hugetlb.c                                     |   54 +
 mm/internal.h                                    |    1 +
 mm/maccess.c                                     |    4 +-
 mm/madvise.c                                     |   41 +
 mm/memory-failure.c                              |   18 +-
 mm/memory.c                                      |  404 ++-
 mm/mempolicy.c                                   |   26 +
 mm/mlock.c                                       |   16 +-
 mm/mmap.c                                        |  573 +++-
 mm/mprotect.c                                    |  138 +-
 mm/mremap.c                                      |   44 +-
 mm/nommu.c                                       |   11 +-
 mm/page-writeback.c                              |    2 +-
 mm/page_alloc.c                                  |   14 +-
 mm/percpu.c                                      |    2 +-
 mm/process_vm_access.c                           |   14 +-
 mm/rmap.c                                        |   38 +-
 mm/shmem.c                                       |   19 +-
 mm/slab.c                                        |  104 +-
 mm/slab.h                                        |    5 +-
 mm/slab_common.c                                 |    9 +-
 mm/slob.c                                        |  200 +-
 mm/slub.c                                        |   98 +-
 mm/sparse-vmemmap.c                              |    4 +-
 mm/sparse.c                                      |    2 +-
 mm/swap.c                                        |    3 +
 mm/swapfile.c                                    |   12 +-
 mm/util.c                                        |    6 +
 mm/vmalloc.c                                     |   82 +-
 mm/vmstat.c                                      |   12 +-
 net/8021q/vlan.c                                 |    5 +-
 net/9p/trans_fd.c                                |    2 +-
 net/atm/atm_misc.c                               |    8 +-
 net/atm/lec.h                                    |    2 +-
 net/atm/proc.c                                   |    6 +-
 net/atm/resources.c                              |    4 +-
 net/batman-adv/bat_iv_ogm.c                      |    8 +-
 net/batman-adv/hard-interface.c                  |    4 +-
 net/batman-adv/soft-interface.c                  |    4 +-
 net/batman-adv/types.h                           |    6 +-
 net/batman-adv/unicast.c                         |    2 +-
 net/bluetooth/hci_sock.c                         |    2 +-
 net/bluetooth/l2cap_core.c                       |    6 +-
 net/bluetooth/l2cap_sock.c                       |   12 +-
 net/bluetooth/rfcomm/sock.c                      |    4 +-
 net/bluetooth/rfcomm/tty.c                       |   10 +-
 net/bridge/netfilter/ebtables.c                  |    6 +-
 net/caif/cfctrl.c                                |   11 +-
 net/can/af_can.c                                 |    2 +-
 net/can/gw.c                                     |    6 +-
 net/compat.c                                     |   34 +-
 net/core/datagram.c                              |    2 +-
 net/core/dev.c                                   |   16 +-
 net/core/flow.c                                  |    8 +-
 net/core/iovec.c                                 |    4 +-
 net/core/rtnetlink.c                             |    2 +-
 net/core/scm.c                                   |    8 +-
 net/core/sock.c                                  |   24 +-
 net/decnet/sysctl_net_decnet.c                   |    4 +-
 net/ipv4/ah4.c                                   |    2 +-
 net/ipv4/esp4.c                                  |    2 +-
 net/ipv4/fib_frontend.c                          |    6 +-
 net/ipv4/fib_semantics.c                         |    2 +-
 net/ipv4/inetpeer.c                              |    4 +-
 net/ipv4/ip_fragment.c                           |    2 +-
 net/ipv4/ip_sockglue.c                           |    2 +-
 net/ipv4/ipcomp.c                                |    2 +-
 net/ipv4/ipconfig.c                              |    6 +-
 net/ipv4/netfilter/arp_tables.c                  |   12 +-
 net/ipv4/netfilter/ip_tables.c                   |   12 +-
 net/ipv4/ping.c                                  |    2 +-
 net/ipv4/raw.c                                   |   14 +-
 net/ipv4/route.c                                 |    2 +-
 net/ipv4/tcp_input.c                             |    2 +-
 net/ipv4/tcp_probe.c                             |    2 +-
 net/ipv4/udp.c                                   |   10 +-
 net/ipv6/addrconf.c                              |    2 +-
 net/ipv6/ip6_gre.c                               |    2 +-
 net/ipv6/ipv6_sockglue.c                         |    2 +-
 net/ipv6/netfilter/ip6_tables.c                  |   12 +-
 net/ipv6/raw.c                                   |   19 +-
 net/ipv6/udp.c                                   |    8 +-
 net/irda/ircomm/ircomm_tty.c                     |   18 +-
 net/iucv/af_iucv.c                               |    4 +-
 net/iucv/iucv.c                                  |    2 +-
 net/key/af_key.c                                 |    4 +-
 net/mac80211/cfg.c                               |    4 +-
 net/mac80211/ieee80211_i.h                       |    3 +-
 net/mac80211/iface.c                             |   14 +-
 net/mac80211/main.c                              |    2 +-
 net/mac80211/pm.c                                |    6 +-
 net/mac80211/rate.c                              |    2 +-
 net/mac80211/rc80211_pid_debugfs.c               |    2 +-
 net/mac80211/util.c                              |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                  |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                   |   10 +-
 net/netfilter/ipvs/ip_vs_sync.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                  |    4 +-
 net/netfilter/nfnetlink_log.c                    |    4 +-
 net/netfilter/xt_statistic.c                     |    8 +-
 net/netlink/af_netlink.c                         |    4 +-
 net/packet/af_packet.c                           |   12 +-
 net/phonet/pep.c                                 |    6 +-
 net/phonet/socket.c                              |    2 +-
 net/rds/cong.c                                   |    6 +-
 net/rds/ib.h                                     |    2 +-
 net/rds/ib_cm.c                                  |    2 +-
 net/rds/ib_recv.c                                |    4 +-
 net/rds/iw.h                                     |    2 +-
 net/rds/iw_cm.c                                  |    2 +-
 net/rds/iw_recv.c                                |    4 +-
 net/rds/tcp.c                                    |    2 +-
 net/rds/tcp_send.c                               |    2 +-
 net/rxrpc/af_rxrpc.c                             |    2 +-
 net/rxrpc/ar-ack.c                               |   14 +-
 net/rxrpc/ar-call.c                              |    2 +-
 net/rxrpc/ar-connection.c                        |    2 +-
 net/rxrpc/ar-connevent.c                         |    2 +-
 net/rxrpc/ar-input.c                             |    4 +-
 net/rxrpc/ar-internal.h                          |    8 +-
 net/rxrpc/ar-local.c                             |    2 +-
 net/rxrpc/ar-output.c                            |    4 +-
 net/rxrpc/ar-peer.c                              |    2 +-
 net/rxrpc/ar-proc.c                              |    4 +-
 net/rxrpc/ar-transport.c                         |    2 +-
 net/rxrpc/rxkad.c                                |    4 +-
 net/sctp/ipv6.c                                  |    2 +-
 net/sctp/protocol.c                              |    8 +-
 net/sctp/socket.c                                |    2 +
 net/socket.c                                     |   34 +-
 net/sunrpc/sched.c                               |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                   |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c          |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c            |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c         |   10 +-
 net/tipc/link.c                                  |    6 +-
 net/tipc/msg.c                                   |    2 +-
 net/tipc/subscr.c                                |    2 +-
 net/wireless/wext-core.c                         |   19 +-
 net/xfrm/xfrm_policy.c                           |   16 +-
 net/xfrm/xfrm_state.c                            |    4 +-
 scripts/Makefile.build                           |    2 +-
 scripts/Makefile.clean                           |    3 +-
 scripts/Makefile.host                            |   28 +-
 scripts/basic/fixdep.c                           |   12 +-
 scripts/gcc-plugin.sh                            |   17 +
 scripts/link-vmlinux.sh                          |    2 +-
 scripts/mod/file2alias.c                         |   14 +-
 scripts/mod/modpost.c                            |   25 +-
 scripts/mod/modpost.h                            |    6 +-
 scripts/mod/sumversion.c                         |    2 +-
 scripts/pnmtologo.c                              |    6 +-
 security/Kconfig                                 |  654 ++++-
 security/integrity/ima/ima.h                     |    4 +-
 security/integrity/ima/ima_api.c                 |    2 +-
 security/integrity/ima/ima_fs.c                  |    4 +-
 security/integrity/ima/ima_queue.c               |    2 +-
 security/keys/compat.c                           |    2 +-
 security/keys/keyctl.c                           |    8 +-
 security/keys/keyring.c                          |    6 +-
 security/security.c                              |    9 +-
 security/selinux/hooks.c                         |    2 +-
 security/selinux/include/xfrm.h                  |    2 +-
 security/smack/smack_lsm.c                       |    2 +-
 security/tomoyo/tomoyo.c                         |    2 +-
 sound/aoa/codecs/onyx.c                          |    7 +-
 sound/aoa/codecs/onyx.h                          |    1 +
 sound/core/oss/pcm_oss.c                         |   18 +-
 sound/core/pcm_compat.c                          |    2 +-
 sound/core/pcm_native.c                          |    4 +-
 sound/core/seq/seq_device.c                      |    8 +-
 sound/drivers/mts64.c                            |   14 +-
 sound/drivers/opl4/opl4_lib.c                    |    2 +-
 sound/drivers/portman2x4.c                       |    3 +-
 sound/firewire/amdtp.c                           |    4 +-
 sound/firewire/amdtp.h                           |    2 +-
 sound/firewire/isight.c                          |   10 +-
 sound/firewire/scs1x.c                           |    8 +-
 sound/oss/sb_audio.c                             |    2 +-
 sound/oss/swarm_cs4297a.c                        |    6 +-
 sound/pci/ymfpci/ymfpci.h                        |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                   |   12 +-
 tools/gcc/.gitignore                             |    1 +
 tools/gcc/Makefile                               |   43 +
 tools/gcc/checker_plugin.c                       |  171 +
 tools/gcc/colorize_plugin.c                      |  151 +
 tools/gcc/constify_plugin.c                      |  359 +++
 tools/gcc/generate_size_overflow_hash.sh         |   94 +
 tools/gcc/kallocstat_plugin.c                    |  170 +
 tools/gcc/kernexec_plugin.c                      |  465 +++
 tools/gcc/latent_entropy_plugin.c                |  321 ++
 tools/gcc/size_overflow_hash.data                | 3713 ++++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                 | 1941 +++++++++++
 tools/gcc/stackleak_plugin.c                     |  327 ++
 tools/perf/util/include/asm/alternative-asm.h    |    3 +
 virt/kvm/kvm_main.c                              |   32 +-
 1311 files changed, 26668 insertions(+), 6394 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
Merge: c3ccfb2 777e08c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:49:04 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:47:32 2013 -0400

    Update to pax-linux-3.10.11-test26.patch:
    - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
    - fixed an uninitialized read in splice, reported by hunger

 fs/splice.c                       |    1 +
 include/linux/syscalls.h          |   14 +-
 tools/gcc/size_overflow_hash.data |  426 +++++++++++++++++++++----------------
 3 files changed, 247 insertions(+), 194 deletions(-)

commit 5c3161364270c842d901789faac731f79a9f9cd6
Merge: cf9c476 85cdabb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:24:25 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit c3ccfb29794a03413095422100ce90d40ef7df0f
Author: Jakob Bornecrantz <jakob@vmware.com>
Date:   Thu Aug 29 02:32:53 2013 +0200

    Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
    
    drm/vmwgfx: Split GMR2_REMAP commands if they are to large
    
    This fixes the piglit test texturing/max-texture-size
    causing the VM to die due to a too large SVGA command.
    
    Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
    Reviewed-by: Biran Paul <brianp@vmware.com>
    Reviewed-by: Zack Rusin <zackr@vmware.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@gmail.com>

 drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c |   58 +++++++++++++++++++++++-----------
 1 files changed, 39 insertions(+), 19 deletions(-)

commit d260badf708d6aa16c44f56f54727532dcae826e
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Sep 3 19:29:12 2013 +0200

    Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
    
    net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    
    In tcp_v6_do_rcv() code, when processing pkt options, we soley work
    on our skb clone opt_skb that we've created earlier before entering
    tcp_rcv_established() on our way. However, only in condition ...
    
      if (np->rxopt.bits.rxtclass)
        np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
    
    ... we work on skb itself. As we extract every other information out
    of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
    already be released by tcp_rcv_established() earlier on. When we try
    to access it in ipv6_hdr(), we will dereference freed skb.
    
    [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
      IP_PKTOPTIONS") ]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/tcp_ipv6.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 29 11:47:00 2013 +0300

    Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
    
    mISDN: return -EINVAL on error in dsp_control_req()
    
    If skb->len is too short then we should return an error.  Otherwise we
    read beyond the end of skb->data for several bytes.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/mISDN/dsp_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:36:23 2013 -0400

    fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit da68dbcd96c617923a0aedb177d36b2701f9c858
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:17:02 2013 -0400

    Allow the deny_new_usb sysctl to be toggled off by a user with
    CAP_SYS_ADMIN.  This allows for more inventive uses of the feature
    that would be impossible otherwise (like toggling it while the screen is
    locked, etc)

 grsecurity/grsec_sysctl.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit ce0e893adc830ee110f97071cc17e661fb35ae3d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 18:41:49 2013 -0400

    Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
    GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
    users who know they want the functionality but don't want to bother
    with modifying init scripts
    
    Also eliminate reset_security_ops() as a ROP target when
    SECURITY_SELINUX_DISABLE is disabled as it's the only user

 grsecurity/Kconfig        |   17 ++++++++++++++++-
 grsecurity/grsec_init.c   |    3 +++
 grsecurity/grsec_sysctl.c |    2 +-
 security/security.c       |    4 ++++
 4 files changed, 24 insertions(+), 2 deletions(-)

commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
Merge: 7ee3899 cf9c476
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 1 13:56:57 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 1 13:56:16 2013 -0400

    Update to pax-linux-3.10.10-test25.patch:
    - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
    - got inet_getid and ipv6_select_ident rid of the cmpxchg loop

 block/blk-cgroup.c                |    4 ++--
 drivers/video/hyperv_fb.c         |    4 ++--
 fs/namespace.c                    |    4 ++--
 include/net/inetpeer.h            |   13 +++++--------
 kernel/trace/trace_clock.c        |    4 ++--
 net/ipv6/output_core.c            |   15 ++++++---------
 net/sunrpc/auth_gss/svcauth_gss.c |    4 ++--
 7 files changed, 21 insertions(+), 27 deletions(-)

commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
Merge: fd0338c 2bdeae7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 22:07:38 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 22:06:55 2013 -0400

    Update to pax-linux-3.10.10-test24.patch:
    - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
    - fixed a bunch more after a quick audit of atomic_inc_return users

 drivers/acpi/apei/ghes.c                      |    4 ++--
 drivers/ata/libata-core.c                     |    4 ++--
 drivers/ata/libata-scsi.c                     |    2 +-
 drivers/ata/libata.h                          |    2 +-
 drivers/block/drbd/drbd_nl.c                  |    4 ++--
 drivers/crypto/hifn_795x.c                    |    4 ++--
 drivers/edac/edac_device.c                    |    4 ++--
 drivers/edac/edac_pci.c                       |    4 ++--
 drivers/firewire/core-card.c                  |    4 ++--
 drivers/hv/hv_balloon.c                       |   18 +++++++++---------
 drivers/infiniband/hw/mlx4/mad.c              |    2 +-
 drivers/infiniband/hw/mlx4/mlx4_ib.h          |    2 +-
 drivers/input/misc/ims-pcu.c                  |    4 ++--
 drivers/input/serio/serio_raw.c               |    4 ++--
 drivers/media/pci/ivtv/ivtv-driver.c          |    2 +-
 drivers/media/radio/radio-maxiradio.c         |    2 +-
 drivers/media/radio/radio-shark.c             |    2 +-
 drivers/media/radio/radio-shark2.c            |    2 +-
 drivers/media/radio/radio-si476x.c            |    2 +-
 drivers/media/rc/rc-main.c                    |    4 ++--
 drivers/media/v4l2-core/v4l2-device.c         |    4 ++--
 drivers/net/usb/sierra_net.c                  |    4 ++--
 drivers/pci/hotplug/pciehp_hpc.c              |    4 +---
 drivers/regulator/core.c                      |    4 ++--
 drivers/scsi/fcoe/fcoe_sysfs.c                |   12 ++++++------
 drivers/staging/android/timed_output.c        |    6 +++---
 drivers/staging/media/solo6x10/solo6x10-p2m.c |    2 +-
 drivers/staging/media/solo6x10/solo6x10.h     |    2 +-
 drivers/target/sbp/sbp_target.c               |    4 ++--
 drivers/tty/hvc/hvsi.c                        |   12 ++++++------
 drivers/tty/hvc/hvsi_lib.c                    |    6 +++---
 drivers/tty/serial/ioc4_serial.c              |    6 +++---
 drivers/tty/serial/msm_serial.c               |    4 ++--
 drivers/usb/misc/appledisplay.c               |    4 ++--
 fs/afs/inode.c                                |    4 ++--
 fs/btrfs/delayed-inode.c                      |    6 +++---
 fs/btrfs/delayed-inode.h                      |    4 ++--
 fs/fscache/cookie.c                           |    4 ++--
 include/media/v4l2-device.h                   |    2 +-
 net/ceph/messenger.c                          |    4 ++--
 net/core/netpoll.c                            |    4 ++--
 net/xfrm/xfrm_state.c                         |    4 ++--
 security/selinux/avc.c                        |    6 +++---
 43 files changed, 93 insertions(+), 95 deletions(-)

commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
Merge: 1bdf7ec 85099d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 21:07:29 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 21:06:55 2013 -0400

    Update to pax-linux-3.10.10-test23.patch:
    - added the necessary atomic_unchecked_t conversion for mips
    - audited and fixed arm and sparc for proper atomic_unchecked_t usage

 arch/arm/kvm/arm.c            |    8 ++++----
 arch/arm/mm/context.c         |   10 +++++-----
 arch/mips/kernel/irq.c        |    6 +++---
 arch/mips/kernel/sync-r4k.c   |   24 ++++++++++++------------
 arch/mips/sgi-ip27/ip27-nmi.c |    6 +++---
 arch/sparc/kernel/smp_64.c    |   12 ++++++------
 arch/sparc/kernel/traps_64.c  |   14 +++++++-------
 arch/sparc/mm/init_64.c       |   10 +++++-----
 8 files changed, 45 insertions(+), 45 deletions(-)

commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
Merge: 995a168 38ee86c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 19:23:36 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 19:23:11 2013 -0400

    Update to pax-linux-3.10.10-test22.patch:
    - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
    - fixed a few more format strings

 arch/mips/include/asm/atomic.h          |   20 ++++++++++++++++----
 drivers/md/bcache/super.c               |    2 +-
 drivers/net/wireless/iwlwifi/dvm/main.c |    3 +--
 drivers/pci/hotplug/pciehp_hpc.c        |    2 +-
 drivers/platform/x86/wmi.c              |    2 +-
 drivers/scsi/sd.c                       |    2 +-
 drivers/vfio/vfio.c                     |    4 ++--
 fs/ntfs/super.c                         |    6 +++---
 include/linux/workqueue.h               |    6 +++---
 net/mac80211/main.c                     |    2 +-
 sound/pci/hda/hda_codec.c               |    8 ++------
 11 files changed, 32 insertions(+), 25 deletions(-)

commit 995a16841e2097c3a9dfc652e856469679c4a0ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 17:11:11 2013 -0400

    fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast

 grsecurity/grsec_sysctl.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
Merge: be2497c 1052971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 29 20:44:29 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        include/linux/sched.h

commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
Merge: e902dad 8bf3379
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 29 20:39:50 2013 -0400

    Update to pax-linux-3.10.10-test21.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/sys_x86_64.c
        arch/x86/mm/mmap.c
        include/linux/sched.h

commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
Merge: 081c22b e902dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:52:44 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:51:21 2013 -0400

    Update to pax-linux-3.10.9-test21.patch:
    - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
    - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
    - fixed a REFCOUNT false positive in UHID
    - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
      Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
      (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
      - icmpv6_filter: no memory corruption, probably just some logical error in the caller
      - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
      - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
      - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
      - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
      - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network

 arch/arm/mm/fault.c                        |    2 +-
 arch/mips/kernel/traps.c                   |    2 --
 drivers/hid/uhid.c                         |    6 +++---
 drivers/isdn/gigaset/usb-gigaset.c         |    2 +-
 drivers/isdn/i4l/isdn_common.c             |    2 ++
 drivers/net/wireless/hostap/hostap_ioctl.c |    4 ++--
 drivers/usb/dwc3/gadget.c                  |    2 --
 net/ieee802154/6lowpan.c                   |    2 +-
 net/ipv6/raw.c                             |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c    |    6 +++---
 10 files changed, 14 insertions(+), 16 deletions(-)

commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:42:39 2013 -0400

    add export of gr_handle_new_usb()

 grsecurity/grsec_usb.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 19:24:47 2013 -0400

    Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
    Kees' recent findings are motivation enough to publish it

 drivers/usb/core/hub.c     |    5 +++++
 grsecurity/Kconfig         |   20 ++++++++++++++++++++
 grsecurity/Makefile        |    3 ++-
 grsecurity/grsec_init.c    |    1 +
 grsecurity/grsec_sysctl.c  |   11 +++++++++++
 grsecurity/grsec_usb.c     |   13 +++++++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grsecurity.h |    2 ++
 8 files changed, 55 insertions(+), 1 deletions(-)

commit 8044382257ec75a03f3d784ce048ef14e94b90ca
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:35:07 2013 -0700

    HID: zeroplus: validate output report details
    
    The zeroplus HID driver was not checking the size of allocated values
    in fields it used. A HID device could send a malicious output report
    that would cause the driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
    ...
    [ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2889
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-zpff.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 14:36:15 2013 -0700

    HID: provide a helper for validating hid reports
    
    Many drivers need to validate the characteristics of their HID report
    during initialization to avoid misusing the reports. This adds a common
    helper to perform validation of the report, its field count, and the
    value count within the fields.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-core.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/hid.h    |    4 +++
 2 files changed, 54 insertions(+), 0 deletions(-)

commit 270ba9096ddecdc3cf6c4d76e6892184820116be
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:14:34 2013 -0700

    HID: steelseries: validate output report details
    
    A HID device could send a malicious output report that would cause the
    steelseries HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
    ...
    [  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2891
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-steelseries.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 08:49:21 2013 -0700

    HID: pantherlord: validate output report details
    
    A HID device could send a malicious output report that would cause the
    pantherlord HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
    ...
    [  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2892
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-pl.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 60115e8108e508060815bce5ef9504233c81898c
Author: Kees Cook <keescook@chromium.org>
Date:   Tue Aug 13 16:49:01 2013 -0700

    HID: LG: validate HID output report details
    
    A HID device could send a malicious output report that would cause the
    lg, lg3, and lg4 HID drivers to write beyond the output report allocation
    during an event, causing a heap overflow:
    
    [  325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
    ...
    [  414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
    
    Additionally, while lg2 did correctly validate the report details, it was
    cleaned up and shortened.
    
    CVE-2013-2893
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-lg2ff.c |   19 +++----------------
 drivers/hid/hid-lg3ff.c |   29 ++++++-----------------------
 drivers/hid/hid-lg4ff.c |   20 +-------------------
 drivers/hid/hid-lgff.c  |   17 ++---------------
 4 files changed, 12 insertions(+), 73 deletions(-)

commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:21:23 2013 -0700

    HID: lenovo-tpkbd: validate output report details
    
    A HID device could send a malicious output report that would cause the
    lenovo-tpkbd HID driver to write just beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
    ...
    [   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2894
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-lenovo-tpkbd.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 38627769bb2b9a550e251b2caf1babda7566fb4a
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Aug 15 23:45:03 2013 -0700

    HID: logitech-dj: validate output report details
    
    A HID device could send a malicious output report that would cause the
    logitech-dj HID driver to leak kernel memory contents to the device, or
    trigger a NULL dereference during initialization:
    
    [  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
    ...
    [  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
    [  304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
    
    CVE-2013-2895
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-logitech-dj.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:18:15 2013 -0700

    HID: ntrig: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    ntrig HID driver to trigger a NULL dereference during initialization:
    
    [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
    ...
    [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
    [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
    
    CVE-2013-2896
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-ntrig.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:11:32 2013 -0700

    HID: multitouch: validate feature report details
    
    When working on report indexes, always validate that they are in bounds.
    Without this, a HID device could report a malicious feature report that
    could trick the driver into a heap overflow:
    
    [  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
    ...
    [  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2897
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-multitouch.c |   25 ++++++++++++++++++++-----
 1 files changed, 20 insertions(+), 5 deletions(-)

commit 813f51e0881e4ea6d221da828b1cced02ad9694d
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:12:45 2013 -0700

    HID: sensor-hub: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    sensor-hub HID driver to read past the end of heap allocation, leaking
    kernel memory contents to the caller.
    
    CVE-2013-2898
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-sensor-hub.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:05:10 2013 -0700

    HID: picolcd_core: validate output report details
    
    A HID device could send a malicious output report that would cause the
    picolcd HID driver to trigger a NULL dereference during attr file writing.
    
    CVE-2013-2899
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-picolcd_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:09:54 2013 -0700

    HID: check for NULL field when setting values
    
    Defensively check that the field to be worked on is not NULL.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-core.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 96a55ce1b2f3af376c400a02059174e79ce4399c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 18:09:18 2013 -0400

    http://marc.info/?l=linux-input&m=137772180514608&q=raw
    
    From: Kees Cook <keescook@chromium.org>
    
    The "Report ID" field of a HID report is used to build indexes of
    reports. The kernel's index of these is limited to 256 entries, so any
    malicious device that sets a Report ID greater than 255 will trigger
    memory corruption on the host:
    
    [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
    [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
    
    CVE-2013-2888
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    ---
     drivers/hid/hid-core.c |   10 +++++++---
     include/linux/hid.h    |    4 +++-
     2 files changed, 10 insertions(+), 4 deletions(-)

 drivers/hid/hid-core.c |   10 +++++++---
 include/linux/hid.h    |    4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)

commit eb1106eef5f17bfda833ca3cf89e315919173257
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Aug 9 12:52:31 2013 +0300

    Upstream commit: 909bd5926d474e275599094acad986af79671ac9
    
    Hostap: copying wrong data prism2_ioctl_giwaplist()
    
    We want the data stored in "addr" and "qual", but the extra ampersands
    mean we are copying stack data instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/hostap/hostap_ioctl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 17:01:21 2013 -0400

    fix typo in ipv6 backport

 net/ipv6/addrconf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Aug 22 11:39:15 2013 -0700

    Upstream commit: d661684cf6820331feae71146c35da83d794467e
    
    net: Check the correct namespace when spoofing pid over SCM_RIGHTS
    
    This is a security bug.
    
    The follow-up will fix nsproxy to discourage this type of issue from
    happening again.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/scm.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Aug 16 13:02:27 2013 +0200

    Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
    
    ipv6: remove max_addresses check from ipv6_create_tempaddr
    
    Because of the max_addresses check attackers were able to disable privacy
    extensions on an interface by creating enough autoconfigured addresses:
    
    <http://seclists.org/oss-sec/2012/q4/292>
    
    But the check is not actually needed: max_addresses protects the
    kernel to install too many ipv6 addresses on an interface and guards
    addrconf_prefix_rcv to install further addresses as soon as this limit
    is reached. We only generate temporary addresses in direct response of
    a new address showing up. As soon as we filled up the maximum number of
    addresses of an interface, we stop installing more addresses and thus
    also stop generating more temp addresses.
    
    Even if the attacker tries to generate a lot of temporary addresses
    by announcing a prefix and removing it again (lifetime == 0) we won't
    install more temp addresses, because the temporary addresses do count
    to the maximum number of addresses, thus we would stop installing new
    autoconfigured addresses when the limit is reached.
    
    This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
    possible).
    
    Thanks to Ding Tianhong to bring this topic up again.
    
    Cc: Ding Tianhong <dingtianhong@huawei.com>
    Cc: George Kargiotakis <kargig@void.gr>
    Cc: P J P <ppandit@redhat.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Ding Tianhong <dingtianhong@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/ipv6/addrconf.c

 net/ipv6/addrconf.c |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit 8333e0981469a226a47d0142ff31090a48db95a4
Author: David Vrabel <david.vrabel@citrix.com>
Date:   Thu Aug 15 13:21:06 2013 +0100

    Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
    
    xen/events: initialize local per-cpu mask for all possible events
    
    The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
    resulting in only the first 64 (or 32 in 32-bit guests) ports having
    their bindings being initialized to VCPU 0.
    
    In most cases this does not cause a problem as request_irq() will set
    the irq affinity which will set the correct local per-cpu mask.
    However, if the request_irq() is called on a VCPU other than 0, there
    is a window between the unmasking of the event and the affinity being
    set were an event may be lost because it is not locally unmasked on
    any VCPU. If request_irq() is called on VCPU 0 then local irqs are
    disabled during the window and the race does not occur.
    
    Fix this by initializing all NR_EVENT_CHANNEL bits in the local
    per-cpu masks.
    
    Signed-off-by: David Vrabel <david.vrabel@citrix.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    CC: stable@vger.kernel.org

 drivers/xen/events.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2a9a83768433937a2b7a97001ba1627156c0efed
Author: Roland Dreier <roland@purestorage.com>
Date:   Mon Aug 5 17:55:01 2013 -0700

    Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
    
    [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
    
    There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
    leads to one process writing data into the address space of some other
    random unrelated process if the ioctl is interrupted by a signal.
    What happens is the following:
    
     - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
       underlying SCSI command will transfer data from the SCSI device to
       the buffer provided in the ioctl)
    
     - Before the command finishes, a signal is sent to the process waiting
       in the ioctl.  This will end up waking up the sg_ioctl() code:
    
                result = wait_event_interruptible(sfp->read_wait,
                        (srp_done(sfp, srp) || sdp->detached));
    
       but neither srp_done() nor sdp->detached is true, so we end up just
       setting srp->orphan and returning to userspace:
    
                srp->orphan = 1;
                write_unlock_irq(&sfp->rq_list_lock);
                return result;  /* -ERESTARTSYS because signal hit process */
    
       At this point the original process is done with the ioctl and
       blithely goes ahead handling the signal, reissuing the ioctl, etc.
    
     - Eventually, the SCSI command issued by the first ioctl finishes and
       ends up in sg_rq_end_io().  At the end of that function, we run through:
    
        write_lock_irqsave(&sfp->rq_list_lock, iflags);
        if (unlikely(srp->orphan)) {
                if (sfp->keep_orphan)
                        srp->sg_io_owned = 0;
                else
                        done = 0;
        }
        srp->done = done;
        write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
    
        if (likely(done)) {
                /* Now wake up any sg_read() that is waiting for this
                 * packet.
                 */
                wake_up_interruptible(&sfp->read_wait);
                kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
                kref_put(&sfp->f_ref, sg_remove_sfp);
        } else {
                INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
                schedule_work(&srp->ew.work);
        }
    
       Since srp->orphan *is* set, we set done to 0 (assuming the
       userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
       ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
       to run in a workqueue.
    
     - In workqueue context we go through sg_rq_end_io_usercontext() ->
       sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
       bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
    
       The key point here is that we are doing copy_to_user() on a
       workqueue -- that is, we're on a kernel thread with current->mm
       equal to whatever random previous user process was scheduled before
       this kernel thread.  So we end up copying whatever data the SCSI
       command returned to the virtual address of the buffer passed into
       the original ioctl, but it's quite likely we do this copying into a
       different address space!
    
    As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
    add a check for current->mm (which is NULL if we're on a kernel thread
    without a real userspace address space) in bio_uncopy_user(), and skip
    the copy if we're on a kernel thread.
    
    There's no reason that I can think of for any caller of bio_uncopy_user()
    to want to do copying on a kernel thread with a random active userspace
    address space.
    
    Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
    original pointer to this bug in the sg code.
    
    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Tested-by: David Milburn <dmilburn@redhat.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>

 fs/bio.c |   20 +++++++++++++++-----
 1 files changed, 15 insertions(+), 5 deletions(-)

commit e6fe57dee152671afd618d6bc8cbf23155be6c34
Merge: cdc8f7d f2095a4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 18:13:35 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/mm/fault.c
        security/Kconfig

commit f2095a4787f7d332e5919f0bd00f8de6021ad612
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 18:08:23 2013 -0400

    Update to pax-linux-3.10.9-test20.patch:
    - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
    - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
    - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
    - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
    - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
    - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
    - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)

 arch/arm/mm/fault.c               |   11 +-
 arch/mips/include/asm/atomic.h    |  722 +++++++++++++++++++++++++++++++++++--
 arch/mips/kernel/traps.c          |   14 +-
 arch/x86/include/asm/tlbflush.h   |    4 +
 arch/x86/include/asm/uaccess_64.h |    2 +-
 fs/ntfs/file.c                    |    2 +-
 kernel/events/internal.h          |    4 +-
 kernel/events/uprobes.c           |    2 +-
 kernel/futex.c                    |    2 +-
 mm/filemap.c                      |    8 +-
 security/Kconfig                  |    2 +-
 tools/gcc/kernexec_plugin.c       |   18 +-
 tools/gcc/latent_entropy_plugin.c |   26 +-
 tools/gcc/size_overflow_plugin.c  |    3 +-
 14 files changed, 750 insertions(+), 70 deletions(-)

commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
Merge: 5a9ae57 745975e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 26 20:27:33 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 745975e3b3b74b64e00e85778f9a22714d1274f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 26 20:26:33 2013 -0400

    Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
    as reported by fabled on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=1&t=3720

 arch/arm/include/asm/pgtable.h |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
Merge: 486ec00 f68df21
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:15:20 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:14:50 2013 -0400

    Update to pax-linux-3.10.9-test18.patch:
    - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
    - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
    - forward port to 3.10.9

 arch/x86/kernel/entry_64.S       |   18 +++++++++---------
 arch/x86/kernel/i386_ksyms_32.c  |    4 ++++
 arch/x86/kernel/x8664_ksyms_64.c |    4 ++++
 3 files changed, 17 insertions(+), 9 deletions(-)

commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
Merge: f47a293 d8fed0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:12:47 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
Merge: f6ace8e 0a4b6d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:12:33 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit f47a293a1440da2a3e2c239d43d636e37ca74f10
Merge: f1e8ec7 f6ace8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:20:05 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/kernel/perf_event.c
        include/linux/sched.h

commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
Merge: b4fa847 6f54059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:18:02 2013 -0400

    Update to pax-linux-3.10.8-test18.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/sys_x86_64.c
        arch/x86/mm/mmap.c
        include/linux/sched.h

commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
Merge: 6f88011 b4fa847
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:05:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 18:04:14 2013 -0400

    Update to pax-linux-3.10.7-test18.patch:
    - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
    - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
    - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause

 arch/arm/kernel/process.c        |    2 +-
 arch/x86/include/asm/processor.h |   25 ++-----------------------
 arch/x86/kernel/cpu/common.c     |    4 ++++
 arch/x86/kernel/setup.c          |   36 ++++++++++++++++++++++++++++++++++++
 drivers/staging/zcache/tmem.c    |    4 ++--
 drivers/staging/zcache/tmem.h    |    6 ++----
 6 files changed, 47 insertions(+), 30 deletions(-)

commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 19 22:10:04 2013 -0400

    fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
    as reported by pipacs

 arch/x86/kernel/smpboot.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
Merge: 6eba999 5de93c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 22:03:19 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 22:02:47 2013 -0400

    Update to pax-linux-3.10.7-test15.patch:
    - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
    - fixed some new REFCOUNT false positives, caught by inspection

 arch/x86/kernel/cpu/common.c |    5 +++--
 arch/x86/kernel/entry_64.S   |   11 +++++++----
 fs/ceph/super.c              |    4 ++--
 mm/backing-dev.c             |    4 ++--
 4 files changed, 14 insertions(+), 10 deletions(-)

commit 94c119587c76723c1072237b98fff9886ccb7689
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 20:49:39 2013 -0400

    fix pipacs' DEMORGAN typo

 arch/x86/include/asm/tlbflush.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
Merge: df347f6 64a293e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 18:13:04 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 18:12:37 2013 -0400

    Update to pax-linux-3.10.7-test14.patch:
    - fixed compile error introduced by the previous PCID change
    - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)

 arch/x86/include/asm/tlbflush.h |    2 +-
 kernel/posix-timers.c           |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
Merge: d8efbc5 e11b314
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 08:15:00 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e11b314734c5b7317f5468be75305ad812e78c2b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 18 08:14:26 2013 -0400

    Update to pax-linux-3.10.7-test13.patch:
    - always enable the use of PCID and INVPCID when available in the CPU
      - kvm guest kernels can use these features even if the host kernel lacks UDEREF

 arch/x86/include/asm/tlbflush.h |   69 ++++++++++++++++++++++----------------
 arch/x86/kernel/cpu/common.c    |   48 +++++++++++++++++----------
 2 files changed, 70 insertions(+), 47 deletions(-)

commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 12:00:20 2013 -0400

    make kallsyms_lookup_size_offset available to approved source files

 include/linux/kallsyms.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6c8feffa95ce2db280160015027b52bb41a344c8
Merge: dbf6930 0bb1c2b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:57:50 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:56:43 2013 -0400

    Update to pax-linux-3.10.7-test12.patch:
    - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
    - fixed some arm compile problems

 arch/x86/include/asm/tlbflush.h      |    2 +-
 drivers/clocksource/bcm_kona_timer.c |    2 +-
 kernel/signal.c                      |    4 ++++
 3 files changed, 6 insertions(+), 2 deletions(-)

commit dbf69305ad4f8a037aae95af90f9201f556dcb48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:18:09 2013 -0400

    allow use of kallsyms_lookup_name to approved source files

 include/linux/kallsyms.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
Merge: 68bd16f f562e3e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 10:35:02 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f562e3ef7737ea8d80431a722479b36a12504ace
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 10:34:51 2013 -0400

    add uderef_64.c

 arch/x86/mm/uderef_64.c |   37 +++++++++++++++++++++++++++++++++++++
 1 files changed, 37 insertions(+), 0 deletions(-)

commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
Date:   Mon Aug 12 16:30:09 2013 +0000

    Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
    
    rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
    
    Fix the iproute2 command `bridge vlan show`, after switching from
    rtgenmsg to ifinfomsg.
    
    Let's start with a little history:
    
    Feb 20:   Vlad Yasevich got his VLAN-aware bridge patchset included in
              the 3.9 merge window.
              In the kernel commit 6cbdceeb, he added attribute support to
              bridge GETLINK requests sent with rtgenmsg.
    
    Mar 6th:  Vlad got this iproute2 reference implementation of the bridge
              vlan netlink interface accepted (iproute2 9eff0e5c)
    
    Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
              http://patchwork.ozlabs.org/patch/239602/
              http://marc.info/?t=136680900700007
    
    Apr 28th: Linus released 3.9
    
    Apr 30th: Stephen released iproute2 3.9.0
    
    The `bridge vlan show` command haven't been working since the switch to
    ifinfomsg, or in a released version of iproute2. Since the kernel side
    only supports rtgenmsg, which iproute2 switched away from just prior to
    the iproute2 3.9.0 release.
    
    I haven't been able to find any documentation, about neither rtgenmsg
    nor ifinfomsg, and in which situation to use which, but kernel commit
    88c5b5ce seams to suggest that ifinfomsg should be used.
    
    Fixing this in kernel will break compatibility, but I doubt that anybody
    have been using it due to this bug in the user space reference
    implementation, at least not without noticing this bug. That said the
    functionality is still fully functional in 3.9, when reversing iproute2
    commit 63338dca.
    
    This could also be fixed in iproute2, but thats an ugly patch that would
    reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
    like rtgenmsg usage is discouraged. I'm assuming that the only reason
    that Vlad implemented the kernel side to use rtgenmsg, was because
    iproute2 was using it at the time.
    
    Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
    Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/rtnetlink.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8c7bc5bafddddff55ed4687203a977e96f72540a
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Aug 13 09:04:05 2013 +0200

    Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
    
    genetlink: fix family dump race
    
    When dumping generic netlink families, only the first dump call
    is locked with genl_lock(), which protects the list of families,
    and thus subsequent calls can access the data without locking,
    racing against family addition/removal. This can cause a crash.
    Fix it - the locking needs to be conditional because the first
    time around it's already locked.
    
    A similar bug was reported to me on an old kernel (3.4.47) but
    the exact scenario that happened there is no longer possible,
    on those kernels the first round wasn't locked either. Looking
    at the current code I found the race described above, which had
    also existed on the old kernel.
    
    Cc: stable@vger.kernel.org
    Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/netlink/genetlink.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Aug 9 16:25:21 2013 +0200

    Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
    
    net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
    
    Probably this one is quite unlikely to be triggered, but it's more safe
    to do the call_rcu() at the end after we have dropped the reference on
    the asoc and freed sctp packet chunks. The reason why is because in
    sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
    we're unlucky enough we could run into corrupted pointers. Probably
    that's more of theoretical nature, but it's safer to have this simple fix.
    
    Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
    for deferred call_rcu's"). I also did the 8c98653f regression test and
    it's fine that way.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/transport.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 3925eab5483946fd746575a46f97bee9d566bb77
Author: Stephane Grosjean <s.grosjean@peak-system.com>
Date:   Fri Aug 9 11:44:06 2013 +0200

    Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
    
    can: pcan_usb: fix wrong memcpy() bytes length
    
    Fix possibly wrong memcpy() bytes length since some CAN records received from
    PCAN-USB could define a DLC field in range [9..15].
    In that case, the real DLC value MUST be used to move forward the record pointer
    but, only 8 bytes max. MUST be copied into the data field of the struct
    can_frame object of the skb given to the network core.
    
    Cc: linux-stable <stable@vger.kernel.org>
    Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/can/usb/peak_usb/pcan_usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c1ac6642baae4a400d1f87115024d1bb1ef53598
Author: Linus Lüssing <linus.luessing@web.de>
Date:   Tue Aug 6 20:21:15 2013 +0200

    Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
    
    batman-adv: fix potential kernel paging errors for unicast transmissions
    
    There are several functions which might reallocate skb data. Currently
    some places keep reusing their old ethhdr pointer regardless of whether
    they became invalid after such a reallocation or not. This potentially
    leads to kernel paging errors.
    
    This patch fixes these by refetching the ethdr pointer after the
    potential reallocations.
    
    Signed-off-by: Linus Lüssing <linus.luessing@web.de>
    Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
    Signed-off-by: Antonio Quartulli <ordex@autistici.org>

 net/batman-adv/bridge_loop_avoidance.c |    2 ++
 net/batman-adv/gateway_client.c        |   13 ++++++++++++-
 net/batman-adv/gateway_client.h        |    3 +--
 net/batman-adv/soft-interface.c        |    9 ++++++++-
 net/batman-adv/unicast.c               |   13 ++++++++++---
 5 files changed, 33 insertions(+), 7 deletions(-)

commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
Author: Yuchung Cheng <ycheng@google.com>
Date:   Fri Aug 9 17:21:27 2013 -0700

    Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
    
    netfilter: nf_conntrack: fix tcp_in_window for Fast Open
    
    Currently the conntrack checks if the ending sequence of a packet
    falls within the observed receive window. However it does so even
    if it has not observe any packet from the remote yet and uses an
    uninitialized receive window (td_maxwin).
    
    If a connection uses Fast Open to send a SYN-data packet which is
    dropped afterward in the network. The subsequent SYNs retransmits
    will all fail this check and be discarded, leading to a connection
    timeout. This is because the SYN retransmit does not contain data
    payload so
    
    end == initial sequence number (isn) + 1
    sender->td_end == isn + syn_data_len
    receiver->td_maxwin == 0
    
    The fix is to only apply this check after td_maxwin is initialized.
    
    Reported-by: Michael Chan <mcfchan@stanford.edu>
    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_conntrack_proto_tcp.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 1 12:36:57 2013 +0300

    Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
    
    netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
    
    These structs have a "_pad" member.  Also the "phw" structs have an 8
    byte "hw_addr[]" array but sometimes only the first 6 bytes are
    initialized.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_log.c        |    6 +++++-
 net/netfilter/nfnetlink_queue_core.c |    5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jul 25 10:46:46 2013 +0200

    Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
    
    netfilter: xt_TCPOPTSTRIP: fix possible off by one access
    
    Fix a possible off by one access since optlen()
    touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
    
    This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
    that stores the TCP header length, to save some cycles.
    
    Reported-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/xt_TCPOPTSTRIP.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jul 25 10:37:49 2013 +0200

    Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
    
    netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
    
    Make sure the packet has enough room for the TCP header and
    that it is not malformed.
    
    While at it, store tcph->doff*4 in a variable, as it is used
    several times.
    
    This patch also fixes a possible off by one in case of malformed
    TCP options.
    
    Reported-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/xt_TCPMSS.c |   28 ++++++++++++++++------------
 1 files changed, 16 insertions(+), 12 deletions(-)

commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
Author: Dave Jones <davej@redhat.com>
Date:   Fri Aug 9 11:16:34 2013 -0700

    Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
    
    8139cp: Fix skb leak in rx_status_loop failure path.
    
    Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
    ("8139cp: Add dma_mapping_error checking")
    
    Signed-off-by: Dave Jones <davej@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/realtek/8139cp.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 227b279491a0bbcc70ca3654f34903282c378600
Author: Timo Teräs <timo.teras@iki.fi>
Date:   Tue Aug 6 13:45:43 2013 +0300

    Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
    
    ip_gre: fix ipgre_header to return correct offset
    
    Fix ipgre_header() (header_ops->create) to return the correct
    amount of bytes pushed. Most callers of dev_hard_header() seem
    to care only if it was success, but af_packet.c uses it as
    offset to the skb to copy from userspace only once. In practice
    this fixes packet socket sendto()/sendmsg() to gre tunnels.
    
    Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
    ("GRE: Refactor GRE tunneling code.")
    
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: Timo Teräs <timo.teras@iki.fi>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_gre.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Aug 5 11:18:49 2013 -0700

    Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
    
    fib_trie: remove potential out of bound access
    
    AddressSanitizer [1] dynamic checker pointed a potential
    out of bound access in leaf_walk_rcu()
    
    We could allocate one more slot in tnode_new() to leave the prefetch()
    in-place but it looks not worth the pain.
    
    Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
    
    [1] :
    https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
    
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/fib_trie.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Aug 5 12:49:35 2013 +0200

    Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
    
    net: esp{4,6}: fix potential MTU calculation overflows
    
    Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
    size calculation") introduced a possible interger overflow in
    esp{4,6}_get_mtu() handlers in case of x->props.mode equals
    XFRM_MODE_TUNNEL. Thus, the following expression will overflow
    
      unsigned int net_adj;
      ...
      <case ipv{4,6} XFRM_MODE_TUNNEL>
             net_adj = 0;
      ...
      return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
               net_adj) & ~(align - 1)) + (net_adj - 2);
    
    where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
    context. Fix it by simply removing brackets as those operations here
    do not need to have special precedence.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Benjamin Poirier <bpoirier@suse.de>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Acked-by: Benjamin Poirier <bpoirier@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c |    2 +-
 net/ipv6/esp6.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit f02bce292d1c2fe610be509c96593e70b3de387b
Author: Julia Lawall <Julia.Lawall@lip6.fr>
Date:   Mon Aug 5 16:47:38 2013 +0200

    Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
    
    net/vmw_vsock/af_vsock.c: drop unneeded semicolon
    
    Drop the semicolon at the end of the list_for_each_entry loop header.
    
    Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/vmw_vsock/af_vsock.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
Author: Tiger Yang <tiger.yang@oracle.com>
Date:   Tue Aug 13 16:00:58 2013 -0700

    Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
    
    ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
    
    Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
    the struct file pointer, it finally result in a null pointer dereference
    in ocfs2_duplicate_clusters_by_page.
    
    This patch replace file pointer with inode pointer in
    cow_duplicate_clusters to fix this issue.
    
    [jeff.liu@oracle.com: rebased patch against linux-next tree]
    Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
    Signed-off-by: Jie Liu <jeff.liu@oracle.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Mark Fasheh <mfasheh@suse.com>
    Acked-by: Tao Ma <tm@tao.ma>
    Tested-by: David Weber <wb@munzinger.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/ocfs2/aops.c         |    2 +-
 fs/ocfs2/file.c         |    6 ++--
 fs/ocfs2/move_extents.c |    2 +-
 fs/ocfs2/refcounttree.c |   53 +++++++---------------------------------------
 fs/ocfs2/refcounttree.h |    6 ++--
 5 files changed, 16 insertions(+), 53 deletions(-)

commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 15 15:52:57 2013 +0300

    Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
    
    tun: signedness bug in tun_get_user()
    
    The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
    not totally correct.  Because "len" and "sizeof()" are size_t type, that
    means they are never less than zero.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 26ad267ddda451919357965a0cf271ca24d1bcf2
Author: Weiping Pan <wpan@redhat.com>
Date:   Tue Aug 13 21:46:56 2013 +0800

    Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
    
    tun: compare with 0 instead of total_len
    
    Since we set "len = total_len" in the beginning of tun_get_user(),
    so we should compare the new len with 0, instead of total_len,
    or the if statement always returns false.
    
    Signed-off-by: Weiping Pan <wpan@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Fri Aug 16 20:50:55 2013 -0700

    Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
    
    s390: Fix broken build
    
    Fix this build error:
    
      In file included from fs/exec.c:61:0:
      arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
      arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
      arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
      arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
    
    Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
    invalidation corner cases").
    
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    [ Oh well. We had build testing for ppc amd um, but no s390  - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/s390/include/asm/tlb.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4e57312c2de2a25ddb181d129dafbc0251062c33
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Aug 15 11:42:25 2013 -0700

    Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
    
    Fix TLB gather virtual address range invalidation corner cases
    
    Ben Tebulin reported:
    
     "Since v3.7.2 on two independent machines a very specific Git
      repository fails in 9/10 cases on git-fsck due to an SHA1/memory
      failures.  This only occurs on a very specific repository and can be
      reproduced stably on two independent laptops.  Git mailing list ran
      out of ideas and for me this looks like some very exotic kernel issue"
    
    and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
    limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
    
    That commit itself is not actually buggy, but what it does is to make it
    much more likely to hit the partial TLB invalidation case, since it
    introduces a new case in tlb_next_batch() that previously only ever
    happened when running out of memory.
    
    The real bug is that the TLB gather virtual memory range setup is subtly
    buggered.  It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
    enable tlb flush range in generic mmu_gather"), and the range handling
    was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
    range flushed when __tlb_remove_page() runs out of slots"), but that fix
    was not complete.
    
    The problem with the TLB gather virtual address range is that it isn't
    set up by the initial tlb_gather_mmu() initialization (which didn't get
    the TLB range information), but it is set up ad-hoc later by the
    functions that actually flush the TLB.  And so any such case that forgot
    to update the TLB range entries would potentially miss TLB invalidates.
    
    Rather than try to figure out exactly which particular ad-hoc range
    setup was missing (I personally suspect it's the hugetlb case in
    zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
    did), this patch just gets rid of the problem at the source: make the
    TLB range information available to tlb_gather_mmu(), and initialize it
    when initializing all the other tlb gather fields.
    
    This makes the patch larger, but conceptually much simpler.  And the end
    result is much more understandable; even if you want to play games with
    partial ranges when invalidating the TLB contents in chunks, now the
    range information is always there, and anybody who doesn't want to
    bother with it won't introduce subtle bugs.
    
    Ben verified that this fixes his problem.
    
    Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
    Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
    Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
    Reviewed-by: Michal Hocko <mhocko@suse.cz>
    Acked-by: Peter Zijlstra <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/arm/include/asm/tlb.h   |    7 +++++--
 arch/arm64/include/asm/tlb.h |    7 +++++--
 arch/ia64/include/asm/tlb.h  |    9 ++++++---
 arch/s390/include/asm/tlb.h  |    8 ++++++--
 arch/sh/include/asm/tlb.h    |    6 ++++--
 arch/um/include/asm/tlb.h    |    6 ++++--
 fs/exec.c                    |    4 ++--
 include/asm-generic/tlb.h    |    2 +-
 mm/hugetlb.c                 |    2 +-
 mm/memory.c                  |   36 +++++++++++++++++++++---------------
 mm/mmap.c                    |    4 ++--
 11 files changed, 57 insertions(+), 34 deletions(-)

commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
Merge: 5568c80 ffceabf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:11:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit ffceabfcc65c60109ba5fca694d78d4dc7047809
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:10:44 2013 -0400

    Update to pax-linux-3.10.7-test11.patch:
    - simplified some arm code
    - disabled preemption when calling show_regs, reported by Corey Minyard
    - added PCID based support for UDEREF on amd64 (blog will have more details)
      - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
      - nopcid turns it off
      - by default a strong form of UDEREF is used under PCID
      - pax_weakuderef switches to the older, less secure UDEREF
      - fixed several bugs that would also have manifested under SMAP
      - INVPCID is used when available (Haswell)
    - added a few more return insn instrumentation in new amd64 crypto code

 Documentation/kernel-parameters.txt          |    7 +
 arch/arm/include/asm/uaccess.h               |    3 +
 arch/x86/crypto/blowfish-avx2-asm_64.S       |    6 +
 arch/x86/crypto/camellia-aesni-avx-asm_64.S  |   10 ++
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S |   10 ++
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S    |    2 +
 arch/x86/crypto/ghash-clmulni-intel_asm.S    |    5 +
 arch/x86/crypto/serpent-avx2-asm_64.S        |    9 ++
 arch/x86/crypto/sha256-avx-asm.S             |    2 +
 arch/x86/crypto/sha256-avx2-asm.S            |    2 +
 arch/x86/crypto/sha256-ssse3-asm.S           |    2 +
 arch/x86/crypto/sha512-avx-asm.S             |    2 +
 arch/x86/crypto/sha512-avx2-asm.S            |    2 +
 arch/x86/crypto/sha512-ssse3-asm.S           |    2 +
 arch/x86/crypto/twofish-avx2-asm_64.S        |    8 ++
 arch/x86/ia32/ia32_signal.c                  |    2 +-
 arch/x86/ia32/ia32entry.S                    |   24 ++++-
 arch/x86/include/asm/cpufeature.h            |    3 +-
 arch/x86/include/asm/fpu-internal.h          |    2 +
 arch/x86/include/asm/futex.h                 |    4 +
 arch/x86/include/asm/mmu_context.h           |   80 +++++++++++---
 arch/x86/include/asm/pgtable.h               |   10 +-
 arch/x86/include/asm/processor.h             |   15 +++-
 arch/x86/include/asm/segment.h               |    5 +-
 arch/x86/include/asm/smap.h                  |   64 +++++++++++-
 arch/x86/include/asm/tlbflush.h              |   63 +++++++++--
 arch/x86/include/asm/uaccess.h               |   18 +++-
 arch/x86/include/asm/xsave.h                 |    4 +
 arch/x86/kernel/cpu/common.c                 |   38 +++++++
 arch/x86/kernel/entry_32.S                   |    2 +-
 arch/x86/kernel/entry_64.S                   |  152 +++++++++++++++++++++++---
 arch/x86/kernel/head_32.S                    |    2 +-
 arch/x86/kernel/head_64.S                    |    8 +-
 arch/x86/kernel/process_64.c                 |    5 +
 arch/x86/kernel/setup.c                      |    8 +-
 arch/x86/kernel/signal.c                     |    4 +-
 arch/x86/kernel/smpboot.c                    |   15 ++-
 arch/x86/lib/copy_user_64.S                  |   50 +--------
 arch/x86/lib/copy_user_nocache_64.S          |    2 +
 arch/x86/lib/csum-wrappers_64.c              |   11 ++-
 arch/x86/lib/memcpy_64.S                     |    4 +-
 arch/x86/lib/memmove_64.S                    |    2 +-
 arch/x86/lib/memset_64.S                     |    4 +-
 arch/x86/lib/usercopy_64.c                   |    5 +-
 arch/x86/mm/Makefile                         |    4 +
 arch/x86/mm/fault.c                          |   29 ++++--
 arch/x86/mm/init.c                           |    7 +-
 arch/x86/mm/init_64.c                        |    9 ++-
 arch/x86/mm/pageattr.c                       |    2 +-
 arch/x86/mm/pgtable.c                        |    3 +
 arch/x86/platform/efi/efi_32.c               |    2 +-
 arch/x86/platform/efi/efi_64.c               |    2 +-
 arch/x86/realmode/rm/trampoline_64.S         |    1 +
 fs/exec.c                                    |    2 +
 include/asm-generic/uaccess.h                |    8 ++
 include/linux/compat.h                       |    1 +
 include/linux/preempt.h                      |   19 +++
 include/linux/signal.h                       |    1 +
 include/linux/smp.h                          |    2 +
 init/main.c                                  |   14 ++-
 kernel/signal.c                              |   16 +++
 security/Kconfig                             |    5 +
 tools/lib/lk/Makefile                        |    2 +-
 tools/perf/Makefile                          |    2 +-
 64 files changed, 673 insertions(+), 136 deletions(-)

commit 5568c8059e78d6d002815409df4e90c83b3b08a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 08:58:34 2013 -0400

    Fix two harmless compiler warnings

 arch/arm/kernel/process.c |    4 ++--
 fs/exec.c                 |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:55:24 2013 -0400

    Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b

 arch/arm/kernel/perf_event.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 3637bc893b57a227b01852fe34685ab237285b10
Author: Stephen Boyd <sboyd@codeaurora.org>
Date:   Wed Aug 7 16:18:08 2013 -0700

    Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
    
    perf/arm: Fix armpmu_map_hw_event()
    
    Fix constraint check in armpmu_map_hw_event().
    
    Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/arm/kernel/perf_event.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 11802e1f961a088c39af58d1c1b14d861eedfb35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:53:30 2013 -0400

    More ARM backports

 arch/arm/kernel/entry-armv.S |    3 ++-
 arch/arm/kernel/fiq.c        |    8 ++------
 2 files changed, 4 insertions(+), 7 deletions(-)

commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:46:01 2013 -0400

    Fix HIDESYM compatibility with kprobes, as reported by feandil at:
    http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376

 include/linux/kallsyms.h |    2 +-
 kernel/kprobes.c         |    3 +++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
Author: yonghua zheng <younghua.zheng@gmail.com>
Date:   Tue Aug 13 16:01:03 2013 -0700

    fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
    
    Recently we met quite a lot of random kernel panic issues after enabling
    CONFIG_PROC_PAGE_MONITOR.  After debuggind we found this has something
    to do with following bug in pagemap:
    
    In struct pagemapread:
    
      struct pagemapread {
          int pos, len;
          pagemap_entry_t *buffer;
          bool v2;
      };
    
    pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
    buffer, it is a mistake to compare pos and len in add_page_map() for
    checking buffer is full or not, and this can lead to buffer overflow and
    random kernel panic issue.
    
    Correct len to be total number of PM_ENTRY_BYTES in buffer.
    
    [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
    Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/task_mmu.c

 fs/proc/task_mmu.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 0a3dac834746de241c10d4978bf61b4f146ba89d
Merge: dc19474 e12de30
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 17:39:01 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 17:34:47 2013 -0400

    Update to pax-linux-3.10.7-test9.patch:
    - Emese fixed a size overflow false positive reported by Sven Vermeulen
    - fixed some arm compile problems reported by spender
    - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
      eventually we'll have full REFCOUNT support on mips

 arch/arm/kernel/process.c     |    5 ++-
 arch/arm/mm/Kconfig           |    2 +-
 arch/arm/mm/fault.c           |    3 ++
 arch/mips/include/asm/local.h |   57 +++++++++++++++++++++++++++++++++++++++++
 mm/internal.h                 |    2 +-
 5 files changed, 65 insertions(+), 4 deletions(-)

commit dc19474d0ea6ea3c939544ae5f906067b1784a10
Merge: 51b78c0 82266f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 21:47:37 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 82266f90a3f87ab5017329fb539aebf94c42253a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 21:14:47 2013 -0400

    Update to pax-linux-3.10.7-test9.patch

 arch/arm/kernel/process.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)

commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
Merge: e32d904 cb77ead
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 20:53:45 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
Merge: 13675b8 519be45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 15 20:50:47 2013 -0400

    Update to pax-linux-3.10.7-test8.patch
    
    Merge branch 'linux-3.10.y' into pax-test

commit e32d904b87292288e74e2637b900fd1115687b8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 10 09:41:40 2013 -0400

    propagate the threadstack offset through to the topdown/bottomup allocators
    on sparc64 hugepages

 arch/sparc/mm/hugetlbpage.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Thu Aug 8 18:55:32 2013 +0200

    Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
    
    another local DoS found in reaction to the one I reported,
    we don't allow unpriv user ns use so this doesn't matter much to us
    
    userns: limit the maximum depth of user_namespace->parent chain
    
    Ensure that user_namespace->parent chain can't grow too much.
    Currently we use the hardroded 32 as limit.
    
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/user_namespace.h |    1 +
 kernel/user_namespace.c        |    4 ++++
 2 files changed, 5 insertions(+), 0 deletions(-)

commit 223ac007ef18bf3a5095ba0a56675c1f16200149
Merge: 1c92de4 13675b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 8 20:45:24 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 13675b848cf02bffd26924b2b84d927095bc253d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 8 20:43:52 2013 -0400

    Update to pax-linux-3.10.5-test8.patch:
    - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
    - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
    - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>

 arch/arm/include/asm/pgtable-2level.h |    4 +++-
 arch/arm/mm/proc-v7-2level.S          |    3 ---
 arch/mips/mm/fault.c                  |    8 ++++++++
 arch/x86/include/asm/processor.h      |    3 ++-
 include/linux/math64.h                |    2 +-
 security/Kconfig                      |    2 --
 6 files changed, 14 insertions(+), 8 deletions(-)

commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
Merge: e65aa3d 1660f49
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 18:50:45 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 1660f496848b8400d263f7920989dae15e72185a
Merge: 7f91ba1 dc51cd2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 18:50:12 2013 -0400

    Update to pax-linux-3.10.5-test7.patch
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/head_64.S
        mm/mempolicy.c

commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:58:42 2013 -0400

    Disable RANDKSTACK for a VirtualBox host as mentioned on the
    gentoo-hardened bugzilla:
    https://bugs.gentoo.org/show_bug.cgi?id=382793

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jul 30 13:23:39 2013 +0300

    Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
    
    net_sched: info leak in atm_tc_dump_class()
    
    The "pvc" struct has a hole after pvc.sap_family which is not cleared.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/sch_atm.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Aug 2 11:32:43 2013 +0200

    Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
    
    net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
    
    Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
    resource that was allocated via inet_alloc_ifa() unfreed when returning
    the function with -EINVAL. Thus, free it first via inet_free_ifa().
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Reviewed-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/devinet.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
Date:   Fri Aug 2 23:15:56 2013 -0400

    Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
    
    qlcnic: Free up memory in error path.
    
    Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
    Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
Date:   Fri Aug 2 23:15:54 2013 -0400

    Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
    
    qlcnic: Fix MAC address filter issue on 82xx adapter
    
    Driver was passing the address of a pointer instead of
    the pointer itself.
    
    Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:26:40 2013 -0400

    Move user namespace capability check to shared create_user_ns code so we
    cover unshare() as well.
    
    Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
    user namespaces!

 kernel/fork.c           |   17 -----------------
 kernel/user_namespace.c |   24 ++++++++++++++++++++++--
 2 files changed, 22 insertions(+), 19 deletions(-)

commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 16:05:41 2013 -0400

    silence a warning on older gcc

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b8966a5d577e9220fbc63306eee978f819f24e2e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 3 08:31:08 2013 -0400

    we only care about mmaps of the beginning of an ELF, filter out
    all others as suggested by pipacs

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:54:51 2013 -0400

    add include

 grsecurity/grsec_log.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:49:13 2013 -0400

    fix compilation

 include/linux/grinternal.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1704c23fdc55b68f512dc9927940e72237f3f43e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:34:35 2013 -0400

    Improve PaX reporting (tells when anon mapping is stack or heap)
    Remove textrel logging option, combine into rwx logging option
    Enhance RWX logging option to display when PT_GNU_STACK-enabled library
    is loaded under an MPROTECTed binary
    Enhance RWX mprotect logging to display stack/heap instead of just
    anon mapping

 fs/binfmt_elf.c            |   37 +++++++++++++++++++++++++++++++++++++
 fs/exec.c                  |    4 ++++
 grsecurity/Kconfig         |   21 +++++----------------
 grsecurity/grsec_init.c    |    4 ----
 grsecurity/grsec_log.c     |   14 ++++++++++++++
 grsecurity/grsec_pax.c     |   19 ++++++++++++++-----
 grsecurity/grsec_sysctl.c  |    9 ---------
 include/linux/binfmts.h    |    1 +
 include/linux/grinternal.h |    2 +-
 include/linux/grmsg.h      |    3 ++-
 include/linux/grsecurity.h |    3 ++-
 mm/mmap.c                  |    7 +++++++
 mm/mprotect.c              |    2 +-
 13 files changed, 88 insertions(+), 38 deletions(-)

commit faf81c100c8565524e21c9af780a0ad2ce3fd925
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:52:02 2013 -0400

    add missing #define

 grsecurity/gracl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 1 18:43:53 2013 -0400

    fix compilation for !COMPAT as reported on the forums

 grsecurity/gracl.c |  195 ++++++++++++++++++++++++++--------------------------
 1 files changed, 97 insertions(+), 98 deletions(-)

commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
Merge: 65019c9 7f91ba1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:31 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 65019c9bd05f860437071cbf00e2027fd2d68615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:47:20 2013 -0400

    Revert "revert recent PaX change that causes boot failures with 32bit userland"
    
    This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 17:46:00 2013 -0400

    Update to pax-linux-3.10.4-test7.patch:
    - added a few more missing format strings
    - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
    - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
    - fixed a UDEREF/i386 regression, __get_user_8 would always fail

 arch/x86/include/asm/processor.h           |    4 +-
 arch/x86/kernel/cpu/common.c               |    2 +-
 arch/x86/kernel/dumpstack.c                |    2 +-
 arch/x86/kernel/process_64.c               |    2 +-
 arch/x86/kernel/reboot_fixups_32.c         |    2 +-
 arch/x86/kernel/smpboot.c                  |    2 +-
 arch/x86/lib/getuser.S                     |    4 +-
 arch/x86/xen/smp.c                         |    2 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c |    8 ++--
 drivers/video/backlight/backlight.c        |    2 +-
 drivers/video/backlight/lcd.c              |    2 +-
 fs/binfmt_elf.c                            |   51 +++++++++++++++++++++++++---
 fs/exec.c                                  |   50 +++++++++++++--------------
 include/linux/sched.h                      |    2 +
 14 files changed, 88 insertions(+), 47 deletions(-)

commit 043130da54cb7cc8dc44e0ce889d426e889a0532
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 31 16:26:58 2013 -0400

    compile fix for !COMPAT as mentioned on forums

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ed0a195abd4e41c2449a020a53a19c74dc866d78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:33:14 2013 -0400

    perform compat conversion of rlimit infinity

 grsecurity/gracl_compat.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:21:40 2013 -0400

    remove debugging

 grsecurity/gracl_compat.c |   44 +++++++++++---------------------------------
 1 files changed, 11 insertions(+), 33 deletions(-)

commit e75b3f504692b97960a7530ad0855d91441d79c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:20:32 2013 -0400

    eliminate compat_dev_t

 include/linux/gracl_compat.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e5abbaf95313066a724e1a843d4fc902a9a6450e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 22:13:22 2013 -0400

    fix compat rlimit size

 grsecurity/gracl_compat.c    |   68 +++++++++++++++++++++++++++++-------------
 include/linux/gracl_compat.h |    4 +-
 2 files changed, 49 insertions(+), 23 deletions(-)

commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:20:18 2013 -0400

    compile fix

 grsecurity/gracl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 21:14:29 2013 -0400

    copy correct pointer size in new compat code

 grsecurity/gracl.c        |    8 ++++----
 grsecurity/gracl_compat.c |    4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 23278a1ee1c7738dd1e7005241394d32b82196e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:48:58 2013 -0400

    revert recent PaX change that causes boot failures with 32bit userland

 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/kernel/cpu/common.c     |    2 +-
 arch/x86/kernel/process_64.c     |    2 +-
 arch/x86/kernel/smpboot.c        |    2 +-
 arch/x86/xen/smp.c               |    2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

commit ec27f71a813656fea8ab37faecb2b485fe99d08e
Merge: 3a11bcf 05f0a61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:42:21 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:41:44 2013 -0400

    Update to pax-linux-3.10.4-test6.patch:
    - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender

 include/linux/syscalls.h |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:15:50 2013 -0400

    compile fix

 grsecurity/gracl_compat.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 19:12:46 2013 -0400

    remove BUILD_BUG_ONs

 grsecurity/gracl_compat.c |   20 --------------------
 1 files changed, 0 insertions(+), 20 deletions(-)

commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:18:36 2013 -0400

    compile fixes

 grsecurity/gracl_compat.c    |    8 ++++----
 include/linux/gracl_compat.h |    2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 8b744005f8bae565e24c1fd88af77e6e619b9434
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:16:42 2013 -0400

    compile fixes

 grsecurity/gracl.c        |    4 ++--
 grsecurity/gracl_compat.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:13:51 2013 -0400

    compile fixes

 grsecurity/gracl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit b93b829afcc98b6108b18d99ff63c53642d0b951
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:11:03 2013 -0400

    compile fixes

 grsecurity/gracl_compat.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 30 00:08:21 2013 -0400

    more compile fixes

 grsecurity/gracl.c |   28 ++++++++++++++--------------
 1 files changed, 14 insertions(+), 14 deletions(-)

commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:59:50 2013 -0400

    more compile fixes

 grsecurity/gracl.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:56:47 2013 -0400

    additional compile fixes

 grsecurity/gracl.c |   59 +++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 49 insertions(+), 10 deletions(-)

commit ac695a081d1124fb28bec46814535d34c5e40611
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:47:15 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:46:59 2013 -0400

    compile fixes

 grsecurity/gracl.c |   53 ++++++++++++++++++++++++++++++++++++++-------------
 1 files changed, 39 insertions(+), 14 deletions(-)

commit 82631f451cc7432b6c5578cf8d24155473feb25c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 23:22:44 2013 -0400

    Initial commit of compat RBAC loading
    Permits 32bit gradm to load policy for a 64bit kernel
    
    Also removed code duplication for copying strings into the kernel
    
    Work performed as part of sponsorship

 grsecurity/Makefile          |    4 +
 grsecurity/gracl.c           |  315 +++++++++++++++++++++++-------------------
 grsecurity/gracl_compat.c    |  270 ++++++++++++++++++++++++++++++++++++
 include/linux/gracl_compat.h |  156 +++++++++++++++++++++
 4 files changed, 603 insertions(+), 142 deletions(-)

commit 84c4a433dfb096e4a1162ee5e68025122c70b421
Merge: c9d3ed3 9fe5897
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 17:08:56 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 9fe58978938e357642885866ca48090a7753d403
Merge: 8f693ad 6f7bb6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 29 17:08:43 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
Merge: d5e5bfd 8f693ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:03:08 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 8f693ade9b3e448f92706d34148b00a087637f70
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:02:16 2013 -0400

    Update to pax-linux-3.10.3-test5.patch:
    - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
    - fixed handling of faulting userland accesses for UDEREF/arm, from spender
    - updated the size overflow hash table, from Emese

 arch/arm/kernel/entry-armv.S      |    3 +-
 arch/x86/include/asm/processor.h  |    4 +-
 arch/x86/kernel/cpu/common.c      |    2 +-
 arch/x86/kernel/process_64.c      |    2 +-
 arch/x86/kernel/smpboot.c         |    2 +-
 arch/x86/xen/smp.c                |    2 +-
 tools/gcc/size_overflow_hash.data |  553 +++++++++++++++++++++++++++++++++----
 7 files changed, 513 insertions(+), 55 deletions(-)

commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
Merge: 19e077b 8a8a0d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 21:05:18 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 21:04:09 2013 -0400

    Update to pax-linux-3.10.3-test4.patch:
    - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
      this is finer grained sanitization than the existing per-page based approach (which
      is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
      line option can be used to enable/disable it on boot (it's enabled by default when
      CONFIG_PAX_MEMORY_SANITIZE is enabled).

 Documentation/kernel-parameters.txt |    4 ++++
 fs/buffer.c                         |    2 +-
 fs/dcache.c                         |    3 ++-
 include/linux/slab.h                |    7 +++++++
 include/linux/slab_def.h            |    4 ++++
 kernel/fork.c                       |    2 +-
 mm/rmap.c                           |    6 ++++--
 mm/slab.c                           |   27 +++++++++++++++++++++++++++
 mm/slab.h                           |   12 +++++++++++-
 mm/slab_common.c                    |   14 ++++++++++++++
 mm/slob.c                           |    5 +++++
 mm/slub.c                           |   11 +++++++++++
 net/core/skbuff.c                   |    6 ++++--
 security/Kconfig                    |   23 +++++++++++++++++------
 14 files changed, 112 insertions(+), 14 deletions(-)

commit 19e077bfff54ca211d0142c07cb6dd88069a390c
Merge: 960ec51 c8f7f51
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:53:34 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c8f7f51591207b82530214300e86277028919286
Merge: d5142e3 81a4648
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:52:29 2013 -0400

    Update to pax-linux-3.10.3-test3.patch:
    - fixed some compile issues reported by Michael Tremer and spender
    - fixed an i386 regression with the lower address space gap on i386, reported by cnu
    
    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        kernel/time/tick-broadcast.c

commit 960ec51ab2142544fbae563d4fd5744775408965
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Jul 20 03:13:55 2013 +0400

    Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
    
    livelock avoidance in sget()
    
    Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
    to fail.  The superblock is on ->fs_supers, ->s_umount is held exclusive,
    ->s_active is 1.  Along comes two more processes, trying to mount the same
    thing; sget() in each is picking that superblock, bumping ->s_count and
    trying to grab ->s_umount.  ->s_active is 3 now.  Original mount(2)
    finally gets to deactivate_locked_super() on failure; ->s_active is 2,
    superblock is still ->fs_supers because shutdown will *not* happen until
    ->s_active hits 0.  ->s_umount is dropped and now we have two processes
    chasing each other:
    s_active = 2, A acquired ->s_umount, B blocked
    A sees that the damn thing is stillborn, does deactivate_locked_super()
    s_active = 1, A drops ->s_umount, B gets it
    A restarts the search and finds the same superblock.  And bumps it ->s_active.
    s_active = 2, B holds ->s_umount, A blocked on trying to get it
    ... and we are in the earlier situation with A and B switched places.
    
    The root cause, of course, is that ->s_active should not grow until we'd
    got MS_BORN.  Then failing ->mount() will have deactivate_locked_super()
    shut the damn thing down.  Fortunately, it's easy to do - the key point
    is that grab_super() is called only for superblocks currently on ->fs_supers,
    so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
    bump ->s_active; we must never increment ->s_count for superblocks past
    ->kill_sb(), but grab_super() is never called for those.
    
    The bug is pretty old; we would've caught it by now, if not for accidental
    exclusion between sget() for block filesystems; the things like cgroup or
    e.g. mtd-based filesystems don't have anything of that sort, so they get
    bitten.  The right way to deal with that is obviously to fix sget()...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/super.c |   25 ++++++++++---------------
 1 files changed, 10 insertions(+), 15 deletions(-)

commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
Merge: ab95b58 d5142e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:47:46 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
Merge: f36ae8c 0f4a56e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:47:34 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test

commit ab95b5842899d61ff5c30f4582e72029b3155be8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 21 22:28:40 2013 -0400

    compile fix with constification reported by Michael Tremer

 drivers/gpu/host1x/drm/dc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 817cd2d1e7a55720326599dd8f542578eef30927
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Jul 12 23:46:33 2013 +0200

    Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
    
    ipv6: only static routes qualify for equal cost multipathing
    
    Static routes in this case are non-expiring routes which did not get
    configured by autoconf or by icmpv6 redirects.
    
    To make sure we actually get an ecmp route while searching for the first
    one in this fib6_node's leafs, also make sure it matches the ecmp route
    assumptions.
    
    v2:
    a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
       already ensures that this route, even if added again without
       RTF_EXPIRES (in case of a RA announcement with infinite timeout),
       does not cause the rt6i_nsiblings logic to go wrong if a later RA
       updates the expiration time later.
    
    v3:
    a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
       because an pmtu event could update the RTF_EXPIRES flag and we would
       not count this route, if another route joins this set. We now filter
       only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
       don't get changed after rt6_info construction.
    
    Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_fib.c |   15 +++++++++++----
 1 files changed, 11 insertions(+), 4 deletions(-)

commit 77db8196d51b043e2e2d124094da101b0f01bccb
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Jul 12 09:39:03 2013 +0300

    Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
    
    svcrdma: underflow issue in decode_write_list()
    
    My static checker marks everything from ntohl() as untrusted and it
    complains we could have an underflow problem doing:
    
        return (u32 *)&ary->wc_array[nchunks];
    
    Also on 32 bit systems the upper bound check could overflow.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 net/sunrpc/xprtrdma/svc_rdma_marshal.c |   20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)

commit 926473317fd7953137ef97835edd36dabc584b01
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 17 21:29:02 2013 -0400

    add missing asm/pgtable.h include, reported by Michael Tremer

 drivers/clk/socfpga/clk.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c592ae0001b31932ef1491784dfa374058797c66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 16 20:40:24 2013 -0400

    allow viewing of ecryptfs version under SYSFS_RESTRICT

 fs/sysfs/dir.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
Merge: 9c96441 f36ae8c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:23:13 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f36ae8c741ae32b1caff10825be12c327792c925
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:22:15 2013 -0400

    Update to pax-linux-3.10-test2.patch:
    - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
    - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
    - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
    - spender fixed an madvise regression, reported by Peter Keel
    - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
    - fixed a headers_install regression, reported by Mathias Krause
    - fixed a SLOB compile regression, reported by Mathias Krause

 arch/arm/include/asm/uaccess.h |    4 ++--
 arch/arm/mm/mmu.c              |   15 +++++++++++++--
 drivers/clk/socfpga/clk.c      |    6 ++++--
 mm/madvise.c                   |    4 ++--
 mm/slab.c                      |    4 ++--
 mm/slob.c                      |    4 ++--
 scripts/headers_install.sh     |    2 +-
 7 files changed, 26 insertions(+), 13 deletions(-)

commit 9c9644156a49637050741d9165df79174e59b0ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 19:19:54 2013 -0400

    Fix sparc64 compilation, reported by Blake Self

 arch/sparc/kernel/sys_sparc_64.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:49:17 2013 -0400

    Update PaX fix, just return the error

 mm/madvise.c |   15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

commit a10e377d0eddd37e8a3665b135e546ab03d9d171
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:36:00 2013 -0400

    Fix madvise oops reported by Peter Keel

 mm/madvise.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 08c5adca34d408772255b313f90d82c250c1d967
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 11:26:34 2013 -0400

    don't make high vector mapping non-present on old ARM architectures, no
    point in emulating some vector entries when the processor doesn't even support XN

 arch/arm/mm/mmu.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 2b40781d4197a89a003616af584884e36361c5b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 09:51:58 2013 -0400

    Temporary compile fix for code incorrectly modifying const data
    Wrap a cast version of the code with open/close
    
    Thanks to Michael Tremer for the report

 drivers/clk/socfpga/clk.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit a8258c1b4098c396cd4ea719e20858182feac1c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 14 09:41:16 2013 -0400

    Fix missing right parens in pipacs' "improvement" of my ARM code ;)
    Thanks to Michael Tremer for reporting

 arch/arm/include/asm/uaccess.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
Merge: 86f446e 2577f8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 13 20:46:58 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        mm/memcontrol.c

commit 2577f8e4ec41efb347706a59c6838de20f0c90da
Merge: 75a36f0 cb5d8be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 13 20:43:42 2013 -0400

    Merge branch 'linux-3.10.y' into pax-test
    
    Conflicts:
        crypto/algapi.c
        drivers/block/nbd.c

commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 12 23:02:11 2013 -0400

    we always want the vector page to be noaccess for userland
    therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
    which turns into supervisor rwx, userland rx, we instead omit that entirely,
    leaving it as supervisor rwx only
    
    Fixes booting on ARMv5 and earlier, which need to write directly
    to the high vector mapping via set_tls when context switching
    
    Thanks to Michael Tremer for the bugreport

 arch/arm/mm/mmu.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit 90cd0827eef656ec884f19c977873fefe2f2e47d
Author: Cong Wang <amwang@redhat.com>
Date:   Sat Jun 29 12:02:59 2013 +0800

    Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
    
    gre: fix a regression in ioctl
    
    When testing GRE tunnel, I got:
    
     # ip tunnel show
     get tunnel gre0 failed: Invalid argument
     get tunnel gre1 failed: Invalid argument
    
    This is a regression introduced by commit c54419321455631079c7d
    ("GRE: Refactor GRE tunneling code.") because previously we
    only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
    after that commit, the check is moved for all commands.
    
    So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
    
    After this patch I got:
    
     # ip tunnel show
     gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
     gre1: gre/ip  remote 192.168.122.101  local 192.168.122.45  ttl inherit
    
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_gre.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
Author: Cong Wang <amwang@redhat.com>
Date:   Sat Jun 29 13:00:57 2013 +0800

    Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
    
    vti: remove duplicated code to fix a memory leak
    
    vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
    and in vti_tunnel_init(), this lead to a memory leak of
    dev->tstats.
    
    Just remove the duplicated operations in vti_fb_tunnel_init().
    
    (candidate for -stable)
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_vti.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:05 2013 +0200

    Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
    
    bnx2x: remove zeroing of dump data buffer
    
    There is no need to initialize the dump data with zeros.
    data is allocated with vzalloc, so it's already zero-filled.
    
    More importantly, the memset is harmful, because dump->len (the length
    requested by userspace) can be bigger than the allocated buffer (whose
    size is determined by asking the driver's .get_dump_flag method).
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c    |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit c771072b72c261f9bddd6734dca6979c1b96e7df
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:06 2013 +0200

    Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
    
    bnx2x: fix dump flag handling
    
    bnx2x interprets the dump flag as an index of a register preset.
    It is important to validate the index to avoid out of bounds
    memory accesses.
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c    |    3 +++
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c   |    2 ++
 2 files changed, 5 insertions(+), 0 deletions(-)

commit aed315c8fad9b2044143b46b239574b1b72135ce
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:30 2013 +0200

    Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
    
    ethtool: make .get_dump_data() harder to misuse by drivers
    
    As the patch "bnx2x: remove zeroing of dump data buffer" showed,
    it is too easy implement .get_dump_data incorrectly in a driver.
    
    Let's make sure drivers cannot get confused by userspace requesting
    a too big dump.
    
    Also WARN if the driver sets dump->len to something weird and make
    sure the length reported to userspace is the actual length of data
    copied to userspace.
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/ethtool.c |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

commit 5c57991e66216e386dcc875d34c33f0edd038569
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Jul 2 09:02:07 2013 +0800

    Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
    
    l2tp: add missing .owner to struct pppox_proto
    
    Add missing .owner of struct pppox_proto. This prevents the
    module from being removed from underneath its users.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Date:   Sun Jun 30 14:37:11 2013 +1000

    Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
    
    cxgb3: Missing rtnl lock in error recovery
    
    When exercising error injection on IBM pseries machine, I hit the
    following warning:
    
    [  251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
    [  253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
    [  253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
    [  254.895437] RTNL: assertion failed at net/core/dev.c (2031)
    [  254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G        W    3.10.0-rc7-00157-gea461ab #19
    [  254.895474] Call Trace:
    [  254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
    [  254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
    [  254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
    [  254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
    [  254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
    [  254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
    [  254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
    [  254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
    [  254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
    [  254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
    [  254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
    
    It appears that t3_resume_ports() is called with the rtnl_lock held from
    the fatal error task but not from the PCI error callbacks. This fixes it.
    
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Jul 1 20:21:30 2013 +0200

    Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
    
    ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
    
    We accidentally call down to ip6_push_pending_frames when uncorking
    pending AF_INET data on a ipv6 socket. This results in the following
    splat (from Dave Jones):
    
    skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:126!
    invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
    +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
    CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
    task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
    RIP: 0010:[<ffffffff816e759c>]  [<ffffffff816e759c>] skb_panic+0x63/0x65
    RSP: 0018:ffff8801e6431de8  EFLAGS: 00010282
    RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
    RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
    RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
    R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
    FS:  00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
    Stack:
     ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
     ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
     ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
    Call Trace:
     [<ffffffff8159a9aa>] skb_push+0x3a/0x40
     [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
     [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
     [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
     [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
     [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
     [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
     [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
     [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
     [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
     [<ffffffff816f5d54>] tracesys+0xdd/0xe2
    Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
    RIP  [<ffffffff816e759c>] skb_panic+0x63/0x65
     RSP <ffff8801e6431de8>
    
    This patch adds a check if the pending data is of address family AF_INET
    and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
    if that is the case.
    
    This bug was found by Dave Jones with trinity.
    
    (Also move the initialization of fl6 below the AF_INET check, even if
    not strictly necessary.)
    
    Cc: Dave Jones <davej@redhat.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/udp.h |    1 +
 net/ipv4/udp.c    |    3 ++-
 net/ipv6/udp.c    |    7 ++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

commit cd83094a85d9bbd5a67332156407d53cf8835432
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Tue Jul 2 08:04:05 2013 +0200

    Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
    
    ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
    
    If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
    of this when appending the second frame on a corked socket. This results
    in the following splat:
    
    [37598.993962] ------------[ cut here ]------------
    [37598.994008] kernel BUG at net/core/skbuff.c:2064!
    [37598.994008] invalid opcode: 0000 [#1] SMP
    [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
    +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
    +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
    [37598.994008]  snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
    +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
    [37598.994008] CPU 0
    [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
    [37598.994008] RIP: 0010:[<ffffffff815443a5>]  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008] RSP: 0018:ffff88003670da18  EFLAGS: 00010202
    [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
    [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
    [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
    [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
    [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
    [37598.994008] FS:  00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
    [37598.994008] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
    [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
    [37598.994008] Stack:
    [37598.994008]  ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
    [37598.994008]  ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
    [37598.994008]  0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
    [37598.994008] Call Trace:
    [37598.994008]  [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
    [37598.994008]  [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
    [37598.994008]  [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
    [37598.994008]  [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
    [37598.994008]  [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
    [37598.994008]  [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
    [37598.994008]  [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
    [37598.994008]  [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
    [37598.994008]  [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
    [37598.994008]  [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
    [37598.994008]  [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
    [37598.994008]  [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
    [37598.994008]  [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
    [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
    [37598.994008] RIP  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008]  RSP <ffff88003670da18>
    [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
    
    While there, also check if path mtu discovery is activated for this
    socket. The logic was adapted from ip6_append_data when first writing
    on the corked socket.
    
    This bug was introduced with commit
    0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
    fragment").
    
    v2:
    a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
    b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
       feng, thanks!).
    c) Change mtu to unsigned int, else we get a warning about
       non-matching types because of the min()-macro type-check.
    
    Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |   16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jul 7 14:26:53 2013 +0300

    Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
    
    vhost-net: fix use-after-free in vhost_net_flush
    
    vhost_net_ubuf_put_and_wait has a confusing name:
    it will actually also free it's argument.
    Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
        "vhost-net: flush outstanding DMAs on memory change"
    vhost_net_flush tries to use the argument after passing it
    to vhost_net_ubuf_put_and_wait, this results
    in use after free.
    To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
    add an new API for callers that want to free ubufs.
    
    Acked-by: Asias He <asias@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/vhost/net.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 088806db74ac2f08c106202bc5498585a9ee529f
Author: Michal Hocko <mhocko@suse.cz>
Date:   Mon Jul 8 16:00:29 2013 -0700

    Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
    
    memcg, kmem: fix reference count handling on the error path
    
    mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
    This is not correct because only memcg_propagate_kmem takes an
    additional reference while mem_cgroup_sockets_init is allowed to fail as
    well (although no current implementation fails) but it doesn't take any
    reference.  This all suggests that it should be memcg_propagate_kmem
    that should clean up after itself so this patch moves mem_cgroup_put
    over there.
    
    Unfortunately this is not that easy (as pointed out by Li Zefan) because
    memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
    marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
    memcg_propagate_kmem fails so the additional reference is dropped in
    that case in kmem_cgroup_destroy which means that the reference would be
    dropped two times.
    
    The easiest way then would be to simply remove mem_cgrroup_put from
    mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
    thing.
    
    Signed-off-by: Michal Hocko <mhocko@suse.cz>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Glauber Costa <glommer@openvz.org>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: <stable@vger.kernel.org>        [3.8]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memcontrol.c |    8 --------
 1 files changed, 0 insertions(+), 8 deletions(-)

commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
Author: Michal Hocko <mhocko@suse.cz>
Date:   Mon Jul 8 16:00:27 2013 -0700

    Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
    
    Revert "memcg: avoid dangling reference count in creation failure"
    
    This reverts commit e4715f01be697a.
    
    mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
    an additional reference from all parents so the additional
    mem_cgrroup_put(parent) potentially causes use-after-free.
    
    Signed-off-by: Michal Hocko <mhocko@suse.cz>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Glauber Costa <glommer@openvz.org>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: <stable@vger.kernel.org>        [3.9+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memcontrol.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 3267ec559f48327a1836eccecd53215afc5810d0
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jun 20 13:13:59 2013 -0700

    Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
    
    libceph: Fix NULL pointer dereference in auth client code
    
    A malicious monitor can craft an auth reply message that could cause a
    NULL function pointer dereference in the client's kernel.
    
    To prevent this, the auth_none protocol handler needs an empty
    ceph_auth_client_ops->build_request() function.
    
    CVE-2013-1059
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Chanam Park <chanam.park@hkpco.kr>
    Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
    Reviewed-by: Sage Weil <sage@inktank.com>
    Cc: stable@vger.kernel.org

 net/ceph/auth_none.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit cdfeb4049e7cb38702215b2c356ce0407974ac79
Author: Eric Paris <eparis@redhat.com>
Date:   Wed Jul 3 15:08:29 2013 -0700

    Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
    
    fork: reorder permissions when violating number of processes limits
    
    When a task is attempting to violate the RLIMIT_NPROC limit we have a
    check to see if the task is sufficiently priviledged.  The check first
    looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
    
    A result is that tasks which are allowed by the uid=0 check are first
    checked against the security subsystem.  This results in the security
    subsystem auditting a denial for sys_admin and sys_resource and then the
    task passing the uid=0 check.
    
    This patch rearranges the code to first check uid=0, since if we pass that
    we shouldn't hit the security system at all.  We then check sys_resource,
    since it is the smallest capability which will solve the problem.  Lastly
    we check the fallback everything cap_sysadmin.  We don't want to give this
    capability many places since it is so powerful.
    
    This will eliminate many of the false positive/needless denial messages we
    get when a root task tries to violate the nproc limit.  (note that
    kthreads count against root, so on a sufficiently large machine we can
    actually get past the default limits before any userspace tasks are
    launched.)
    
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/fork.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 08c87e049c8a50707908785d950fd48c334f4c09
Author: Chen Gang <gang.chen@asianux.com>
Date:   Sat Jun 22 13:26:09 2013 +0800

    Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
    
    arch: sparc: kernel: check the memory length before use strcpy().
    
    For the related next strcpy(), the destination length is less than 512,
    but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
    more than 512.
    
    One work flow may:
      openprom_sunos_ioctl() ->  if (cmd == OPROMSETOPT)
        getstrings() ->  will alloc buffer with size 'OPROMMAXPARAM'.
        opromsetopt() ->  devide the buffer into 'var' and 'value'
          of_set_property() -> pass
            prom_setprop() -> pass
              ldom_set_var()
    
    And do not mind the additional 4 alignment buffer increasing, since
    'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/ds.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 12 20:38:45 2013 -0400

    Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
    
    Unlike slub, slab can initally create two of the kmalloc_caches
    which will be used later for generic kmallocs of their particular
    aligned size (since the later loop in the unified allocator code
    skips any already-existing kmalloc_caches)

 mm/slab.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 22:04:59 2013 -0400

    compile fixes

 fs/exec.c |    2 +-
 mm/mmap.c |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

commit e2d027c7e0f106be683c0c72482b8285daefcbe6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:58:40 2013 -0400

    commit successful merges

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    3 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   17 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    4 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/defconfig                                  |    1 -
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/signal.c                           |    9 +-
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |    9 +-
 arch/x86/kernel/sys_x86_64.c                       |    8 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |    1 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  129 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/block/cpqarray.c                           |    1 +
 drivers/cdrom/cdrom.c                              |    4 +-
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/mwave/tp3780i.c                       |    1 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++++------------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    8 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |    9 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  184 ++-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/resize.c                                   |   17 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  234 ++-
 fs/namespace.c                                     |   16 +
 fs/notify/fanotify/fanotify_user.c                 |    1 +
 fs/open.c                                          |   38 +
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 ++-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |    4 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/perf_event.h                         |   13 +-
 include/linux/printk.h                             |    3 +-
 include/linux/sched.h                              |   24 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 +-
 kernel/events/core.c                               |   14 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   64 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    2 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    7 +
 kernel/printk.c                                    |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   70 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    1 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   63 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev_ioctl.c                               |    4 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    4 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netrom/af_netrom.c                             |    1 -
 net/phonet/af_phonet.c                             |    2 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  343 +++-
 security/apparmor/Kconfig                          |    9 +
 security/apparmor/apparmorfs.c                     |  231 ++
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 242 files changed, 4385 insertions(+), 2042 deletions(-)

commit 043a378c0f72ed92cc30182c48abce39867ac93f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 20:57:40 2013 -0400

    Commit merge of new files and rejected patches

 arch/arm/include/asm/thread_info.h     |    6 +-
 arch/arm/kernel/process.c              |    4 +-
 arch/powerpc/include/asm/thread_info.h |    7 +-
 arch/powerpc/mm/slice.c                |    2 +-
 arch/sparc/kernel/process_64.c         |    4 +-
 arch/x86/kernel/vm86_32.c              |   15 +
 fs/coredump.c                          |    1 +
 fs/ext4/balloc.c                       |    4 +-
 fs/namei.c                             |    7 +
 fs/namespace.c                         |    8 +
 fs/pipe.c                              |    2 +-
 fs/proc/inode.c                        |   13 +
 fs/proc/internal.h                     |    3 +
 grsecurity/Kconfig                     | 1054 +++++++++
 grsecurity/Makefile                    |   38 +
 grsecurity/gracl.c                     | 4073 ++++++++++++++++++++++++++++++++
 grsecurity/gracl_alloc.c               |  105 +
 grsecurity/gracl_cap.c                 |  110 +
 grsecurity/gracl_fs.c                  |  431 ++++
 grsecurity/gracl_ip.c                  |  387 +++
 grsecurity/gracl_learn.c               |  207 ++
 grsecurity/gracl_res.c                 |   68 +
 grsecurity/gracl_segv.c                |  305 +++
 grsecurity/gracl_shm.c                 |   40 +
 grsecurity/grsec_chdir.c               |   19 +
 grsecurity/grsec_chroot.c              |  370 +++
 grsecurity/grsec_disabled.c            |  434 ++++
 grsecurity/grsec_exec.c                |  187 ++
 grsecurity/grsec_fifo.c                |   24 +
 grsecurity/grsec_fork.c                |   23 +
 grsecurity/grsec_init.c                |  283 +++
 grsecurity/grsec_link.c                |   58 +
 grsecurity/grsec_log.c                 |  326 +++
 grsecurity/grsec_mem.c                 |   40 +
 grsecurity/grsec_mount.c               |   62 +
 grsecurity/grsec_pax.c                 |   36 +
 grsecurity/grsec_ptrace.c              |   30 +
 grsecurity/grsec_sig.c                 |  246 ++
 grsecurity/grsec_sock.c                |  244 ++
 grsecurity/grsec_sysctl.c              |  469 ++++
 grsecurity/grsec_time.c                |   16 +
 grsecurity/grsec_tpe.c                 |   73 +
 grsecurity/grsum.c                     |   61 +
 include/linux/gracl.h                  |  319 +++
 include/linux/gralloc.h                |    9 +
 include/linux/grdefs.h                 |  140 ++
 include/linux/grinternal.h             |  227 ++
 include/linux/grmsg.h                  |  112 +
 include/linux/grsecurity.h             |  241 ++
 include/linux/grsock.h                 |   19 +
 include/linux/netfilter/xt_gradm.h     |    9 +
 include/linux/proc_fs.h                |   13 +
 include/linux/sched.h                  |   48 +-
 include/trace/events/fs.h              |   53 +
 kernel/kmod.c                          |    7 +-
 kernel/panic.c                         |    2 +-
 kernel/posix-timers.c                  |    1 +
 kernel/time/timekeeping.c              |    2 +
 lib/Kconfig.debug                      |    2 +-
 lib/vsprintf.c                         |   31 +
 localversion-grsec                     |    1 +
 mm/mmap.c                              |   13 +-
 mm/shmem.c                             |    2 +-
 net/core/net-procfs.c                  |    5 +
 net/ipv6/udp.c                         |    3 +
 net/netfilter/xt_gradm.c               |   51 +
 66 files changed, 11184 insertions(+), 21 deletions(-)

commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 17:35:47 2013 -0400

    Initial import of pax-linux-3.10-test1.patch

 Documentation/dontdiff                             |   46 +-
 Documentation/kernel-parameters.txt                |   12 +
 Makefile                                           |  100 +-
 arch/alpha/include/asm/atomic.h                    |   10 +
 arch/alpha/include/asm/elf.h                       |    7 +
 arch/alpha/include/asm/pgalloc.h                   |    6 +
 arch/alpha/include/asm/pgtable.h                   |   11 +
 arch/alpha/kernel/module.c                         |    2 +-
 arch/alpha/kernel/osf_sys.c                        |    8 +-
 arch/alpha/mm/fault.c                              |  141 +-
 arch/arm/Kconfig                                   |    2 +-
 arch/arm/include/asm/atomic.h                      |  444 ++-
 arch/arm/include/asm/cache.h                       |    5 +-
 arch/arm/include/asm/cacheflush.h                  |    2 +-
 arch/arm/include/asm/checksum.h                    |   14 +-
 arch/arm/include/asm/cmpxchg.h                     |    2 +
 arch/arm/include/asm/domain.h                      |   33 +-
 arch/arm/include/asm/elf.h                         |   13 +-
 arch/arm/include/asm/fncpy.h                       |    2 +
 arch/arm/include/asm/futex.h                       |   10 +
 arch/arm/include/asm/kmap_types.h                  |    2 +-
 arch/arm/include/asm/mach/dma.h                    |    2 +-
 arch/arm/include/asm/mach/map.h                    |    7 +-
 arch/arm/include/asm/outercache.h                  |    2 +-
 arch/arm/include/asm/page.h                        |    2 +-
 arch/arm/include/asm/pgalloc.h                     |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h        |    5 +
 arch/arm/include/asm/pgtable-2level.h              |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h        |    2 +
 arch/arm/include/asm/pgtable-3level.h              |    2 +
 arch/arm/include/asm/pgtable.h                     |   56 +-
 arch/arm/include/asm/proc-fns.h                    |    2 +-
 arch/arm/include/asm/processor.h                   |    5 +-
 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/include/asm/smp.h                         |    2 +-
 arch/arm/include/asm/thread_info.h                 |    6 +-
 arch/arm/include/asm/uaccess.h                     |   92 +-
 arch/arm/include/uapi/asm/ptrace.h                 |    2 +-
 arch/arm/kernel/armksyms.c                         |    8 +-
 arch/arm/kernel/entry-armv.S                       |  107 +-
 arch/arm/kernel/entry-common.S                     |   41 +-
 arch/arm/kernel/entry-header.S                     |   60 +
 arch/arm/kernel/fiq.c                              |    2 +
 arch/arm/kernel/head.S                             |    6 +-
 arch/arm/kernel/hw_breakpoint.c                    |    2 +-
 arch/arm/kernel/module.c                           |   29 +-
 arch/arm/kernel/patch.c                            |    2 +
 arch/arm/kernel/perf_event_cpu.c                   |    2 +-
 arch/arm/kernel/process.c                          |   14 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/arm/kernel/setup.c                            |   22 +-
 arch/arm/kernel/signal.c                           |   24 +-
 arch/arm/kernel/smp.c                              |    2 +-
 arch/arm/kernel/traps.c                            |   15 +-
 arch/arm/kernel/vmlinux.lds.S                      |   22 +-
 arch/arm/lib/clear_user.S                          |    6 +-
 arch/arm/lib/copy_from_user.S                      |    6 +-
 arch/arm/lib/copy_page.S                           |    1 +
 arch/arm/lib/copy_to_user.S                        |    6 +-
 arch/arm/lib/csumpartialcopyuser.S                 |    4 +-
 arch/arm/lib/delay.c                               |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c                 |    2 +-
 arch/arm/mach-kirkwood/common.c                    |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                   |    2 +-
 arch/arm/mach-omap2/gpmc.c                         |   22 +-
 arch/arm/mach-omap2/omap-wakeupgen.c               |    2 +-
 arch/arm/mach-omap2/omap_device.c                  |    4 +-
 arch/arm/mach-omap2/omap_device.h                  |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                   |    4 +-
 arch/arm/mach-omap2/wd_timer.c                     |    6 +-
 arch/arm/mach-tegra/cpuidle-tegra20.c              |    2 +-
 arch/arm/mach-ux500/setup.h                        |    7 -
 arch/arm/mm/Kconfig                                |    3 +-
 arch/arm/mm/alignment.c                            |    8 +
 arch/arm/mm/fault.c                                |   91 +
 arch/arm/mm/fault.h                                |   12 +
 arch/arm/mm/init.c                                 |   41 +
 arch/arm/mm/ioremap.c                              |    4 +-
 arch/arm/mm/mmap.c                                 |   30 +-
 arch/arm/mm/mmu.c                                  |  187 +-
 arch/arm/mm/proc-v7-2level.S                       |    3 +
 arch/arm/plat-omap/sram.c                          |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h       |    2 +-
 arch/arm64/kernel/debug-monitors.c                 |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                  |    2 +-
 arch/avr32/include/asm/elf.h                       |    8 +-
 arch/avr32/include/asm/kmap_types.h                |    4 +-
 arch/avr32/mm/fault.c                              |   27 +
 arch/frv/include/asm/atomic.h                      |   10 +
 arch/frv/include/asm/kmap_types.h                  |    2 +-
 arch/frv/mm/elf-fdpic.c                            |    3 +-
 arch/ia64/include/asm/atomic.h                     |   10 +
 arch/ia64/include/asm/elf.h                        |    7 +
 arch/ia64/include/asm/pgalloc.h                    |   12 +
 arch/ia64/include/asm/pgtable.h                    |   13 +-
 arch/ia64/include/asm/spinlock.h                   |    2 +-
 arch/ia64/include/asm/uaccess.h                    |   26 +-
 arch/ia64/kernel/err_inject.c                      |    2 +-
 arch/ia64/kernel/mca.c                             |    2 +-
 arch/ia64/kernel/module.c                          |   48 +-
 arch/ia64/kernel/palinfo.c                         |    2 +-
 arch/ia64/kernel/salinfo.c                         |    2 +-
 arch/ia64/kernel/sys_ia64.c                        |    7 +
 arch/ia64/kernel/topology.c                        |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                     |    2 +-
 arch/ia64/mm/fault.c                               |   32 +-
 arch/ia64/mm/init.c                                |   13 +
 arch/m32r/lib/usercopy.c                           |    6 +
 arch/mips/include/asm/atomic.h                     |   14 +
 arch/mips/include/asm/elf.h                        |   11 +-
 arch/mips/include/asm/exec.h                       |    2 +-
 arch/mips/include/asm/page.h                       |    2 +-
 arch/mips/include/asm/pgalloc.h                    |    5 +
 arch/mips/kernel/binfmt_elfn32.c                   |    7 +
 arch/mips/kernel/binfmt_elfo32.c                   |    7 +
 arch/mips/kernel/process.c                         |   12 -
 arch/mips/mm/fault.c                               |   17 +
 arch/mips/mm/mmap.c                                |   51 +-
 arch/parisc/include/asm/atomic.h                   |   10 +
 arch/parisc/include/asm/elf.h                      |    7 +
 arch/parisc/include/asm/pgalloc.h                  |    6 +
 arch/parisc/include/asm/pgtable.h                  |   11 +
 arch/parisc/include/asm/uaccess.h                  |    4 +-
 arch/parisc/kernel/module.c                        |   50 +-
 arch/parisc/kernel/sys_parisc.c                    |    9 +-
 arch/parisc/kernel/traps.c                         |    4 +-
 arch/parisc/mm/fault.c                             |  140 +-
 arch/powerpc/include/asm/atomic.h                  |   10 +
 arch/powerpc/include/asm/elf.h                     |   19 +-
 arch/powerpc/include/asm/exec.h                    |    2 +-
 arch/powerpc/include/asm/kmap_types.h              |    2 +-
 arch/powerpc/include/asm/mman.h                    |    2 +-
 arch/powerpc/include/asm/page.h                    |    8 +-
 arch/powerpc/include/asm/page_64.h                 |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h              |    7 +
 arch/powerpc/include/asm/pgtable.h                 |    1 +
 arch/powerpc/include/asm/pte-hash32.h              |    1 +
 arch/powerpc/include/asm/reg.h                     |    1 +
 arch/powerpc/include/asm/smp.h                     |    2 +-
 arch/powerpc/include/asm/uaccess.h                 |  140 +-
 arch/powerpc/kernel/exceptions-64e.S               |    4 +-
 arch/powerpc/kernel/exceptions-64s.S               |    2 +-
 arch/powerpc/kernel/module_32.c                    |   13 +-
 arch/powerpc/kernel/process.c                      |   55 -
 arch/powerpc/kernel/signal_32.c                    |    2 +-
 arch/powerpc/kernel/signal_64.c                    |    2 +-
 arch/powerpc/kernel/sysfs.c                        |    2 +-
 arch/powerpc/kernel/vdso.c                         |    5 +-
 arch/powerpc/lib/usercopy_64.c                     |   18 -
 arch/powerpc/mm/fault.c                            |   54 +-
 arch/powerpc/mm/mmap_64.c                          |   16 +
 arch/powerpc/mm/mmu_context_nohash.c               |    2 +-
 arch/powerpc/mm/numa.c                             |    2 +-
 arch/powerpc/mm/slice.c                            |   13 +-
 arch/powerpc/platforms/cell/spufs/file.c           |    4 +-
 arch/powerpc/platforms/powermac/smp.c              |    2 +-
 arch/s390/include/asm/atomic.h                     |   10 +
 arch/s390/include/asm/elf.h                        |   13 +-
 arch/s390/include/asm/exec.h                       |    2 +-
 arch/s390/include/asm/uaccess.h                    |   15 +-
 arch/s390/kernel/module.c                          |   22 +-
 arch/s390/kernel/process.c                         |   36 -
 arch/s390/mm/mmap.c                                |   24 +
 arch/score/include/asm/exec.h                      |    2 +-
 arch/score/kernel/process.c                        |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c                 |    2 +-
 arch/sh/mm/mmap.c                                  |   22 +-
 arch/sparc/include/asm/atomic_64.h                 |  106 +-
 arch/sparc/include/asm/cache.h                     |    2 +-
 arch/sparc/include/asm/elf_32.h                    |    7 +
 arch/sparc/include/asm/elf_64.h                    |    7 +
 arch/sparc/include/asm/pgalloc_32.h                |    1 +
 arch/sparc/include/asm/pgalloc_64.h                |    1 +
 arch/sparc/include/asm/pgtable_32.h                |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                  |    5 +
 arch/sparc/include/asm/spinlock_64.h               |   35 +-
 arch/sparc/include/asm/thread_info_32.h            |    2 +
 arch/sparc/include/asm/thread_info_64.h            |    2 +
 arch/sparc/include/asm/uaccess.h                   |    1 +
 arch/sparc/include/asm/uaccess_32.h                |   27 +-
 arch/sparc/include/asm/uaccess_64.h                |   19 +-
 arch/sparc/kernel/Makefile                         |    2 +-
 arch/sparc/kernel/prom_common.c                    |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                   |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                   |   48 +-
 arch/sparc/kernel/sysfs.c                          |    2 +-
 arch/sparc/kernel/traps_64.c                       |   13 +-
 arch/sparc/lib/Makefile                            |    2 +-
 arch/sparc/lib/atomic_64.S                         |  136 +-
 arch/sparc/lib/ksyms.c                             |    6 +
 arch/sparc/mm/Makefile                             |    2 +-
 arch/sparc/mm/fault_32.c                           |  292 +
 arch/sparc/mm/fault_64.c                           |  486 ++
 arch/sparc/mm/hugetlbpage.c                        |   21 +-
 arch/tile/include/asm/atomic_64.h                  |   10 +
 arch/tile/include/asm/uaccess.h                    |    4 +-
 arch/um/Makefile                                   |    4 +
 arch/um/include/asm/kmap_types.h                   |    2 +-
 arch/um/include/asm/page.h                         |    3 +
 arch/um/include/asm/pgtable-3level.h               |    1 +
 arch/um/kernel/process.c                           |   16 -
 arch/x86/Kconfig                                   |   10 +-
 arch/x86/Kconfig.cpu                               |    6 +-
 arch/x86/Kconfig.debug                             |    4 +-
 arch/x86/Makefile                                  |   10 +
 arch/x86/boot/Makefile                             |    3 +
 arch/x86/boot/bitops.h                             |    4 +-
 arch/x86/boot/boot.h                               |    4 +-
 arch/x86/boot/compressed/Makefile                  |    3 +
 arch/x86/boot/compressed/eboot.c                   |    2 -
 arch/x86/boot/compressed/efi_stub_32.S             |   16 +-
 arch/x86/boot/compressed/head_32.S                 |    7 +-
 arch/x86/boot/compressed/head_64.S                 |    8 +-
 arch/x86/boot/compressed/misc.c                    |    4 +-
 arch/x86/boot/cpucheck.c                           |   28 +-
 arch/x86/boot/header.S                             |    6 +-
 arch/x86/boot/memory.c                             |    2 +-
 arch/x86/boot/video-vesa.c                         |    1 +
 arch/x86/boot/video.c                              |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S                |    4 +
 arch/x86/crypto/aesni-intel_asm.S                  |   22 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/camellia-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S          |    7 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S          |    9 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S            |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S       |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                   |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S       |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S            |    3 +
 arch/x86/ia32/ia32_signal.c                        |   14 +-
 arch/x86/ia32/ia32entry.S                          |  141 +-
 arch/x86/ia32/sys_ia32.c                           |    4 +-
 arch/x86/include/asm/alternative-asm.h             |   39 +
 arch/x86/include/asm/alternative.h                 |    4 +-
 arch/x86/include/asm/apic.h                        |    2 +-
 arch/x86/include/asm/apm.h                         |    4 +-
 arch/x86/include/asm/atomic.h                      |  307 +-
 arch/x86/include/asm/atomic64_32.h                 |  100 +
 arch/x86/include/asm/atomic64_64.h                 |  202 +-
 arch/x86/include/asm/bitops.h                      |    4 +-
 arch/x86/include/asm/boot.h                        |    7 +-
 arch/x86/include/asm/cache.h                       |    5 +-
 arch/x86/include/asm/cacheflush.h                  |    2 +-
 arch/x86/include/asm/checksum_32.h                 |   12 +-
 arch/x86/include/asm/cmpxchg.h                     |   35 +
 arch/x86/include/asm/compat.h                      |    2 +-
 arch/x86/include/asm/cpufeature.h                  |    4 +-
 arch/x86/include/asm/desc.h                        |   67 +-
 arch/x86/include/asm/desc_defs.h                   |    6 +
 arch/x86/include/asm/div64.h                       |    2 +-
 arch/x86/include/asm/elf.h                         |   31 +-
 arch/x86/include/asm/emergency-restart.h           |    2 +-
 arch/x86/include/asm/fpu-internal.h                |    6 +-
 arch/x86/include/asm/futex.h                       |   16 +-
 arch/x86/include/asm/hw_irq.h                      |    4 +-
 arch/x86/include/asm/i8259.h                       |    2 +-
 arch/x86/include/asm/io.h                          |   21 +-
 arch/x86/include/asm/irqflags.h                    |    5 +
 arch/x86/include/asm/kprobes.h                     |    9 +-
 arch/x86/include/asm/local.h                       |  142 +-
 arch/x86/include/asm/mman.h                        |   15 +
 arch/x86/include/asm/mmu.h                         |   16 +-
 arch/x86/include/asm/mmu_context.h                 |   76 +-
 arch/x86/include/asm/module.h                      |   17 +-
 arch/x86/include/asm/nmi.h                         |    6 +-
 arch/x86/include/asm/page.h                        |    1 +
 arch/x86/include/asm/page_64.h                     |    4 +-
 arch/x86/include/asm/paravirt.h                    |   46 +-
 arch/x86/include/asm/paravirt_types.h              |   17 +-
 arch/x86/include/asm/pgalloc.h                     |   23 +
 arch/x86/include/asm/pgtable-2level.h              |    2 +
 arch/x86/include/asm/pgtable-3level.h              |    4 +
 arch/x86/include/asm/pgtable.h                     |  122 +-
 arch/x86/include/asm/pgtable_32.h                  |   14 +-
 arch/x86/include/asm/pgtable_32_types.h            |   15 +-
 arch/x86/include/asm/pgtable_64.h                  |   19 +-
 arch/x86/include/asm/pgtable_64_types.h            |    5 +
 arch/x86/include/asm/pgtable_types.h               |   36 +-
 arch/x86/include/asm/processor.h                   |   39 +-
 arch/x86/include/asm/ptrace.h                      |   26 +-
 arch/x86/include/asm/realmode.h                    |    4 +-
 arch/x86/include/asm/reboot.h                      |   10 +-
 arch/x86/include/asm/rwsem.h                       |   60 +-
 arch/x86/include/asm/segment.h                     |   24 +-
 arch/x86/include/asm/smp.h                         |   14 +-
 arch/x86/include/asm/spinlock.h                    |   36 +-
 arch/x86/include/asm/stackprotector.h              |    4 +-
 arch/x86/include/asm/stacktrace.h                  |   32 +-
 arch/x86/include/asm/switch_to.h                   |    4 +-
 arch/x86/include/asm/thread_info.h                 |   83 +-
 arch/x86/include/asm/uaccess.h                     |   96 +-
 arch/x86/include/asm/uaccess_32.h                  |  106 +-
 arch/x86/include/asm/uaccess_64.h                  |  232 +-
 arch/x86/include/asm/word-at-a-time.h              |    2 +-
 arch/x86/include/asm/x86_init.h                    |   10 +-
 arch/x86/include/asm/xsave.h                       |   10 +-
 arch/x86/include/uapi/asm/e820.h                   |    2 +-
 arch/x86/kernel/Makefile                           |    2 +-
 arch/x86/kernel/acpi/boot.c                        |    4 +-
 arch/x86/kernel/acpi/sleep.c                       |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                   |    6 +-
 arch/x86/kernel/alternative.c                      |   65 +-
 arch/x86/kernel/apic/apic.c                        |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c                |    4 +-
 arch/x86/kernel/apic/apic_noop.c                   |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                   |    2 +-
 arch/x86/kernel/apic/es7000_32.c                   |    5 +-
 arch/x86/kernel/apic/io_apic.c                     |    8 +-
 arch/x86/kernel/apic/numaq_32.c                    |    3 +-
 arch/x86/kernel/apic/probe_32.c                    |    2 +-
 arch/x86/kernel/apic/summit_32.c                   |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c              |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c                 |    2 +-
 arch/x86/kernel/apm_32.c                           |   19 +-
 arch/x86/kernel/asm-offsets.c                      |   20 +
 arch/x86/kernel/asm-offsets_64.c                   |    1 +
 arch/x86/kernel/cpu/Makefile                       |    4 -
 arch/x86/kernel/cpu/amd.c                          |    2 +-
 arch/x86/kernel/cpu/common.c                       |   75 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c              |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |   33 +-
 arch/x86/kernel/cpu/mcheck/p5.c                    |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c           |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c               |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                    |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                    |    2 +-
 arch/x86/kernel/cpu/perf_event.c                   |    8 +-
 arch/x86/kernel/cpu/perf_event_intel.c             |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c      |    4 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h      |    2 +-
 arch/x86/kernel/cpuid.c                            |    2 +-
 arch/x86/kernel/crash.c                            |    4 +-
 arch/x86/kernel/crash_dump_64.c                    |    2 +-
 arch/x86/kernel/doublefault_32.c                   |    8 +-
 arch/x86/kernel/dumpstack.c                        |   28 +-
 arch/x86/kernel/dumpstack_32.c                     |   34 +-
 arch/x86/kernel/dumpstack_64.c                     |   61 +-
 arch/x86/kernel/e820.c                             |    4 +-
 arch/x86/kernel/early_printk.c                     |    1 +
 arch/x86/kernel/entry_32.S                         |  354 +-
 arch/x86/kernel/entry_64.S                         |  548 ++-
 arch/x86/kernel/ftrace.c                           |   14 +-
 arch/x86/kernel/head64.c                           |   13 +-
 arch/x86/kernel/head_32.S                          |  237 +-
 arch/x86/kernel/head_64.S                          |  143 +-
 arch/x86/kernel/i386_ksyms_32.c                    |    8 +
 arch/x86/kernel/i387.c                             |    2 +-
 arch/x86/kernel/i8259.c                            |   10 +-
 arch/x86/kernel/io_delay.c                         |    2 +-
 arch/x86/kernel/ioport.c                           |    2 +-
 arch/x86/kernel/irq.c                              |    8 +-
 arch/x86/kernel/irq_32.c                           |   69 +-
 arch/x86/kernel/irq_64.c                           |    2 +-
 arch/x86/kernel/kdebugfs.c                         |    2 +-
 arch/x86/kernel/kgdb.c                             |   25 +-
 arch/x86/kernel/kprobes/core.c                     |   30 +-
 arch/x86/kernel/kprobes/opt.c                      |   16 +-
 arch/x86/kernel/kvm.c                              |    2 +-
 arch/x86/kernel/ldt.c                              |   31 +-
 arch/x86/kernel/machine_kexec_32.c                 |    6 +-
 arch/x86/kernel/microcode_core.c                   |    2 +-
 arch/x86/kernel/microcode_intel.c                  |    4 +-
 arch/x86/kernel/module.c                           |   76 +-
 arch/x86/kernel/msr.c                              |    2 +-
 arch/x86/kernel/nmi.c                              |   19 +-
 arch/x86/kernel/nmi_selftest.c                     |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c               |    2 +-
 arch/x86/kernel/paravirt.c                         |   43 +-
 arch/x86/kernel/pci-calgary_64.c                   |    2 +-
 arch/x86/kernel/pci-iommu_table.c                  |    2 +-
 arch/x86/kernel/pci-swiotlb.c                      |    2 +-
 arch/x86/kernel/process.c                          |   55 +-
 arch/x86/kernel/process_32.c                       |   29 +-
 arch/x86/kernel/process_64.c                       |   15 +-
 arch/x86/kernel/ptrace.c                           |   25 +-
 arch/x86/kernel/pvclock.c                          |    8 +-
 arch/x86/kernel/reboot.c                           |   44 +-
 arch/x86/kernel/relocate_kernel_64.S               |    2 +
 arch/x86/kernel/setup.c                            |   21 +-
 arch/x86/kernel/setup_percpu.c                     |   29 +-
 arch/x86/kernel/signal.c                           |   15 +-
 arch/x86/kernel/smp.c                              |    2 +-
 arch/x86/kernel/smpboot.c                          |   15 +-
 arch/x86/kernel/step.c                             |   10 +-
 arch/x86/kernel/sys_i386_32.c                      |  184 +
 arch/x86/kernel/sys_x86_64.c                       |   22 +-
 arch/x86/kernel/tboot.c                            |   14 +-
 arch/x86/kernel/time.c                             |   10 +-
 arch/x86/kernel/tls.c                              |    7 +-
 arch/x86/kernel/traps.c                            |   64 +-
 arch/x86/kernel/uprobes.c                          |    4 +-
 arch/x86/kernel/vm86_32.c                          |    6 +-
 arch/x86/kernel/vmlinux.lds.S                      |  148 +-
 arch/x86/kernel/vsyscall_64.c                      |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                   |    2 -
 arch/x86/kernel/x86_init.c                         |    8 +-
 arch/x86/kernel/xsave.c                            |    2 +
 arch/x86/kvm/cpuid.c                               |   21 +-
 arch/x86/kvm/emulate.c                             |    4 +-
 arch/x86/kvm/lapic.c                               |    2 +-
 arch/x86/kvm/paging_tmpl.h                         |    2 +-
 arch/x86/kvm/svm.c                                 |    8 +
 arch/x86/kvm/vmx.c                                 |   61 +-
 arch/x86/kvm/x86.c                                 |    8 +-
 arch/x86/lguest/boot.c                             |    3 +-
 arch/x86/lib/atomic64_386_32.S                     |  164 +
 arch/x86/lib/atomic64_cx8_32.S                     |  103 +-
 arch/x86/lib/checksum_32.S                         |  100 +-
 arch/x86/lib/clear_page_64.S                       |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                      |    2 +
 arch/x86/lib/copy_page_64.S                        |   24 +-
 arch/x86/lib/copy_user_64.S                        |   47 +-
 arch/x86/lib/copy_user_nocache_64.S                |   20 +-
 arch/x86/lib/csum-copy_64.S                        |    2 +
 arch/x86/lib/csum-wrappers_64.c                    |    4 +-
 arch/x86/lib/getuser.S                             |   70 +-
 arch/x86/lib/insn.c                                |    6 +-
 arch/x86/lib/iomap_copy_64.S                       |    2 +
 arch/x86/lib/memcpy_64.S                           |   18 +-
 arch/x86/lib/memmove_64.S                          |   34 +-
 arch/x86/lib/memset_64.S                           |    7 +-
 arch/x86/lib/mmx_32.c                              |  243 +-
 arch/x86/lib/msr-reg.S                             |   18 +-
 arch/x86/lib/putuser.S                             |   90 +-
 arch/x86/lib/rwlock.S                              |   42 +
 arch/x86/lib/rwsem.S                               |    6 +-
 arch/x86/lib/thunk_64.S                            |    2 +
 arch/x86/lib/usercopy_32.c                         |  363 +-
 arch/x86/lib/usercopy_64.c                         |   13 +-
 arch/x86/mm/extable.c                              |   25 +-
 arch/x86/mm/fault.c                                |  556 ++-
 arch/x86/mm/gup.c                                  |    2 +-
 arch/x86/mm/highmem_32.c                           |    4 +
 arch/x86/mm/hugetlbpage.c                          |   30 +-
 arch/x86/mm/init.c                                 |   98 +-
 arch/x86/mm/init_32.c                              |  113 +-
 arch/x86/mm/init_64.c                              |   38 +-
 arch/x86/mm/iomap_32.c                             |    4 +
 arch/x86/mm/ioremap.c                              |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                  |    4 +-
 arch/x86/mm/mmap.c                                 |   41 +-
 arch/x86/mm/mmio-mod.c                             |   10 +-
 arch/x86/mm/numa.c                                 |    2 +-
 arch/x86/mm/pageattr-test.c                        |    2 +-
 arch/x86/mm/pageattr.c                             |   33 +-
 arch/x86/mm/pat.c                                  |   12 +-
 arch/x86/mm/pat_rbtree.c                           |    2 +-
 arch/x86/mm/pf_in.c                                |   10 +-
 arch/x86/mm/pgtable.c                              |  137 +-
 arch/x86/mm/pgtable_32.c                           |    3 +
 arch/x86/mm/physaddr.c                             |    4 +-
 arch/x86/mm/setup_nx.c                             |    7 +
 arch/x86/mm/tlb.c                                  |    4 +
 arch/x86/net/bpf_jit.S                             |   14 +
 arch/x86/net/bpf_jit_comp.c                        |   37 +-
 arch/x86/oprofile/backtrace.c                      |    8 +-
 arch/x86/oprofile/nmi_int.c                        |    8 +-
 arch/x86/oprofile/op_model_amd.c                   |    8 +-
 arch/x86/oprofile/op_model_ppro.c                  |    7 +-
 arch/x86/oprofile/op_x86_model.h                   |    2 +-
 arch/x86/pci/amd_bus.c                             |    2 +-
 arch/x86/pci/irq.c                                 |    8 +-
 arch/x86/pci/mrst.c                                |    4 +-
 arch/x86/pci/pcbios.c                              |  144 +-
 arch/x86/platform/efi/efi_32.c                     |   24 +
 arch/x86/platform/efi/efi_64.c                     |   10 +
 arch/x86/platform/efi/efi_stub_32.S                |   64 +-
 arch/x86/platform/efi/efi_stub_64.S                |    8 +
 arch/x86/platform/mrst/mrst.c                      |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                   |    2 +-
 arch/x86/power/cpu.c                               |   11 +-
 arch/x86/realmode/init.c                           |   10 +-
 arch/x86/realmode/rm/Makefile                      |    3 +
 arch/x86/realmode/rm/header.S                      |    4 +-
 arch/x86/realmode/rm/trampoline_32.S               |   12 +-
 arch/x86/realmode/rm/trampoline_64.S               |    2 +-
 arch/x86/tools/Makefile                            |    2 +-
 arch/x86/tools/relocs.c                            |   94 +-
 arch/x86/um/tls_32.c                               |    2 +-
 arch/x86/vdso/Makefile                             |    2 +-
 arch/x86/vdso/vdso32-setup.c                       |   23 +-
 arch/x86/vdso/vma.c                                |   29 +-
 arch/x86/xen/enlighten.c                           |   47 +-
 arch/x86/xen/mmu.c                                 |    9 +
 arch/x86/xen/smp.c                                 |   18 +-
 arch/x86/xen/xen-asm_32.S                          |   12 +-
 arch/x86/xen/xen-head.S                            |   11 +
 arch/x86/xen/xen-ops.h                             |    2 -
 block/blk-iopoll.c                                 |    4 +-
 block/blk-map.c                                    |    2 +-
 block/blk-softirq.c                                |    4 +-
 block/bsg.c                                        |   12 +-
 block/compat_ioctl.c                               |    2 +-
 block/genhd.c                                      |   11 +-
 block/partitions/efi.c                             |    8 +-
 block/scsi_ioctl.c                                 |   27 +-
 crypto/algapi.c                                    |    2 +-
 crypto/cryptd.c                                    |    4 +-
 crypto/pcrypt.c                                    |    6 +-
 drivers/acpi/apei/apei-internal.h                  |    2 +-
 drivers/acpi/apei/cper.c                           |    8 +-
 drivers/acpi/bgrt.c                                |    6 +-
 drivers/acpi/blacklist.c                           |    4 +-
 drivers/acpi/ec_sys.c                              |   12 +-
 drivers/acpi/processor_idle.c                      |    2 +-
 drivers/acpi/sysfs.c                               |    4 +-
 drivers/ata/libahci.c                              |    2 +-
 drivers/ata/libata-core.c                          |    8 +-
 drivers/ata/pata_arasan_cf.c                       |    4 +-
 drivers/atm/adummy.c                               |    2 +-
 drivers/atm/ambassador.c                           |    8 +-
 drivers/atm/atmtcp.c                               |   14 +-
 drivers/atm/eni.c                                  |   10 +-
 drivers/atm/firestream.c                           |    8 +-
 drivers/atm/fore200e.c                             |   14 +-
 drivers/atm/he.c                                   |   18 +-
 drivers/atm/horizon.c                              |    4 +-
 drivers/atm/idt77252.c                             |   36 +-
 drivers/atm/iphase.c                               |   34 +-
 drivers/atm/lanai.c                                |   12 +-
 drivers/atm/nicstar.c                              |   46 +-
 drivers/atm/solos-pci.c                            |    4 +-
 drivers/atm/suni.c                                 |    4 +-
 drivers/atm/uPD98402.c                             |   16 +-
 drivers/atm/zatm.c                                 |    6 +-
 drivers/base/attribute_container.c                 |    2 +-
 drivers/base/bus.c                                 |    4 +-
 drivers/base/devtmpfs.c                            |    8 +-
 drivers/base/node.c                                |    2 +-
 drivers/base/power/domain.c                        |    4 +-
 drivers/base/power/sysfs.c                         |    2 +-
 drivers/base/power/wakeup.c                        |    8 +-
 drivers/base/syscore.c                             |    4 +-
 drivers/block/cciss.c                              |   28 +-
 drivers/block/cciss.h                              |    2 +-
 drivers/block/cpqarray.c                           |   28 +-
 drivers/block/cpqarray.h                           |    2 +-
 drivers/block/drbd/drbd_int.h                      |    6 +-
 drivers/block/drbd/drbd_main.c                     |    8 +-
 drivers/block/drbd/drbd_receiver.c                 |   22 +-
 drivers/block/loop.c                               |    2 +-
 drivers/block/nbd.c                                |    2 +-
 drivers/block/pktcdvd.c                            |    2 +-
 drivers/cdrom/cdrom.c                              |   11 +-
 drivers/cdrom/gdrom.c                              |    1 -
 drivers/char/agp/compat_ioctl.c                    |    2 +-
 drivers/char/agp/frontend.c                        |    4 +-
 drivers/char/hpet.c                                |    2 +-
 drivers/char/hw_random/intel-rng.c                 |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c                |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                   |    8 +-
 drivers/char/mem.c                                 |   45 +-
 drivers/char/nvram.c                               |    2 +-
 drivers/char/pcmcia/synclink_cs.c                  |   18 +-
 drivers/char/random.c                              |   10 +-
 drivers/char/sonypi.c                              |    9 +-
 drivers/char/tpm/tpm_acpi.c                        |    3 +-
 drivers/char/tpm/tpm_eventlog.c                    |    7 +-
 drivers/char/virtio_console.c                      |    4 +-
 drivers/clk/clk-composite.c                        |    2 +-
 drivers/clocksource/arm_arch_timer.c               |    2 +-
 drivers/clocksource/metag_generic.c                |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                     |   20 +-
 drivers/cpufreq/cpufreq.c                          |    9 +-
 drivers/cpufreq/cpufreq_governor.c                 |    6 +-
 drivers/cpufreq/cpufreq_governor.h                 |    2 +-
 drivers/cpufreq/cpufreq_ondemand.c                 |    8 +-
 drivers/cpufreq/cpufreq_stats.c                    |    2 +-
 drivers/cpufreq/p4-clockmod.c                      |   12 +-
 drivers/cpufreq/sparc-us3-cpufreq.c                |   69 +-
 drivers/cpufreq/speedstep-centrino.c               |    7 +-
 drivers/cpuidle/cpuidle.c                          |    2 +-
 drivers/cpuidle/governor.c                         |    4 +-
 drivers/cpuidle/sysfs.c                            |    2 +-
 drivers/devfreq/devfreq.c                          |    6 +-
 drivers/dma/sh/shdma.c                             |    2 +-
 drivers/edac/edac_mc_sysfs.c                       |   12 +-
 drivers/edac/edac_pci_sysfs.c                      |   22 +-
 drivers/edac/mce_amd.h                             |    2 +-
 drivers/firewire/core-card.c                       |    2 +-
 drivers/firewire/core-device.c                     |    2 +-
 drivers/firewire/core-transaction.c                |    1 +
 drivers/firewire/core.h                            |    1 +
 drivers/firmware/dmi-id.c                          |    2 +-
 drivers/firmware/dmi_scan.c                        |    7 +-
 drivers/firmware/efi/efi.c                         |   12 +-
 drivers/firmware/efi/efivars.c                     |    2 +-
 drivers/firmware/google/memconsole.c               |    4 +-
 drivers/gpio/gpio-ich.c                            |    2 +-
 drivers/gpio/gpio-vr41xx.c                         |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                  |    2 +-
 drivers/gpu/drm/drm_drv.c                          |    6 +-
 drivers/gpu/drm/drm_fops.c                         |   18 +-
 drivers/gpu/drm/drm_global.c                       |   14 +-
 drivers/gpu/drm/drm_info.c                         |   14 +-
 drivers/gpu/drm/drm_ioc32.c                        |   13 +-
 drivers/gpu/drm/drm_ioctl.c                        |    2 +-
 drivers/gpu/drm/drm_lock.c                         |    4 +-
 drivers/gpu/drm/drm_stub.c                         |    2 +-
 drivers/gpu/drm/drm_sysfs.c                        |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                    |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c                |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                    |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c         |    4 +-
 drivers/gpu/drm/i915/i915_ioc32.c                  |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                    |   22 +-
 drivers/gpu/drm/i915/intel_display.c               |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                      |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                    |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                      |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c             |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h              |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c              |    4 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c              |    2 +-
 drivers/gpu/drm/qxl/qxl_ttm.c                      |   38 +-
 drivers/gpu/drm/r128/r128_cce.c                    |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                    |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                  |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                    |    4 +-
 drivers/gpu/drm/r128/r128_state.c                  |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c                |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c             |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h                |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c              |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c                |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c                |   57 +-
 drivers/gpu/drm/radeon/rs690.c                     |    4 +-
 drivers/gpu/drm/ttm/ttm_memory.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c               |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                       |    1 -
 drivers/gpu/drm/via/via_drv.h                      |    4 +-
 drivers/gpu/drm/via/via_irq.c                      |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h                |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c               |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c                |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c             |    2 +-
 drivers/hid/hid-core.c                             |    4 +-
 drivers/hv/channel.c                               |    4 +-
 drivers/hv/hv.c                                    |    2 +-
 drivers/hv/hyperv_vmbus.h                          |    2 +-
 drivers/hv/vmbus_drv.c                             |    4 +-
 drivers/hwmon/acpi_power_meter.c                   |    4 +-
 drivers/hwmon/applesmc.c                           |    2 +-
 drivers/hwmon/asus_atk0110.c                       |   10 +-
 drivers/hwmon/coretemp.c                           |    2 +-
 drivers/hwmon/ibmaem.c                             |    2 +-
 drivers/hwmon/iio_hwmon.c                          |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +-
 drivers/hwmon/sht15.c                              |   12 +-
 drivers/hwmon/via-cputemp.c                        |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c              |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c             |    2 +-
 drivers/i2c/i2c-dev.c                              |    2 +-
 drivers/ide/ide-cd.c                               |    2 +-
 drivers/iio/industrialio-core.c                    |    2 +-
 drivers/infiniband/core/cm.c                       |   32 +-
 drivers/infiniband/core/fmr_pool.c                 |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                  |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c             |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c            |    6 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c            |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c             |    2 +-
 drivers/infiniband/hw/nes/nes.c                    |    4 +-
 drivers/infiniband/hw/nes/nes.h                    |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c                 |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c                |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c                |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c              |   10 +-
 drivers/infiniband/hw/qib/qib.h                    |    1 +
 drivers/input/gameport/gameport.c                  |    4 +-
 drivers/input/input.c                              |    4 +-
 drivers/input/joystick/sidewinder.c                |    1 +
 drivers/input/joystick/xpad.c                      |    4 +-
 drivers/input/mouse/psmouse.h                      |    2 +-
 drivers/input/mousedev.c                           |    2 +-
 drivers/input/serio/serio.c                        |    4 +-
 drivers/iommu/iommu.c                              |    2 +-
 drivers/iommu/irq_remapping.c                      |   12 +-
 drivers/irqchip/irq-gic.c                          |    4 +-
 drivers/isdn/capi/capi.c                           |   10 +-
 drivers/isdn/gigaset/interface.c                   |    8 +-
 drivers/isdn/hardware/avm/b1.c                     |    4 +-
 drivers/isdn/i4l/isdn_tty.c                        |   22 +-
 drivers/isdn/icn/icn.c                             |    2 +-
 drivers/leds/leds-clevo-mail.c                     |    2 +-
 drivers/leds/leds-ss4200.c                         |    2 +-
 drivers/lguest/core.c                              |   10 +-
 drivers/lguest/page_tables.c                       |    2 +-
 drivers/lguest/x86/core.c                          |   12 +-
 drivers/lguest/x86/switcher_32.S                   |   27 +-
 drivers/md/bcache/closure.h                        |    2 +-
 drivers/md/bitmap.c                                |    2 +-
 drivers/md/dm-ioctl.c                              |    2 +-
 drivers/md/dm-raid1.c                              |   16 +-
 drivers/md/dm-stripe.c                             |   10 +-
 drivers/md/dm-table.c                              |    2 +-
 drivers/md/dm-thin-metadata.c                      |    4 +-
 drivers/md/dm.c                                    |   16 +-
 drivers/md/md.c                                    |   26 +-
 drivers/md/md.h                                    |    6 +-
 drivers/md/persistent-data/dm-space-map.h          |    1 +
 drivers/md/raid1.c                                 |    4 +-
 drivers/md/raid10.c                                |   16 +-
 drivers/md/raid5.c                                 |   10 +-
 drivers/media/dvb-core/dvbdev.c                    |    2 +-
 drivers/media/dvb-frontends/dib3000.h              |    2 +-
 drivers/media/pci/cx88/cx88-video.c                |    6 +-
 drivers/media/platform/omap/omap_vout.c            |   11 +-
 drivers/media/platform/s5p-tv/mixer.h              |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c    |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c          |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c        |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c     |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                  |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c                 |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |    6 +-
 drivers/media/v4l2-core/v4l2-ioctl.c               |   11 +-
 drivers/message/fusion/mptsas.c                    |   34 +-
 drivers/message/fusion/mptscsih.c                  |   19 +-
 drivers/message/i2o/i2o_proc.c                     |   51 +-
 drivers/message/i2o/iop.c                          |    8 +-
 drivers/mfd/janz-cmodio.c                          |    1 +
 drivers/mfd/twl4030-irq.c                          |    9 +-
 drivers/mfd/twl6030-irq.c                          |   10 +-
 drivers/misc/c2port/core.c                         |    4 +-
 drivers/misc/kgdbts.c                              |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c                 |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h                 |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                  |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                   |    8 +-
 drivers/misc/sgi-gru/grutables.h                   |  154 +-
 drivers/misc/sgi-xp/xp.h                           |    2 +-
 drivers/misc/sgi-xp/xpc.h                          |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                     |    4 +-
 drivers/mmc/core/mmc_ops.c                         |    2 +-
 drivers/mmc/host/dw_mmc.h                          |    2 +-
 drivers/mmc/host/sdhci-s3c.c                       |    8 +-
 drivers/mtd/nand/denali.c                          |    1 +
 drivers/mtd/nftlmount.c                            |    1 +
 drivers/mtd/sm_ftl.c                               |    2 +-
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/ethernet/8390/ax88796.c                |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h    |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c     |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h     |    3 +-
 drivers/net/ethernet/broadcom/tg3.h                |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h           |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c             |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c           |    2 +
 drivers/net/ethernet/faraday/ftmac100.c            |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c       |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c   |    7 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +-
 drivers/net/ethernet/realtek/r8169.c               |    8 +-
 drivers/net/ethernet/sfc/ptp.c                     |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c     |    4 +-
 drivers/net/hyperv/hyperv_net.h                    |    2 +-
 drivers/net/hyperv/rndis_filter.c                  |    4 +-
 drivers/net/ieee802154/fakehard.c                  |    2 +-
 drivers/net/macvlan.c                              |   18 +-
 drivers/net/macvtap.c                              |    2 +-
 drivers/net/ppp/ppp_generic.c                      |    4 +-
 drivers/net/slip/slhc.c                            |    2 +-
 drivers/net/team/team.c                            |    2 +-
 drivers/net/tun.c                                  |    5 +-
 drivers/net/usb/hso.c                              |   23 +-
 drivers/net/vxlan.c                                |    2 +-
 drivers/net/wireless/at76c50x-usb.c                |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c        |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c        |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h                |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c           |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c         |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c          |    4 +-
 drivers/net/wireless/mac80211_hwsim.c              |   32 +-
 drivers/net/wireless/rndis_wlan.c                  |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h               |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c          |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c              |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c              |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c              |    6 +-
 drivers/oprofile/buffer_sync.c                     |    8 +-
 drivers/oprofile/event_buffer.c                    |    2 +-
 drivers/oprofile/oprof.c                           |    2 +-
 drivers/oprofile/oprofile_files.c                  |    2 +-
 drivers/oprofile/oprofile_stats.c                  |   10 +-
 drivers/oprofile/oprofile_stats.h                  |   10 +-
 drivers/oprofile/oprofilefs.c                      |    2 +-
 drivers/oprofile/timer_int.c                       |    2 +-
 drivers/parport/procfs.c                           |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                  |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c               |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c                |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c                 |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c             |    6 +-
 drivers/pci/hotplug/pciehp_core.c                  |    2 +-
 drivers/pci/pci-sysfs.c                            |    6 +-
 drivers/pci/pci.h                                  |    2 +-
 drivers/pci/pcie/aspm.c                            |    6 +-
 drivers/pci/probe.c                                |    2 +-
 drivers/platform/x86/chromeos_laptop.c             |    2 +-
 drivers/platform/x86/msi-laptop.c                  |   14 +-
 drivers/platform/x86/sony-laptop.c                 |    2 +-
 drivers/platform/x86/thinkpad_acpi.c               |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                    |   14 +-
 drivers/pnp/resource.c                             |    4 +-
 drivers/power/pda_power.c                          |    7 +-
 drivers/power/power_supply.h                       |    4 +-
 drivers/power/power_supply_core.c                  |    7 +-
 drivers/power/power_supply_sysfs.c                 |    6 +-
 drivers/regulator/max8660.c                        |    6 +-
 drivers/regulator/max8973-regulator.c              |    8 +-
 drivers/regulator/mc13892-regulator.c              |    6 +-
 drivers/rtc/rtc-cmos.c                             |    4 +-
 drivers/rtc/rtc-ds1307.c                           |    2 +-
 drivers/rtc/rtc-m48t59.c                           |    4 +-
 drivers/scsi/bfa/bfa_fcpim.h                       |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                         |    4 +-
 drivers/scsi/hosts.c                               |    4 +-
 drivers/scsi/hpsa.c                                |   30 +-
 drivers/scsi/hpsa.h                                |    2 +-
 drivers/scsi/libfc/fc_exch.c                       |   50 +-
 drivers/scsi/libsas/sas_ata.c                      |    2 +-
 drivers/scsi/lpfc/lpfc.h                           |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                   |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                      |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                      |   16 +-
 drivers/scsi/pmcraid.c                             |   20 +-
 drivers/scsi/pmcraid.h                             |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                    |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                     |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                      |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                     |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                      |    6 +-
 drivers/scsi/scsi.c                                |    2 +-
 drivers/scsi/scsi_lib.c                            |    6 +-
 drivers/scsi/scsi_sysfs.c                          |    2 +-
 drivers/scsi/scsi_tgt_lib.c                        |    2 +-
 drivers/scsi/scsi_transport_fc.c                   |    8 +-
 drivers/scsi/scsi_transport_iscsi.c                |    6 +-
 drivers/scsi/scsi_transport_srp.c                  |    6 +-
 drivers/scsi/sd.c                                  |    2 +-
 drivers/scsi/sg.c                                  |    2 +-
 drivers/spi/spi.c                                  |    2 +-
 drivers/staging/media/solo6x10/solo6x10-core.c     |    2 +-
 drivers/staging/octeon/ethernet-rx.c               |   12 +-
 drivers/staging/octeon/ethernet.c                  |    8 +-
 drivers/staging/rtl8712/rtl871x_io.h               |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c                 |    2 +-
 drivers/staging/usbip/vhci.h                       |    2 +-
 drivers/staging/usbip/vhci_hcd.c                   |    6 +-
 drivers/staging/usbip/vhci_rx.c                    |    2 +-
 drivers/staging/vt6655/hostap.c                    |    7 +-
 drivers/staging/vt6656/hostap.c                    |    7 +-
 drivers/staging/zcache/tmem.c                      |    4 +-
 drivers/staging/zcache/tmem.h                      |    2 +
 drivers/target/target_core_device.c                |    2 +-
 drivers/target/target_core_transport.c             |    2 +-
 drivers/tty/cyclades.c                             |    6 +-
 drivers/tty/hvc/hvc_console.c                      |   14 +-
 drivers/tty/hvc/hvcs.c                             |   21 +-
 drivers/tty/ipwireless/tty.c                       |   27 +-
 drivers/tty/moxa.c                                 |    2 +-
 drivers/tty/n_gsm.c                                |    4 +-
 drivers/tty/n_tty.c                                |    3 +-
 drivers/tty/pty.c                                  |    4 +-
 drivers/tty/rocket.c                               |    6 +-
 drivers/tty/serial/kgdboc.c                        |   32 +-
 drivers/tty/serial/samsung.c                       |    9 +-
 drivers/tty/serial/serial_core.c                   |    8 +-
 drivers/tty/synclink.c                             |   34 +-
 drivers/tty/synclink_gt.c                          |   28 +-
 drivers/tty/synclinkmp.c                           |   34 +-
 drivers/tty/tty_io.c                               |    2 +-
 drivers/tty/tty_ldisc.c                            |   10 +-
 drivers/tty/tty_port.c                             |   22 +-
 drivers/uio/uio.c                                  |   21 +-
 drivers/usb/atm/cxacru.c                           |    2 +-
 drivers/usb/atm/usbatm.c                           |   24 +-
 drivers/usb/core/devices.c                         |    6 +-
 drivers/usb/core/hcd.c                             |    4 +-
 drivers/usb/core/message.c                         |    2 +-
 drivers/usb/core/sysfs.c                           |    2 +-
 drivers/usb/core/usb.c                             |    2 +-
 drivers/usb/early/ehci-dbgp.c                      |   16 +-
 drivers/usb/gadget/u_serial.c                      |   22 +-
 drivers/usb/serial/console.c                       |    6 +-
 drivers/usb/storage/usb.h                          |    2 +-
 drivers/usb/wusbcore/wa-hc.h                       |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                     |    2 +-
 drivers/vhost/vringh.c                             |    2 +-
 drivers/video/aty/aty128fb.c                       |    2 +-
 drivers/video/aty/atyfb_base.c                     |    8 +-
 drivers/video/aty/mach64_cursor.c                  |    5 +-
 drivers/video/backlight/kb3886_bl.c                |    2 +-
 drivers/video/fb_defio.c                           |    6 +-
 drivers/video/fbcmap.c                             |    3 +-
 drivers/video/fbmem.c                              |    6 +-
 drivers/video/i810/i810_accel.c                    |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c            |   16 +-
 drivers/video/nvidia/nvidia.c                      |   27 +-
 drivers/video/output.c                             |    2 +-
 drivers/video/s1d13xxxfb.c                         |    6 +-
 drivers/video/smscufx.c                            |    4 +-
 drivers/video/udlfb.c                              |   36 +-
 drivers/video/uvesafb.c                            |   53 +-
 drivers/video/vesafb.c                             |   58 +-
 drivers/video/via/via_clock.h                      |    2 +-
 fs/9p/vfs_addr.c                                   |    2 +-
 fs/9p/vfs_inode.c                                  |    2 +-
 fs/Kconfig.binfmt                                  |    2 +-
 fs/aio.c                                           |   12 +-
 fs/autofs4/waitq.c                                 |    2 +-
 fs/befs/endian.h                                   |    4 +-
 fs/befs/linuxvfs.c                                 |    2 +-
 fs/binfmt_aout.c                                   |   23 +-
 fs/binfmt_elf.c                                    |  607 ++-
 fs/binfmt_flat.c                                   |    6 +
 fs/bio.c                                           |    6 +-
 fs/block_dev.c                                     |    2 +-
 fs/btrfs/ctree.c                                   |    9 +-
 fs/btrfs/super.c                                   |    2 +-
 fs/cachefiles/bind.c                               |    6 +-
 fs/cachefiles/daemon.c                             |    8 +-
 fs/cachefiles/internal.h                           |   12 +-
 fs/cachefiles/namei.c                              |    2 +-
 fs/cachefiles/proc.c                               |   12 +-
 fs/cachefiles/rdwr.c                               |    2 +-
 fs/ceph/dir.c                                      |    2 +-
 fs/cifs/cifs_debug.c                               |   12 +-
 fs/cifs/cifsfs.c                                   |    8 +-
 fs/cifs/cifsglob.h                                 |   54 +-
 fs/cifs/link.c                                     |    2 +-
 fs/cifs/misc.c                                     |    4 +-
 fs/cifs/smb1ops.c                                  |   80 +-
 fs/cifs/smb2ops.c                                  |   84 +-
 fs/cifs/smb2pdu.c                                  |    3 +-
 fs/coda/cache.c                                    |   10 +-
 fs/compat.c                                        |    6 +-
 fs/compat_binfmt_elf.c                             |    2 +
 fs/compat_ioctl.c                                  |   12 +-
 fs/configfs/dir.c                                  |   10 +-
 fs/coredump.c                                      |   24 +-
 fs/dcache.c                                        |    2 +-
 fs/ecryptfs/inode.c                                |    4 +-
 fs/ecryptfs/miscdev.c                              |    2 +-
 fs/exec.c                                          |  362 ++-
 fs/ext4/ext4.h                                     |   20 +-
 fs/ext4/mballoc.c                                  |   44 +-
 fs/ext4/mmp.c                                      |    2 +-
 fs/ext4/super.c                                    |    4 +-
 fs/fhandle.c                                       |    3 +-
 fs/fs_struct.c                                     |    8 +-
 fs/fscache/cookie.c                                |   36 +-
 fs/fscache/internal.h                              |  196 +-
 fs/fscache/object.c                                |   28 +-
 fs/fscache/operation.c                             |   30 +-
 fs/fscache/page.c                                  |  110 +-
 fs/fscache/stats.c                                 |  344 +-
 fs/fuse/cuse.c                                     |   10 +-
 fs/fuse/dev.c                                      |    4 +-
 fs/fuse/dir.c                                      |    2 +-
 fs/gfs2/inode.c                                    |    2 +-
 fs/hugetlbfs/inode.c                               |   13 +-
 fs/inode.c                                         |    4 +-
 fs/jffs2/erase.c                                   |    3 +-
 fs/jffs2/wbuf.c                                    |    3 +-
 fs/jfs/super.c                                     |    2 +-
 fs/libfs.c                                         |   10 +-
 fs/lockd/clntproc.c                                |    4 +-
 fs/lockd/svc.c                                     |    2 +-
 fs/locks.c                                         |    8 +-
 fs/namei.c                                         |   15 +-
 fs/namespace.c                                     |   10 +-
 fs/nfs/callback.c                                  |    4 +-
 fs/nfs/callback_xdr.c                              |    2 +-
 fs/nfs/inode.c                                     |    6 +-
 fs/nfs/nfs4state.c                                 |    2 +-
 fs/nfsd/nfs4proc.c                                 |    2 +-
 fs/nfsd/nfs4xdr.c                                  |    6 +-
 fs/nfsd/nfscache.c                                 |    9 +-
 fs/nfsd/vfs.c                                      |    6 +-
 fs/nls/nls_base.c                                  |   18 +-
 fs/nls/nls_euc-jp.c                                |    6 +-
 fs/nls/nls_koi8-ru.c                               |    6 +-
 fs/notify/fanotify/fanotify_user.c                 |    4 +-
 fs/notify/notification.c                           |    4 +-
 fs/ntfs/dir.c                                      |    2 +-
 fs/ntfs/file.c                                     |    4 +-
 fs/ocfs2/localalloc.c                              |    2 +-
 fs/ocfs2/ocfs2.h                                   |   10 +-
 fs/ocfs2/suballoc.c                                |   12 +-
 fs/ocfs2/super.c                                   |   20 +-
 fs/pipe.c                                          |   61 +-
 fs/proc/array.c                                    |   20 +
 fs/proc/base.c                                     |    4 +-
 fs/proc/kcore.c                                    |   32 +-
 fs/proc/meminfo.c                                  |    2 +-
 fs/proc/nommu.c                                    |    2 +-
 fs/proc/proc_sysctl.c                              |   18 +-
 fs/proc/self.c                                     |    2 +-
 fs/proc/task_mmu.c                                 |   39 +-
 fs/proc/task_nommu.c                               |    4 +-
 fs/proc/vmcore.c                                   |   12 +-
 fs/qnx6/qnx6.h                                     |    4 +-
 fs/quota/netlink.c                                 |    4 +-
 fs/read_write.c                                    |    2 +-
 fs/readdir.c                                       |    2 +-
 fs/reiserfs/do_balan.c                             |    2 +-
 fs/reiserfs/procfs.c                               |    2 +-
 fs/reiserfs/reiserfs.h                             |    4 +-
 fs/seq_file.c                                      |    2 +-
 fs/splice.c                                        |   40 +-
 fs/sysfs/bin.c                                     |    6 +-
 fs/sysfs/dir.c                                     |    2 +-
 fs/sysfs/file.c                                    |   10 +-
 fs/sysfs/symlink.c                                 |    2 +-
 fs/sysv/sysv.h                                     |    2 +-
 fs/ubifs/io.c                                      |    2 +-
 fs/udf/misc.c                                      |    2 +-
 fs/ufs/swab.h                                      |    4 +-
 fs/xattr.c                                         |   21 +
 fs/xattr_acl.c                                     |    4 +-
 fs/xfs/xfs_bmap.c                                  |    2 +-
 fs/xfs/xfs_dir2_sf.c                               |   10 +-
 fs/xfs/xfs_ioctl.c                                 |    2 +-
 fs/xfs/xfs_iops.c                                  |    2 +-
 include/asm-generic/4level-fixup.h                 |    2 +
 include/asm-generic/atomic-long.h                  |  210 +
 include/asm-generic/atomic.h                       |    2 +-
 include/asm-generic/atomic64.h                     |   12 +
 include/asm-generic/cache.h                        |    4 +-
 include/asm-generic/emergency-restart.h            |    2 +-
 include/asm-generic/kmap_types.h                   |    4 +-
 include/asm-generic/local.h                        |   13 +
 include/asm-generic/pgtable-nopmd.h                |   18 +-
 include/asm-generic/pgtable-nopud.h                |   15 +-
 include/asm-generic/pgtable.h                      |    8 +
 include/asm-generic/vmlinux.lds.h                  |   10 +-
 include/crypto/algapi.h                            |    2 +-
 include/drm/drmP.h                                 |   17 +-
 include/drm/drm_crtc_helper.h                      |    2 +-
 include/drm/ttm/ttm_memory.h                       |    2 +-
 include/keys/asymmetric-subtype.h                  |    2 +-
 include/linux/atmdev.h                             |    4 +-
 include/linux/binfmts.h                            |    3 +-
 include/linux/blkdev.h                             |    2 +-
 include/linux/blktrace_api.h                       |    2 +-
 include/linux/cache.h                              |    4 +
 include/linux/cdrom.h                              |    1 -
 include/linux/cleancache.h                         |    2 +-
 include/linux/clk-provider.h                       |    1 +
 include/linux/compat.h                             |    4 +-
 include/linux/compiler-gcc4.h                      |   20 +
 include/linux/compiler.h                           |   65 +-
 include/linux/completion.h                         |    6 +-
 include/linux/configfs.h                           |    2 +-
 include/linux/cpu.h                                |    2 +-
 include/linux/cpufreq.h                            |    3 +-
 include/linux/cpuidle.h                            |    5 +-
 include/linux/cpumask.h                            |   12 +-
 include/linux/crypto.h                             |    6 +-
 include/linux/ctype.h                              |    2 +-
 include/linux/decompress/mm.h                      |    2 +-
 include/linux/devfreq.h                            |    2 +-
 include/linux/device.h                             |    7 +-
 include/linux/dma-mapping.h                        |    2 +-
 include/linux/dmaengine.h                          |    4 +-
 include/linux/efi.h                                |    1 +
 include/linux/elf.h                                |    2 +
 include/linux/err.h                                |    4 +-
 include/linux/extcon.h                             |    2 +-
 include/linux/fb.h                                 |    2 +-
 include/linux/filter.h                             |    4 +
 include/linux/frontswap.h                          |    2 +-
 include/linux/fs.h                                 |    3 +-
 include/linux/fs_struct.h                          |    2 +-
 include/linux/fscache-cache.h                      |    4 +-
 include/linux/fscache.h                            |    2 +-
 include/linux/fsnotify.h                           |    2 +-
 include/linux/genhd.h                              |    2 +-
 include/linux/genl_magic_func.h                    |    2 +-
 include/linux/gfp.h                                |   12 +-
 include/linux/highmem.h                            |   12 +
 include/linux/hwmon-sysfs.h                        |    5 +-
 include/linux/i2c.h                                |    1 +
 include/linux/i2o.h                                |    2 +-
 include/linux/if_pppox.h                           |    2 +-
 include/linux/init.h                               |   33 +-
 include/linux/init_task.h                          |    7 +
 include/linux/interrupt.h                          |    8 +-
 include/linux/iommu.h                              |    2 +-
 include/linux/ioport.h                             |    2 +-
 include/linux/irq.h                                |    3 +-
 include/linux/irqchip/arm-gic.h                    |    4 +-
 include/linux/key-type.h                           |    2 +-
 include/linux/kgdb.h                               |    6 +-
 include/linux/kobject.h                            |    3 +-
 include/linux/kobject_ns.h                         |    2 +-
 include/linux/kref.h                               |    2 +-
 include/linux/kvm_host.h                           |    4 +-
 include/linux/libata.h                             |    2 +-
 include/linux/list.h                               |   15 +
 include/linux/math64.h                             |    6 +-
 include/linux/mm.h                                 |  116 +-
 include/linux/mm_types.h                           |   20 +
 include/linux/mmiotrace.h                          |    4 +-
 include/linux/mmzone.h                             |    2 +-
 include/linux/mod_devicetable.h                    |    6 +-
 include/linux/module.h                             |   60 +-
 include/linux/moduleloader.h                       |   16 +
 include/linux/moduleparam.h                        |    4 +-
 include/linux/namei.h                              |    6 +-
 include/linux/net.h                                |    2 +-
 include/linux/netdevice.h                          |    3 +-
 include/linux/netfilter.h                          |    2 +-
 include/linux/netfilter/ipset/ip_set.h             |    2 +-
 include/linux/netfilter/nfnetlink.h                |    2 +-
 include/linux/nls.h                                |    2 +-
 include/linux/notifier.h                           |    3 +-
 include/linux/oprofile.h                           |    4 +-
 include/linux/pci_hotplug.h                        |    3 +-
 include/linux/perf_event.h                         |   12 +-
 include/linux/pipe_fs_i.h                          |    8 +-
 include/linux/platform_data/usb-ehci-s5p.h         |    2 +-
 include/linux/platform_data/usb-ohci-exynos.h      |    2 +-
 include/linux/pm_domain.h                          |    2 +-
 include/linux/pm_runtime.h                         |    2 +-
 include/linux/pnp.h                                |    2 +-
 include/linux/poison.h                             |    4 +-
 include/linux/power/smartreflex.h                  |    2 +-
 include/linux/ppp-comp.h                           |    2 +-
 include/linux/proc_ns.h                            |    2 +-
 include/linux/random.h                             |    5 +
 include/linux/rculist.h                            |   16 +
 include/linux/reboot.h                             |   14 +-
 include/linux/regset.h                             |    3 +-
 include/linux/relay.h                              |    2 +-
 include/linux/rio.h                                |    2 +-
 include/linux/rmap.h                               |    4 +-
 include/linux/sched.h                              |   65 +-
 include/linux/sched/sysctl.h                       |    1 +
 include/linux/seq_file.h                           |    1 +
 include/linux/skbuff.h                             |   12 +-
 include/linux/slab.h                               |   42 +-
 include/linux/slab_def.h                           |   28 +-
 include/linux/slob_def.h                           |    4 +-
 include/linux/slub_def.h                           |    8 +-
 include/linux/sock_diag.h                          |    2 +-
 include/linux/sonet.h                              |    2 +-
 include/linux/sunrpc/addr.h                        |    8 +-
 include/linux/sunrpc/clnt.h                        |    2 +-
 include/linux/sunrpc/svc.h                         |    2 +-
 include/linux/sunrpc/svc_rdma.h                    |   18 +-
 include/linux/sunrpc/svcauth.h                     |    2 +-
 include/linux/swiotlb.h                            |    3 +-
 include/linux/syscalls.h                           |   10 +-
 include/linux/syscore_ops.h                        |    2 +-
 include/linux/sysctl.h                             |    6 +-
 include/linux/sysfs.h                              |   10 +-
 include/linux/sysrq.h                              |    3 +-
 include/linux/thread_info.h                        |    7 +
 include/linux/tty.h                                |    4 +-
 include/linux/tty_driver.h                         |    2 +-
 include/linux/tty_ldisc.h                          |    2 +-
 include/linux/types.h                              |   16 +
 include/linux/uaccess.h                            |    6 +-
 include/linux/unaligned/access_ok.h                |   24 +-
 include/linux/usb.h                                |    4 +-
 include/linux/usb/renesas_usbhs.h                  |    2 +-
 include/linux/vermagic.h                           |   21 +-
 include/linux/vmalloc.h                            |   11 +-
 include/linux/vmstat.h                             |   20 +-
 include/linux/xattr.h                              |    5 +-
 include/linux/zlib.h                               |    3 +-
 include/media/v4l2-dev.h                           |    2 +-
 include/net/9p/transport.h                         |    2 +-
 include/net/bluetooth/l2cap.h                      |    2 +-
 include/net/caif/cfctrl.h                          |    6 +-
 include/net/flow.h                                 |    2 +-
 include/net/genetlink.h                            |    2 +-
 include/net/gro_cells.h                            |    2 +-
 include/net/inet_connection_sock.h                 |    2 +-
 include/net/inetpeer.h                             |    8 +-
 include/net/ip.h                                   |    2 +-
 include/net/ip_fib.h                               |    2 +-
 include/net/ip_vs.h                                |    8 +-
 include/net/irda/ircomm_tty.h                      |    1 +
 include/net/iucv/af_iucv.h                         |    2 +-
 include/net/llc_c_ac.h                             |    2 +-
 include/net/llc_c_ev.h                             |    4 +-
 include/net/llc_c_st.h                             |    2 +-
 include/net/llc_s_ac.h                             |    2 +-
 include/net/llc_s_st.h                             |    2 +-
 include/net/mac80211.h                             |    2 +-
 include/net/neighbour.h                            |    2 +-
 include/net/net_namespace.h                        |   12 +-
 include/net/netdma.h                               |    2 +-
 include/net/netlink.h                              |    2 +-
 include/net/netns/conntrack.h                      |    6 +-
 include/net/netns/ipv4.h                           |    2 +-
 include/net/netns/ipv6.h                           |    2 +-
 include/net/protocol.h                             |    4 +-
 include/net/rtnetlink.h                            |    2 +-
 include/net/sctp/sctp.h                            |    6 +-
 include/net/sctp/sm.h                              |    4 +-
 include/net/sctp/structs.h                         |    2 +-
 include/net/sock.h                                 |    6 +-
 include/net/tcp.h                                  |    8 +-
 include/net/xfrm.h                                 |    8 +-
 include/rdma/iw_cm.h                               |    2 +-
 include/scsi/libfc.h                               |    3 +-
 include/scsi/scsi_device.h                         |    6 +-
 include/scsi/scsi_transport_fc.h                   |    3 +-
 include/sound/compress_driver.h                    |    2 +-
 include/sound/soc.h                                |    4 +-
 include/target/target_core_base.h                  |    2 +-
 include/trace/events/irq.h                         |    4 +-
 include/uapi/linux/a.out.h                         |    8 +
 include/uapi/linux/byteorder/little_endian.h       |   28 +-
 include/uapi/linux/elf.h                           |   28 +
 include/uapi/linux/screen_info.h                   |    3 +-
 include/uapi/linux/swab.h                          |    6 +-
 include/uapi/linux/sysctl.h                        |    6 +-
 include/uapi/linux/xattr.h                         |    4 +
 include/video/udlfb.h                              |    8 +-
 include/video/uvesafb.h                            |    1 +
 init/Kconfig                                       |    2 +-
 init/Makefile                                      |    3 +
 init/do_mounts.c                                   |   14 +-
 init/do_mounts.h                                   |    8 +-
 init/do_mounts_initrd.c                            |   30 +-
 init/do_mounts_md.c                                |    6 +-
 init/init_task.c                                   |    4 +
 init/initramfs.c                                   |   42 +-
 init/main.c                                        |   83 +-
 ipc/ipc_sysctl.c                                   |   10 +-
 ipc/mq_sysctl.c                                    |    2 +-
 ipc/msg.c                                          |   11 +-
 ipc/sem.c                                          |   11 +-
 ipc/shm.c                                          |   17 +-
 kernel/acct.c                                      |    2 +-
 kernel/audit.c                                     |    8 +-
 kernel/auditfilter.c                               |    2 +-
 kernel/auditsc.c                                   |    4 +-
 kernel/capability.c                                |    3 +
 kernel/compat.c                                    |   38 +-
 kernel/debug/debug_core.c                          |   16 +-
 kernel/debug/kdb/kdb_main.c                        |    4 +-
 kernel/events/core.c                               |   30 +-
 kernel/events/internal.h                           |   10 +-
 kernel/exit.c                                      |    4 +-
 kernel/fork.c                                      |  167 +-
 kernel/futex.c                                     |    9 +
 kernel/futex_compat.c                              |    2 +-
 kernel/gcov/base.c                                 |    7 +-
 kernel/hrtimer.c                                   |    4 +-
 kernel/irq_work.c                                  |    7 +-
 kernel/jump_label.c                                |    5 +
 kernel/kallsyms.c                                  |   39 +-
 kernel/kexec.c                                     |    3 +-
 kernel/kmod.c                                      |    4 +-
 kernel/kprobes.c                                   |    8 +-
 kernel/ksysfs.c                                    |    2 +-
 kernel/lockdep.c                                   |    7 +-
 kernel/module.c                                    |  337 +-
 kernel/mutex-debug.c                               |   12 +-
 kernel/mutex-debug.h                               |    4 +-
 kernel/mutex.c                                     |   11 +-
 kernel/notifier.c                                  |   17 +-
 kernel/panic.c                                     |    3 +-
 kernel/pid.c                                       |    2 +-
 kernel/pid_namespace.c                             |    2 +-
 kernel/posix-cpu-timers.c                          |    4 +-
 kernel/posix-timers.c                              |   22 +-
 kernel/power/process.c                             |   12 +-
 kernel/profile.c                                   |   14 +-
 kernel/ptrace.c                                    |    8 +-
 kernel/rcupdate.c                                  |    4 +-
 kernel/rcutiny.c                                   |    4 +-
 kernel/rcutiny_plugin.h                            |    2 +-
 kernel/rcutorture.c                                |   56 +-
 kernel/rcutree.c                                   |   76 +-
 kernel/rcutree.h                                   |   24 +-
 kernel/rcutree_plugin.h                            |   20 +-
 kernel/rcutree_trace.c                             |   22 +-
 kernel/rtmutex-tester.c                            |   24 +-
 kernel/sched/auto_group.c                          |    4 +-
 kernel/sched/core.c                                |   51 +-
 kernel/sched/fair.c                                |    4 +-
 kernel/sched/sched.h                               |    2 +-
 kernel/signal.c                                    |   12 +-
 kernel/smp.c                                       |    2 +-
 kernel/smpboot.c                                   |    4 +-
 kernel/softirq.c                                   |   18 +-
 kernel/srcu.c                                      |    4 +-
 kernel/sys.c                                       |   10 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/time.c                                      |    2 +-
 kernel/time/alarmtimer.c                           |    2 +-
 kernel/time/tick-broadcast.c                       |    2 +-
 kernel/time/timer_stats.c                          |   10 +-
 kernel/timer.c                                     |    6 +-
 kernel/trace/blktrace.c                            |    6 +-
 kernel/trace/ftrace.c                              |   18 +-
 kernel/trace/ring_buffer.c                         |   76 +-
 kernel/trace/trace.c                               |    2 +-
 kernel/trace/trace.h                               |    2 +-
 kernel/trace/trace_events.c                        |   25 +-
 kernel/trace/trace_mmiotrace.c                     |    8 +-
 kernel/trace/trace_output.c                        |   12 +-
 kernel/trace/trace_stack.c                         |    2 +-
 kernel/user_namespace.c                            |    2 +-
 kernel/utsname_sysctl.c                            |    2 +-
 kernel/watchdog.c                                  |    2 +-
 kernel/workqueue.c                                 |    2 +-
 lib/Kconfig.debug                                  |    8 +-
 lib/Makefile                                       |    2 +-
 lib/bitmap.c                                       |    8 +-
 lib/bug.c                                          |    2 +
 lib/debugobjects.c                                 |    2 +-
 lib/devres.c                                       |    4 +-
 lib/div64.c                                        |    4 +-
 lib/dma-debug.c                                    |    4 +-
 lib/inflate.c                                      |    2 +-
 lib/ioremap.c                                      |    4 +-
 lib/kobject.c                                      |    6 +-
 lib/list_debug.c                                   |  126 +-
 lib/radix-tree.c                                   |    2 +-
 lib/strncpy_from_user.c                            |    2 +-
 lib/strnlen_user.c                                 |    2 +-
 lib/swiotlb.c                                      |    2 +-
 lib/usercopy.c                                     |    6 +
 lib/vsprintf.c                                     |   12 +-
 mm/Kconfig                                         |    6 +-
 mm/backing-dev.c                                   |    4 +-
 mm/filemap.c                                       |    2 +-
 mm/fremap.c                                        |    5 +
 mm/highmem.c                                       |    7 +-
 mm/hugetlb.c                                       |   70 +-
 mm/internal.h                                      |    1 +
 mm/maccess.c                                       |    4 +-
 mm/madvise.c                                       |   41 +
 mm/memory-failure.c                                |   26 +-
 mm/memory.c                                        |  424 ++-
 mm/mempolicy.c                                     |   26 +
 mm/mlock.c                                         |   15 +-
 mm/mmap.c                                          |  606 ++-
 mm/mprotect.c                                      |  139 +-
 mm/mremap.c                                        |   44 +-
 mm/nommu.c                                         |   21 +-
 mm/page-writeback.c                                |    4 +-
 mm/page_alloc.c                                    |   41 +-
 mm/page_io.c                                       |    2 +-
 mm/percpu.c                                        |    2 +-
 mm/process_vm_access.c                             |   14 +-
 mm/rmap.c                                          |   38 +-
 mm/shmem.c                                         |   19 +-
 mm/slab.c                                          |   79 +-
 mm/slab.h                                          |    5 +-
 mm/slab_common.c                                   |   46 +-
 mm/slob.c                                          |  201 +-
 mm/slub.c                                          |   79 +-
 mm/sparse-vmemmap.c                                |    4 +-
 mm/sparse.c                                        |    2 +-
 mm/swap.c                                          |    3 +
 mm/swapfile.c                                      |   12 +-
 mm/util.c                                          |    6 +
 mm/vmalloc.c                                       |   77 +-
 mm/vmstat.c                                        |   12 +-
 net/8021q/vlan.c                                   |    5 +-
 net/9p/mod.c                                       |    4 +-
 net/9p/trans_fd.c                                  |    2 +-
 net/atm/atm_misc.c                                 |    8 +-
 net/atm/lec.h                                      |    2 +-
 net/atm/proc.c                                     |    6 +-
 net/atm/resources.c                                |    4 +-
 net/ax25/sysctl_net_ax25.c                         |    2 +-
 net/batman-adv/bat_iv_ogm.c                        |    8 +-
 net/batman-adv/hard-interface.c                    |    4 +-
 net/batman-adv/soft-interface.c                    |    4 +-
 net/batman-adv/types.h                             |    6 +-
 net/batman-adv/unicast.c                           |    2 +-
 net/bluetooth/hci_core.c                           |    8 +-
 net/bluetooth/hci_sock.c                           |    2 +-
 net/bluetooth/l2cap_core.c                         |    6 +-
 net/bluetooth/l2cap_sock.c                         |   12 +-
 net/bluetooth/rfcomm/sock.c                        |    4 +-
 net/bluetooth/rfcomm/tty.c                         |   10 +-
 net/bridge/netfilter/ebtables.c                    |    6 +-
 net/caif/cfctrl.c                                  |   11 +-
 net/can/af_can.c                                   |    2 +-
 net/can/gw.c                                       |    6 +-
 net/compat.c                                       |   34 +-
 net/core/datagram.c                                |    2 +-
 net/core/dev.c                                     |   16 +-
 net/core/flow.c                                    |    8 +-
 net/core/iovec.c                                   |    4 +-
 net/core/neighbour.c                               |    2 +-
 net/core/net-sysfs.c                               |    2 +-
 net/core/net_namespace.c                           |    8 +-
 net/core/rtnetlink.c                               |   13 +-
 net/core/scm.c                                     |    8 +-
 net/core/sock.c                                    |   24 +-
 net/core/sock_diag.c                               |    9 +-
 net/core/sysctl_net_core.c                         |   18 +-
 net/decnet/af_decnet.c                             |    1 +
 net/decnet/sysctl_net_decnet.c                     |    4 +-
 net/ipv4/af_inet.c                                 |    8 +-
 net/ipv4/ah4.c                                     |    2 +-
 net/ipv4/devinet.c                                 |   18 +-
 net/ipv4/esp4.c                                    |    2 +-
 net/ipv4/fib_frontend.c                            |    6 +-
 net/ipv4/fib_semantics.c                           |    2 +-
 net/ipv4/inet_connection_sock.c                    |    2 +-
 net/ipv4/inetpeer.c                                |    4 +-
 net/ipv4/ip_fragment.c                             |   15 +-
 net/ipv4/ip_gre.c                                  |    6 +-
 net/ipv4/ip_sockglue.c                             |    2 +-
 net/ipv4/ip_vti.c                                  |    4 +-
 net/ipv4/ipcomp.c                                  |    2 +-
 net/ipv4/ipconfig.c                                |    6 +-
 net/ipv4/ipip.c                                    |    4 +-
 net/ipv4/netfilter/arp_tables.c                    |   12 +-
 net/ipv4/netfilter/ip_tables.c                     |   12 +-
 net/ipv4/ping.c                                    |    2 +-
 net/ipv4/raw.c                                     |   14 +-
 net/ipv4/route.c                                   |   18 +-
 net/ipv4/sysctl_net_ipv4.c                         |   45 +-
 net/ipv4/tcp_input.c                               |    2 +-
 net/ipv4/tcp_probe.c                               |    2 +-
 net/ipv4/udp.c                                     |   10 +-
 net/ipv4/xfrm4_policy.c                            |   14 +-
 net/ipv6/addrconf.c                                |   12 +-
 net/ipv6/icmp.c                                    |    2 +-
 net/ipv6/ip6_gre.c                                 |    8 +-
 net/ipv6/ip6_tunnel.c                              |    4 +-
 net/ipv6/ipv6_sockglue.c                           |    2 +-
 net/ipv6/netfilter/ip6_tables.c                    |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   14 +-
 net/ipv6/raw.c                                     |   19 +-
 net/ipv6/reassembly.c                              |   13 +-
 net/ipv6/route.c                                   |    2 +-
 net/ipv6/sit.c                                     |    4 +-
 net/ipv6/sysctl_net_ipv6.c                         |    2 +-
 net/ipv6/udp.c                                     |    8 +-
 net/ipv6/xfrm6_policy.c                            |   13 +-
 net/irda/ircomm/ircomm_tty.c                       |   18 +-
 net/iucv/af_iucv.c                                 |    4 +-
 net/iucv/iucv.c                                    |    2 +-
 net/key/af_key.c                                   |    4 +-
 net/mac80211/cfg.c                                 |    8 +-
 net/mac80211/ieee80211_i.h                         |    3 +-
 net/mac80211/iface.c                               |   16 +-
 net/mac80211/main.c                                |    2 +-
 net/mac80211/pm.c                                  |    6 +-
 net/mac80211/rate.c                                |    2 +-
 net/mac80211/rc80211_pid_debugfs.c                 |    2 +-
 net/mac80211/util.c                                |    4 +-
 net/netfilter/ipset/ip_set_core.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                    |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                    |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                   |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                    |    4 +-
 net/netfilter/nf_conntrack_acct.c                  |    2 +-
 net/netfilter/nf_conntrack_ecache.c                |    2 +-
 net/netfilter/nf_conntrack_helper.c                |    2 +-
 net/netfilter/nf_conntrack_proto.c                 |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c            |    4 +-
 net/netfilter/nf_conntrack_standalone.c            |    2 +-
 net/netfilter/nf_conntrack_timestamp.c             |    2 +-
 net/netfilter/nf_log.c                             |   10 +-
 net/netfilter/nf_sockopt.c                         |    4 +-
 net/netfilter/nfnetlink_log.c                      |    4 +-
 net/netfilter/xt_statistic.c                       |    8 +-
 net/netlink/af_netlink.c                           |    4 +-
 net/netlink/genetlink.c                            |   16 +-
 net/packet/af_packet.c                             |   12 +-
 net/phonet/pep.c                                   |    6 +-
 net/phonet/socket.c                                |    2 +-
 net/phonet/sysctl.c                                |    2 +-
 net/rds/cong.c                                     |    6 +-
 net/rds/ib.h                                       |    2 +-
 net/rds/ib_cm.c                                    |    2 +-
 net/rds/ib_recv.c                                  |    4 +-
 net/rds/iw.h                                       |    2 +-
 net/rds/iw_cm.c                                    |    2 +-
 net/rds/iw_recv.c                                  |    4 +-
 net/rds/rds.h                                      |    2 +-
 net/rds/tcp.c                                      |    2 +-
 net/rds/tcp_send.c                                 |    2 +-
 net/rxrpc/af_rxrpc.c                               |    2 +-
 net/rxrpc/ar-ack.c                                 |   14 +-
 net/rxrpc/ar-call.c                                |    2 +-
 net/rxrpc/ar-connection.c                          |    2 +-
 net/rxrpc/ar-connevent.c                           |    2 +-
 net/rxrpc/ar-input.c                               |    4 +-
 net/rxrpc/ar-internal.h                            |    8 +-
 net/rxrpc/ar-local.c                               |    2 +-
 net/rxrpc/ar-output.c                              |    4 +-
 net/rxrpc/ar-peer.c                                |    2 +-
 net/rxrpc/ar-proc.c                                |    4 +-
 net/rxrpc/ar-transport.c                           |    2 +-
 net/rxrpc/rxkad.c                                  |    4 +-
 net/sctp/ipv6.c                                    |    6 +-
 net/sctp/protocol.c                                |   10 +-
 net/sctp/sm_sideeffect.c                           |    2 +-
 net/sctp/socket.c                                  |   21 +-
 net/sctp/sysctl.c                                  |    4 +-
 net/socket.c                                       |   18 +-
 net/sunrpc/clnt.c                                  |    4 +-
 net/sunrpc/sched.c                                 |    4 +-
 net/sunrpc/svc.c                                   |    6 +-
 net/sunrpc/xprtrdma/svc_rdma.c                     |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c            |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c              |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c           |   10 +-
 net/tipc/link.c                                    |    6 +-
 net/tipc/msg.c                                     |    2 +-
 net/tipc/subscr.c                                  |    2 +-
 net/unix/sysctl_net_unix.c                         |    2 +-
 net/wireless/wext-core.c                           |   19 +-
 net/xfrm/xfrm_policy.c                             |   27 +-
 net/xfrm/xfrm_state.c                              |   29 +-
 net/xfrm/xfrm_sysctl.c                             |    2 +-
 scripts/Makefile.build                             |    2 +-
 scripts/Makefile.clean                             |    3 +-
 scripts/Makefile.host                              |   28 +-
 scripts/basic/fixdep.c                             |   12 +-
 scripts/gcc-plugin.sh                              |   17 +
 scripts/headers_install.sh                         |    1 +
 scripts/link-vmlinux.sh                            |    2 +-
 scripts/mod/file2alias.c                           |   14 +-
 scripts/mod/modpost.c                              |   25 +-
 scripts/mod/modpost.h                              |    6 +-
 scripts/mod/sumversion.c                           |    2 +-
 scripts/package/builddeb                           |    1 +
 scripts/pnmtologo.c                                |    6 +-
 scripts/sortextable.h                              |    6 +-
 security/Kconfig                                   |  676 +++-
 security/apparmor/lsm.c                            |    2 +-
 security/integrity/ima/ima.h                       |    4 +-
 security/integrity/ima/ima_api.c                   |    2 +-
 security/integrity/ima/ima_fs.c                    |    4 +-
 security/integrity/ima/ima_queue.c                 |    2 +-
 security/keys/compat.c                             |    2 +-
 security/keys/internal.h                           |    2 +-
 security/keys/key.c                                |   18 +-
 security/keys/keyctl.c                             |    8 +-
 security/keys/keyring.c                            |    6 +-
 security/security.c                                |    9 +-
 security/selinux/hooks.c                           |    2 +-
 security/selinux/include/xfrm.h                    |    2 +-
 security/smack/smack_lsm.c                         |    2 +-
 security/tomoyo/tomoyo.c                           |    2 +-
 security/yama/yama_lsm.c                           |   22 +-
 sound/aoa/codecs/onyx.c                            |    7 +-
 sound/aoa/codecs/onyx.h                            |    1 +
 sound/core/oss/pcm_oss.c                           |   18 +-
 sound/core/pcm_compat.c                            |    2 +-
 sound/core/pcm_native.c                            |    4 +-
 sound/core/seq/seq_device.c                        |    8 +-
 sound/core/sound.c                                 |    2 +-
 sound/drivers/mts64.c                              |   14 +-
 sound/drivers/opl4/opl4_lib.c                      |    2 +-
 sound/drivers/portman2x4.c                         |    3 +-
 sound/firewire/amdtp.c                             |    4 +-
 sound/firewire/amdtp.h                             |    2 +-
 sound/firewire/isight.c                            |   10 +-
 sound/firewire/scs1x.c                             |    8 +-
 sound/oss/sb_audio.c                               |    2 +-
 sound/oss/swarm_cs4297a.c                          |    6 +-
 sound/pci/ymfpci/ymfpci.h                          |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                     |   12 +-
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 sound/sound_core.c                                 |    2 +-
 tools/gcc/.gitignore                               |    1 +
 tools/gcc/Makefile                                 |   45 +
 tools/gcc/checker_plugin.c                         |  172 +
 tools/gcc/colorize_plugin.c                        |  151 +
 tools/gcc/constify_plugin.c                        |  560 ++
 tools/gcc/generate_size_overflow_hash.sh           |   94 +
 tools/gcc/kallocstat_plugin.c                      |  170 +
 tools/gcc/kernexec_plugin.c                        |  465 ++
 tools/gcc/latent_entropy_plugin.c                  |  327 ++
 tools/gcc/size_overflow_hash.data                  | 5893 ++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                   | 2114 +++++++
 tools/gcc/stackleak_plugin.c                       |  327 ++
 tools/gcc/structleak_plugin.c                      |  277 +
 tools/perf/util/include/asm/alternative-asm.h      |    3 +
 tools/perf/util/include/linux/compiler.h           |    8 +
 virt/kvm/kvm_main.c                                |   32 +-
 1607 files changed, 30734 insertions(+), 7318 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 23:05:14 2013 -0400

    always enforce a non-zero gap for RAND_THREADSTACK

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 16:09:28 2013 -0400

    fix up file comparisons

 grsecurity/gracl_segv.c    |    2 +-
 grsecurity/grsec_sig.c     |    4 ++--
 include/linux/grinternal.h |   12 ++++++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

commit a1fff2c95162314626dd96bec71d951a8c1c4708
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:33:18 2013 -0400

    fix suid binary matching

 grsecurity/grsec_sig.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
Merge: 37b97a9 47beb61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:02:31 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:01:37 2013 -0400

    Update to pax-linux-3.9.9-test13.patch:
    - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
    - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)

 arch/arm/include/asm/uaccess.h |   20 ++++++++++----------
 arch/arm/kernel/armksyms.c     |    2 +-
 arch/arm/kernel/entry-armv.S   |    4 ++--
 arch/arm/mm/Kconfig            |    2 +-
 arch/x86/ia32/ia32entry.S      |    4 ++--
 arch/x86/include/asm/page.h    |    1 +
 arch/x86/kernel/entry_32.S     |    4 ++--
 arch/x86/kernel/entry_64.S     |    8 ++++----
 arch/x86/kernel/head64.c       |   12 ++++++------
 arch/x86/kernel/head_64.S      |   16 ++++++++++++----
 arch/x86/mm/init.c             |    8 ++++++++
 arch/x86/mm/init_32.c          |    6 ------
 arch/x86/mm/init_64.c          |    6 ------
 arch/x86/platform/efi/efi_32.c |    5 +++++
 arch/x86/platform/efi/efi_64.c |   10 ++++++++++
 15 files changed, 64 insertions(+), 44 deletions(-)

commit 89085d2d0643813a62f23d1199a335dc1e129bc0
Merge: 963af7f 0adf2e7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 14:55:44 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:46:02 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:29:51 2013 -0400

    update log arguments

 grsecurity/grsec_sig.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:20:23 2013 -0400

    Update logging of suid exec ban
    
    Conflicts:
    
        grsecurity/grsec_sig.c

 grsecurity/grsec_sig.c |    3 +--
 include/linux/grmsg.h  |    1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

commit ef808866c070aa1901bd2224521baaf5d145a3a7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 12:58:33 2013 -0400

    Additional improvements to the user banning code:
    
    Separate the kernel-bruteforcing case from the suid bruteforcing case
    In the suid bruteforcing case, only kill existing copies of the bruteforced
    binary.  Instead of preventing all future execs by this user, prevent them
    from executing any suid/sgid binaries for the next 15 minutes.
    
    Kernel case is mostly unchanged from before, except the task trying to change
    real uid to the banned user will be terminated instead of failing the setuid
    call.
    
    Configuration help has been updated to reflect the new changes.

 fs/exec.c                  |   13 +++++---
 grsecurity/Kconfig         |    5 ++-
 grsecurity/gracl.c         |    6 ++--
 grsecurity/grsec_sig.c     |   76 ++++++++++++++++++++++++++------------------
 include/linux/grsecurity.h |    1 -
 include/linux/sched.h      |    9 +++--
 6 files changed, 65 insertions(+), 45 deletions(-)

commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 16:14:09 2013 -0400

    fix renamed export of csum_partial_copy_from_user, as reported by fabled
    on the forums

 arch/arm/kernel/armksyms.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 318235973c2a548c3d25562645d6b69f66e85934
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 16:09:16 2013 -0400

    make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
    reported on the forums by fabled

 arch/arm/mm/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 15:53:12 2013 -0400

    Revise the user ban code to kill the process issuing a banned
    set*id instead of returning an error.  For the sake of keeping
    unified user banning between the suid and kernel bruteforce case,
    we will apply this killing to the suid bruteforce case, despite
    a check just at exec time (that already existed) being sufficient.
    
    Returning an error could enable exploitation of the "failure to check
    setuid return value" case which was recently effectively closed
    upstream, albeit in a rare situation with a suitable binary and
    two colluding users.
    
    Many thanks to stealth for reviewing the user ban code.

 grsecurity/gracl.c     |    4 ++--
 grsecurity/grsec_sig.c |   16 +++++++++++++---
 2 files changed, 15 insertions(+), 5 deletions(-)

commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Date:   Fri Jun 28 14:15:15 2013 +0300

    Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
    
    UBIFS: fix a horrid bug
    
    Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
    mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
    in the middle of 'ubifs_readdir()'.
    
    This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
    it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
    but this may corrupt memory and lead to all kinds of problems like crashes an
    security holes.
    
    This patch fixes the problem by using the 'file->f_version' field, which
    '->llseek()' always unconditionally sets to zero. We set it to 1 in
    'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
    seek and it is time to clear the state saved in 'file->private_data'.
    
    I tested this patch by writing a user-space program which runds readdir and
    seek in parallell. I could easily crash the kernel without these patches, but
    could not crash it with these patches.
    
    Cc: stable@vger.kernel.org
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/ubifs/dir.c |   30 +++++++++++++++++++++++++++---
 1 files changed, 27 insertions(+), 3 deletions(-)

commit c22280b85088978bd8b45bd23096879459b48008
Author: Stephane Eranian <eranian@google.com>
Date:   Thu Jun 20 11:36:28 2013 +0200

    Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
    
    perf: Disable monitoring on setuid processes for regular users
    
    There was a a bug in setup_new_exec(), whereby
    the test to disabled perf monitoring was not
    correct because the new credentials for the
    process were not yet committed and therefore
    the get_dumpable() test was never firing.
    
    The patch fixes the problem by moving the
    perf_event test until after the credentials
    are committed.
    
    Signed-off-by: Stephane Eranian <eranian@google.com>
    Tested-by: Jiri Olsa <jolsa@redhat.com>
    Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 fs/exec.c |   16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 29 13:10:02 2013 -0400

    on context switch, make sure we switch DACR when domain support and
    KERNEXEC is disabled but UDEREF is enabled

 arch/arm/kernel/entry-armv.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 08d017fa51370921694ce087b28c96fec92993d4
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jun 23 17:26:58 2013 +0300

    Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
    
    macvtap: fix recovery from gup errors
    
    get user pages might fail partially in macvtap zero copy
    mode. To recover we need to put all pages that we got,
    but code used a wrong index resulting in double-free
    errors.
    
    Reported-by: Brad Hubbard <bhubbard@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jun 23 17:19:03 2013 +0300

    Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
    
    tun: fix recovery from gup errors
    
    get user pages might fail partially in tun zero copy
    mode. To recover we need to put all pages that we got,
    but code used a wrong index resulting in double-free
    errors.
    
    Reported-by: Brad Hubbard <bhubbard@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
Author: Balazs Peter Odor <balazs@obiserver.hu>
Date:   Sat Jun 22 19:24:43 2013 +0200

    Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
    
    netfilter: nf_nat_sip: fix mangling
    
    In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
    there were some missing brackets around the logging information, thus
    always returning drop.
    
    Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
    
    Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_nat_sip.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
Date:   Sun Jun 2 16:30:40 2013 -0400

    Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
    
    Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
    
    If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
    controller, memory corruption happens due to a memcpy() call with
    negative length.
    
    Fix this crash on either incoming or outgoing connections with a MTU
    smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
    
    [   46.885433] BUG: unable to handle kernel paging request at f56ad000
    [   46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
    [   46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
    [   46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
    [   46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
    [   46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
    [   46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [   46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
    [   46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
    [   46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
    [   46.888037] EIP is at memcpy+0x1d/0x40
    [   46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
    [   46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
    [   46.888037]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    [   46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
    [   46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    [   46.888037] DR6: ffff0ff0 DR7: 00000400
    [   46.888037] Stack:
    [   46.888037]  fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
    [   46.888037]  f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
    [   46.888037]  f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
    [   46.888037] Call Trace:
    [   46.888037]  [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
    [   46.888037]  [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
    [   46.888037]  [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
    [   46.888037]  [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064ad20>] ? mutex_lock_nested+0x280/0x360
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<c064ad08>] ? mutex_lock_nested+0x268/0x360
    [   46.888037]  [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
    [   46.888037]  [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
    [   46.888037]  [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
    [   46.888037]  [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
    [   46.888037]  [<c0158979>] process_one_work+0x1a9/0x600
    [   46.888037]  [<c01588fb>] ? process_one_work+0x12b/0x600
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c0159187>] worker_thread+0xf7/0x320
    [   46.888037]  [<c0159090>] ? rescuer_thread+0x290/0x290
    [   46.888037]  [<c01602f8>] kthread+0xa8/0xb0
    [   46.888037]  [<c0656777>] ret_from_kernel_thread+0x1b/0x28
    [   46.888037]  [<c0160250>] ? flush_kthread_worker+0x120/0x120
    [   46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
    [   46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
    [   46.888037] CR2: 00000000f56ad000
    [   46.888037] ---[ end trace 0217c1f4d78714a9 ]---
    
    Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 net/bluetooth/l2cap_core.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b0471b6c1160858fc646d8e94628fd1299f61692
Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
Date:   Fri Jun 21 19:55:11 2013 +0530

    Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
    
    Bluetooth: Fix invalid length check in l2cap_information_rsp()
    
    The length check is invalid since the length varies with type of
    info response.
    
    This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
    
    Because of this, l2cap info rsp is not handled and command reject is sent.
    
    > ACL data: handle 11 flags 0x02 dlen 16
            L2CAP(s): Info rsp: type 2 result 0
              Extended feature mask 0x00b8
                Enhanced Retransmission mode
                Streaming mode
                FCS Option
                Fixed Channels
    < ACL data: handle 11 flags 0x00 dlen 10
            L2CAP(s): Command rej: reason 0
              Command not understood
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
    Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
    Acked-by: Johan Hedberg <johan.hedberg@intel.com>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>

 net/bluetooth/l2cap_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4184af98c360d825e638b268b1a9847232e8d299
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jun 26 04:15:07 2013 -0700

    Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
    
    ipv6: ip6_sk_dst_check() must not assume ipv6 dst
    
    It's possible to use AF_INET6 sockets and to connect to an IPv4
    destination. After this, socket dst cache is a pointer to a rtable,
    not rt6_info.
    
    ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
    various corruptions/crashes can happen.
    
    Dave Jones can reproduce immediate crash with
    trinity -q -l off -n -c sendmsg -c connect
    
    With help from Hannes Frederic Sowa
    
    Reported-by: Dave Jones <davej@redhat.com>
    Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:29:54 2013 +0800

    Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
    
    dlci: acquire rtnl_lock before calling __dev_get_by_name()
    
    Otherwise the net device returned can be freed at anytime.
    
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

commit 1fe6f23c9acd14d832d056909ff326bde418e645
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:31:58 2013 +0800

    Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
    
    dlci: validate the net device in dlci_del()
    
    We triggered an oops while running trinity with 3.4 kernel:
    
    BUG: unable to handle kernel paging request at 0000000100000d07
    IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
    PGD 640c0d067 PUD 0
    Oops: 0000 [#1] PREEMPT SMP
    CPU 3
    ...
    Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285          /BC11BTSA
    RIP: 0010:[<ffffffffa0109738>]  [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
    ...
    Call Trace:
      [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
      [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
      [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
      [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
      [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
    ...
    
    It's because the net device is not a dlci device.
    
    Reported-by: Li Jinyue <lijinyue@huawei.com>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit 4d4464407611527ef6b6b5475cfcab6121b3da66
Merge: 59571a9 963af7f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 27 18:54:52 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 963af7f7f591759b731ce6325ceb583a72fcf423
Merge: c51e25a 55db48a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 27 18:54:42 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 59571a9db7485f530a1e865a13cacc4c991ec41f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:39:08 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: Steffen Klassert <steffen.klassert@secunet.com>,
            "David S. Miller" <davem@davemloft.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
            Herbert Xu <herbert@gondor.apana.org.au>
    Subject: [PATCH] af_key: fix info leaks in notify messages
    
    key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
    the sadb_msg_reserved member of the broadcasted message and thereby
    leak 2 bytes of heap memory to listeners. Fix that.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>

 net/key/af_key.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:33:06 2013 -0400

    update rand_threadstack code to continue the search for a gap if the first
    choice doesn't have enough space, instead of returning ENOMEM

 mm/mmap.c |   17 ++++++++++-------
 1 files changed, 10 insertions(+), 7 deletions(-)

commit 87020d4a4d83038d65ff1fd519938840f6888b9e
Merge: 2682346 c51e25a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:25:32 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c51e25a23f30a1198076bd085f19b2073caf164d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:24:54 2013 -0400

    Update to pax-linux-3.9.7-test12.patch:
    - fixed a regression on PARAVIRT/amd64 kernels
    - simplified the recent vm_unmapped_area_info based change

 arch/x86/kernel/entry_64.S |    8 ++++----
 mm/mmap.c                  |   22 ++++++++++++----------
 2 files changed, 16 insertions(+), 14 deletions(-)

commit 26823469a08e59cb67bea18d448d9e8c65f82e08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 21:26:51 2013 -0400

    re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
    vm_unmapped_area code is complete

 arch/x86/kernel/sys_i386_32.c |    5 +++++
 grsecurity/Kconfig            |    2 +-
 mm/mmap.c                     |   11 ++++++++++-
 3 files changed, 16 insertions(+), 2 deletions(-)

commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
Merge: e58fe8c c4e0704
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:08:52 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kernel/sys_i386_32.c

commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:05:39 2013 -0400

    Update to pax-linux-3.9.7-test11.patch:
    - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
    - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
    - fixed the recent nested nmi related fixes some more
    - fixed a regression in kernel memory initialization on relocatable i386 kernels
    - empty_zero_page can be read-only on amd64 as well

 arch/arm/mm/mmap.c            |    6 --
 arch/x86/kernel/entry_64.S    |    8 +--
 arch/x86/kernel/head_64.S     |    1 -
 arch/x86/kernel/setup.c       |    2 +-
 arch/x86/kernel/sys_i386_32.c |  160 ++++++++++++----------------------------
 drivers/lguest/core.c         |    2 +-
 include/linux/mm.h            |    6 +-
 include/linux/vmalloc.h       |    2 +-
 mm/mmap.c                     |   30 +++++++-
 9 files changed, 83 insertions(+), 134 deletions(-)

commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 23 14:37:14 2013 -0400

    second compile fix, reported by forsaken on forums

 include/linux/vmalloc.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 23 14:36:35 2013 -0400

    compile fix, reported by KDE on forums

 kernel/printk.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit 1fc9a5e2e267205d28302e1e86ca0da434561111
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun Jun 16 21:27:12 2013 +0100

    Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
    
    x86/efi: Fix dummy variable buffer allocation
    
    1. Check for allocation failure
    2. Clear the buffer contents, as they may actually be written to flash
    3. Don't leak the buffer
    
    Compile-tested only.
    
    [ Tested successfully on my buggy ASUS machine - Matt ]
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Matt Fleming <matt.fleming@intel.com>

 arch/x86/platform/efi/efi.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
Author: Dave Kleikamp <dave.kleikamp@oracle.com>
Date:   Tue Jun 18 09:05:36 2013 -0500

    Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
    
    sparc: tsb must be flushed before tlb
    
    This fixes a race where a cpu may re-load a tlb from a stale tsb right
    after it has been flushed by a remote function call.
    
    I still see some instability when stressing the system with parallel
    kernel builds while creating memory pressure by writing to
    /proc/sys/vm/nr_hugepages, but this patch improves the stability
    significantly.
    
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Acked-by: Bob Picco <bob.picco@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/tlb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d93b62f6485db9aadda34322a6867868db07f56f
Merge: 4ef62f5 71d83e9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:52:55 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 71d83e97c936563913bcfb5a25c45b2021a331eb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:48:42 2013 -0400

    Update to pax-linux-3.9.7-test10.patch:
    - fixed a few format string problems uncovered by -Wformat-nonliteral
    - another attempt at fixing the nested nmi/cr0.wp problem
    - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
    - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
    - fixed a locking issue with track_exec_limit reported by spender
    - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)

 Documentation/dontdiff                  |    1 +
 arch/x86/boot/compressed/efi_stub_32.S  |   16 ++-----
 arch/x86/kernel/cpu/mcheck/mce.c        |    2 +-
 arch/x86/kernel/e820.c                  |    4 +-
 arch/x86/kernel/entry_64.S              |   74 ++++++++++++++++++------------
 arch/x86/kernel/vmlinux.lds.S           |    2 +-
 block/genhd.c                           |   11 +++--
 crypto/algapi.c                         |    2 +-
 crypto/pcrypt.c                         |    6 +-
 drivers/base/attribute_container.c      |    2 +-
 drivers/base/power/sysfs.c              |    2 +-
 drivers/block/nbd.c                     |    2 +-
 drivers/cdrom/cdrom.c                   |    2 +-
 drivers/char/hw_random/intel-rng.c      |    2 +-
 drivers/char/mem.c                      |    2 +-
 drivers/devfreq/devfreq.c               |    2 +-
 drivers/gpu/drm/drm_encoder_slave.c     |    6 +--
 drivers/gpu/drm/drm_sysfs.c             |    2 +-
 drivers/gpu/drm/ttm/ttm_memory.c        |    4 +-
 drivers/iommu/irq_remapping.c           |    2 +-
 drivers/video/output.c                  |    2 +-
 fs/ext4/mmp.c                           |    2 +-
 fs/ext4/super.c                         |    2 +-
 fs/lockd/svc.c                          |    2 +-
 fs/nfs/callback.c                       |    4 +-
 fs/nfs/nfs4state.c                      |    2 +-
 fs/nfsd/nfscache.c                      |    3 +-
 init/initramfs.c                        |    2 +-
 kernel/rcutree.c                        |    2 +-
 lib/kobject.c                           |    2 +-
 mm/backing-dev.c                        |    4 +-
 mm/mmap.c                               |    4 +-
 mm/slub.c                               |    2 +-
 mm/vmalloc.c                            |   15 +++----
 net/bluetooth/hci_core.c                |    8 ++--
 net/netfilter/nf_conntrack_proto_dccp.c |    4 +-
 net/sunrpc/svc.c                        |    2 +-
 security/Kconfig                        |   15 +++---
 sound/core/sound.c                      |    2 +-
 sound/sound_core.c                      |    2 +-
 40 files changed, 116 insertions(+), 111 deletions(-)

commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
Merge: 39efd8f 256eff7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:45:15 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        kernel/printk.c

commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
Merge: e6e3059 485f25f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 20 22:14:24 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 18 17:20:18 2013 -0400

    add apparmor compat patch

 security/apparmor/Kconfig      |    9 ++
 security/apparmor/apparmorfs.c |  231 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 240 insertions(+), 0 deletions(-)

commit 49bee3c5341687504669bf62becf4a419a226ba0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 17 18:48:04 2013 -0400

    Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
    
    This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.

 kernel/sys.c |   29 +++--------------------------
 1 files changed, 3 insertions(+), 26 deletions(-)

commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Sun Jun 16 18:06:06 2013 +0100

    Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
    
    lseek(fd, n, SEEK_END) does *not* go to eof - n
    
    When you copy some code, you are supposed to read it.  If nothing else,
    there's a chance to spot and fix an obvious bug instead of sharing it...
    
    X-Song: "I Got It From Agnes", by Tom Lehrer
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    [ Tom Lehrer? You're dating yourself, Al ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/net/ethernet/brocade/bna/bnad_debugfs.c |    2 +-
 drivers/scsi/bfa/bfad_debugfs.c                 |    2 +-
 drivers/scsi/fnic/fnic_debugfs.c                |    2 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                |    2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

commit 5a450f1c46f0c84379518aee878993d3f4a331b6
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Thu Jun 6 11:14:31 2013 -0400

    Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
    
    ext4: verify group number in verify_group_input() before using it
    
    Check the group number for sanity earilier, before calling routines
    such as ext4_bg_has_super() or ext4_group_overhead_blocks().
    
    Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

 fs/ext4/resize.c |   17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Wed Jun 12 14:26:44 2013 -0400

    Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
    
    sctp: fully initialize sctp_outq in sctp_outq_init
    
    In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
    (refactor sctp_outq_teardown to insure proper re-initalization)
    we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
    outq structure.  Steve West recently asked me why I removed the q->error = 0
    initalization from sctp_outq_teardown.  I did so because I was operating under
    the impression that sctp_outq_init would properly initalize that value for us,
    but it doesn't.  sctp_outq_init operates under the assumption that the outq
    struct is all 0's (as it is when called from sctp_association_init), but using
    it in __sctp_outq_teardown violates that assumption. We should do a memset in
    sctp_outq_init to ensure that the entire structure is in a known state there
    instead.
    
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
    CC: Vlad Yasevich <vyasevich@gmail.com>
    CC: netdev@vger.kernel.org
    CC: davem@davemloft.net
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
        net/sctp/outqueue.c

 net/sctp/outqueue.c |    8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit e13515ad7a9c7634599a105b2527752e527a905d
Author: Saurabh Mohan <saurabh@vyatta.com>
Date:   Mon Jun 10 17:45:10 2013 -0700

    Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
    
    net/ipv4: ip_vti clear skb cb before tunneling.
    
    If users apply shaper to vti tunnel then it will cause a kernel crash. The
    problem seems to be due to the vti_tunnel_xmit function not clearing
    skb->opt field before passing the packet to xfrm tunneling code.
    
    Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
    Acked-by: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_vti.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:36 2013 +0200

    Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
    
    l2tp: Fix sendmsg() return value
    
    PPPoL2TP sockets should comply with the standard send*() return values
    (i.e. return number of bytes sent instead of 0 upon success).
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit af361b412e816e894fb42ddff7a0545b7def64c0
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:23 2013 +0200

    Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
    
    l2tp: Fix PPP header erasure and memory leak
    
    Copy user data after PPP framing header. This prevents erasure of the
    added PPP header and avoids leaking two bytes of uninitialised memory
    at the end of skb's data buffer.
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1f43aca088c35dda35abf76e08544e534c71fed4
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed Jun 12 16:02:27 2013 +0200

    Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
    
    packet: packet_getname_spkt: make sure string is always 0-terminated
    
    uaddr->sa_data is exactly of size 14, which is hard-coded here and
    passed as a size argument to strncpy(). A device name can be of size
    IFNAMSIZ (== 16), meaning we might leave the destination string
    unterminated. Thus, use strlcpy() and also sizeof() while we're
    at it. We need to memset the data area beforehand, since strlcpy
    does not padd the remaining buffer with zeroes for user space, so
    that we do not possibly leak anything.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/packet/af_packet.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Jun 5 19:38:26 2013 +0000

    Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
    
    net: Unbreak compat_sys_{send,recv}msg
    
    I broke them in this commit:
    
        commit 1be374a0518a288147c6a7398792583200a67261
        Author: Andy Lutomirski <luto@amacapital.net>
        Date:   Wed May 22 14:07:44 2013 -0700
    
            net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
    MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints.  It
    also reverts some unnecessary checks in sys_socketcall.
    
    Apparently I was suffering from underscore blindness the first time around.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Tested-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/socket.h |    3 ++
 net/compat.c           |   13 +++++++-
 net/socket.c           |   72 ++++++++++++++++++++++--------------------------
 3 files changed, 47 insertions(+), 41 deletions(-)

commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed May 22 14:07:44 2013 -0700

    Upstream commit: 1be374a0518a288147c6a7398792583200a67261
    
    net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    To: linux-kernel@vger.kernel.org
    Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
        Miller" <davem@davemloft.net>
    Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
    
    MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
    it's a hack that steals a bit to indicate to other networking code
    that a compat entry was used.  So don't allow it from a non-compat
    syscall.
    
    This prevents an oops when running this code:
    
    int main()
    {
        int s;
        struct sockaddr_in addr;
        struct msghdr *hdr;
    
        char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
                              PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
        if (highpage == MAP_FAILED)
                err(1, "mmap");
    
        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if (s == -1)
                err(1, "socket");
    
            addr.sin_family = AF_INET;
            addr.sin_port = htons(1);
            addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
                err(1, "connect");
    
        void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
        printf("Evil address is %p\n", evil);
    
        if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
                err(1, "sendmmsg");
    
        return 0;
    }
    
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/socket.c |   33 +++++++++++++++++++++++++++++++--
 1 files changed, 31 insertions(+), 2 deletions(-)

commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
Author: Kees Cook <keescook@chromium.org>
Date:   Fri May 10 14:48:21 2013 -0700

    Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
    
    b43: stop format string leaking into error msgs
    
    The module parameter "fwpostfix" is userspace controllable, unfiltered,
    and is used to define the firmware filename. b43_do_request_fw() populates
    ctx->errors[] on error, containing the firmware filename. b43err()
    parses its arguments as a format string. For systems with b43 hardware,
    this could lead to a uid-0 to ring-0 escalation.
    
    CVE-2013-2852
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/b43/main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dfb67a67049ace7b94ad7e2febfac69816d50d85
Author: Mark A. Greer <mgreer@animalcreek.com>
Date:   Wed May 29 12:25:34 2013 -0700

    Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
    
    mwifiex: debugfs: Fix out of bounds array access
    
    When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
    the following panic occurs:
    
    $ cat /sys/kernel/debug/mwifiex/p2p0/info
    Unable to handle kernel paging request at virtual address 74706164
    pgd = de530000
    [74706164] *pgd=00000000
    Internal error: Oops: 5 [#1] SMP ARM
    Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
    CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
    task: de16b6c0 ti: de048000 task.ti: de048000
    PC is at strnlen+0xc/0x4c
    LR is at string+0x3c/0xf8
    pc : [<c02c123c>]    lr : [<c02c2d1c>]    psr: a0000013
    sp : de049e10  ip : c06efba0  fp : de6d2092
    r10: bf01a260  r9 : ffffffff  r8 : 74706164
    r7 : 0000ffff  r6 : ffffffff  r5 : de6d209c  r4 : 00000000
    r3 : ff0a0004  r2 : 74706164  r1 : ffffffff  r0 : 74706164
    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 9e530019  DAC: 00000015
    Process cat (pid: 1635, stack limit = 0xde048240)
    Stack: (0xde049e10 to 0xde04a000)
    9e00:                                     de6d2092 00000002 bf01a25e de6d209c
    9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
    9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
    9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
    9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
    9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
    9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
    9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
    9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
    9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
    9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
    9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
    9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
    9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
    [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
    [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
    [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
    [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
    [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
    [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
    [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
    Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
    ---[ end trace ca98273dc605a04f ]---
    
    The panic is caused by the mwifiex_info_read() routine assuming that
    there can only be four modes (0-3) which is an invalid assumption.
    For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
    code accesses data beyond the bounds of the bss_modes[] array which
    causes the panic.  Fix this by updating bss_modes[] to support the
    current list of modes and adding a check to prevent the out-of-bounds
    access from occuring in the future when more modes are added.
    
    Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
    Acked-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/mwifiex/debugfs.c |   22 +++++++++++++++++-----
 1 files changed, 17 insertions(+), 5 deletions(-)

commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
Author: Johan Hedberg <johan.hedberg@intel.com>
Date:   Tue May 28 13:46:30 2013 +0300

    Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
    
    Bluetooth: Fix missing length checks for L2CAP signalling PDUs
    
    There has been code in place to check that the L2CAP length header
    matches the amount of data received, but many PDU handlers have not been
    checking that the data received actually matches that expected by the
    specific PDU. This patch adds passing the length header to the specific
    handler functions and ensures that those functions fail cleanly in the
    case of an incorrect amount of data.
    
    Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 net/bluetooth/l2cap_core.c |   70 ++++++++++++++++++++++++++++++++-----------
 1 files changed, 52 insertions(+), 18 deletions(-)

commit 628be2427afb241b5a1aa24bc5907d05287e1f25
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Jun 3 12:00:49 2013 +0300

    Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
    
    ipvs: info leak in __ip_vs_get_dest_entries()
    
    The entry struct has a 2 byte hole after ->port and another 4 byte
    hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
    namespace to hit this information leak.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/ipvs/ip_vs_ctl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 066d9226bc6c569d5f420c978b758e0bddd23444
Author: Robin Holt <holt@sgi.com>
Date:   Wed Jun 12 14:04:37 2013 -0700

    Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
    
    reboot: rigrate shutdown/reboot to boot cpu
    
    We recently noticed that reboot of a 1024 cpu machine takes approx 16
    minutes of just stopping the cpus.  The slowdown was tracked to commit
    f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
    kernel_restart()").
    
    The current implementation does all the work of hot removing the cpus
    before halting the system.  We are switching to just migrating to the
    boot cpu and then continuing with shutdown/reboot.
    
    This also has the effect of not breaking x86's command line parameter
    for specifying the reboot cpu.  Note, this code was shamelessly copied
    from arch/x86/kernel/reboot.c with bits removed pertaining to the
    reboot_cpu command line parameter.
    
    Signed-off-by: Robin Holt <holt@sgi.com>
    Tested-by: Shawn Guo <shawn.guo@linaro.org>
    Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@elte.hu>
    Cc: Russ Anderson <rja@sgi.com>
    Cc: Robin Holt <holt@sgi.com>
    Cc: Russell King <linux@arm.linux.org.uk>
    Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sys.c |   29 ++++++++++++++++++++++++++---
 1 files changed, 26 insertions(+), 3 deletions(-)

commit 94e2a91600b07d39825e7059195f35eb611a39a2
Merge: 20cc761 e6e3059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 13 16:23:46 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
Merge: c6aadb1 4b73feb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 13 16:23:39 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 20cc7613e38cde07adc73179a91d6c15292e8d43
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jun 6 15:53:47 2013 +0200

    Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
    
    net: sctp: fix NULL pointer dereference in socket destruction
    
    While stress testing sctp sockets, I hit the following panic:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
    IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
    PGD 7cead067 PUD 7ce76067 PMD 0
    Oops: 0000 [#1] SMP
    Modules linked in: sctp(F) libcrc32c(F) [...]
    CPU: 7 PID: 2950 Comm: acc Tainted: GF            3.10.0-rc2+ #1
    Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
    task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
    RIP: 0010:[<ffffffffa0490c4e>]  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
    RSP: 0018:ffff88007b569e08  EFLAGS: 00010292
    RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
    RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
    RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
    R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
    FS:  00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Stack:
     ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
     ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
     0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
    Call Trace:
     [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
     [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
     [<ffffffff814df36e>] inet_create+0x2ae/0x350
     [<ffffffff81455a6f>] __sock_create+0x11f/0x240
     [<ffffffff81455bf0>] sock_create+0x30/0x40
     [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
     [<ffffffff815403be>] ? do_page_fault+0xe/0x10
     [<ffffffff8153cb32>] ? page_fault+0x22/0x30
     [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
    Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
          1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
          8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
    RIP  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
     RSP <ffff88007b569e08>
    CR2: 0000000000000020
    ---[ end trace e0d71ec1108c1dd9 ]---
    
    I did not hit this with the lksctp-tools functional tests, but with a
    small, multi-threaded test program, that heavily allocates, binds,
    listens and waits in accept on sctp sockets, and then randomly kills
    some of them (no need for an actual client in this case to hit this).
    Then, again, allocating, binding, etc, and then killing child processes.
    
    This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
    is set. The cause for that is actually very simple: in sctp_endpoint_init()
    we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
    our crypto transforms through crypto_alloc_hash(). In our scenario,
    it then can happen that crypto_alloc_hash() fails with -EINTR from
    crypto_larval_wait(), thus we bail out and release the socket via
    sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
    dereference as soon as we try to access members in the endpoint during
    sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
    if we have that case, we do not need to do any cleanup work and just
    leave the destruction handler.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 386ba837978cc8a1111440bdcd8600f2df4634a4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 12 20:37:48 2013 -0400

    fix deadlock when booting i386 kernel without NX

 mm/mmap.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 22:18:07 2013 -0400

    fix elif / elif defined() typo in recent change

 kernel/events/core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit bc43377e1e757cd37a06be0187884a42af718aab
Merge: 3cdea63 c6aadb1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 18:50:39 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 18:49:36 2013 -0400

    Update to pax-linux-3.9.4-test9.patch:
    - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
    - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort

 arch/x86/kernel/setup.c |    2 +-
 mm/mlock.c              |    1 -
 2 files changed, 1 insertions(+), 2 deletions(-)

commit 3cdea63e90607d8d55820b101854091623feedb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:21:44 2013 -0400

    Fix fanotify infoleak reported by Dan Carpenter at:
    https://lkml.org/lkml/2013/6/3/128
    
    Requires CAP_SYS_ADMIN, so this is about as low priority as it gets

 fs/notify/fanotify/fanotify_user.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 373a2b5df78f82b9d3db72bd6577e29a71591323
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:16:46 2013 -0400

    Backport infoleak fix by Dan Carpenter in cpqarray:
    https://lkml.org/lkml/2013/6/3/131

 drivers/block/cpqarray.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 251e84b9b05e063981b20be154c9389862f94759
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:04:17 2013 -0400

    Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2

 drivers/cdrom/cdrom.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 18:34:32 2013 -0400

    change const to __read_only

 kernel/sysctl.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 17:34:13 2013 -0400

    compile fix, make const values const

 kernel/sysctl.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 17:37:13 2013 -0400

    Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a

 drivers/char/mwave/tp3780i.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1c590aa70c95ebd76ba9672aa23d800b81780615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 19:50:35 2013 -0400

    allow -1 perf_event_paranoid

 kernel/sysctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
Merge: 4e85539 117c3fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 17:30:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 117c3fa8d26c3806103123560f807d99071b60b6
Merge: ed9b427 5dd2e98
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 17:30:00 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon May 13 21:25:52 2013 +0000

    Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
    
    tcp: fix tcp_md5_hash_skb_data()
    
    TCP md5 communications fail [1] for some devices, because sg/crypto code
    assume page offsets are below PAGE_SIZE.
    
    This was discovered using mlx4 driver [2], but I suspect loopback
    might trigger the same bug now we use order-3 pages in tcp_sendmsg()
    
    [1] Failure is giving following messages.
    
    huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
    exited with 00000101?
    
    [2] mlx4 driver uses order-2 pages to allocate RX frags
    
    Reported-by: Matt Schnall <mischnal@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Bernhard Beck <bbeck@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri May 17 04:53:13 2013 +0000

    Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
    
    ipv6: fix possible crashes in ip6_cork_release()
    
    commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
    added some code duplication and bad error recovery, leading to potential
    crash in ip6_cork_release() as kfree() could be called with garbage.
    
    use kzalloc() to make sure this wont happen.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
    Cc: Neal Cardwell <ncardwell@google.com>

 net/ipv6/ip6_output.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 16 23:13:04 2013 +0000

    Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
    
    net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
    
    'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
    strncpy() will always left the last byte of 'discovery->data.info'
    uninitialized.
    
    When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
    the last byte of 'discovery->data.info' uninitialized, the next
    strlen() will cause issue.
    
    Also 'discovery->data' is 'struct irda_device_info' which defined in
    "include/uapi/...", it may copy to user mode, so need whole initialized.
    
    All together, need use kzalloc() instead of kmalloc() to initialize all
    members firstly.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/irlap_frame.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c01c9af268cb066f240aec53454b8b74d8d01688
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun May 19 08:36:36 2013 +0000

    Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
    
    isdn/kcapi: fix a small underflow
    
    In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
    from skb->data.  The current code can underflow to one space before the
    start of the array.
    
    The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
    it to match the others.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/capi/kcapi.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
Author: Timo Teräs <timo.teras@iki.fi>
Date:   Wed May 22 01:40:47 2013 +0000

    Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
    
    xfrm: properly handle invalid states as an error
    
    The error exit path needs err explicitly set. Otherwise it
    returns success and the only caller, xfrm_output_resume(),
    would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
    NULL.
    
    Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
    check and add a statistic).
    
    Signed-off-by: Timo Teräs <timo.teras@iki.fi>
    Cc: Li RongQing <roy.qing.li@gmail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/xfrm/xfrm_output.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
Date:   Fri May 31 15:07:52 2013 -0400

    Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
    
    reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
    
    After sleeping for filldir(), we check to see if the file system has
    changed and research. The next_pos pointer is updated but its value
    isn't pushed into the key used for the search itself. As a result,
    the search returns the same item that the last cycle of the loop did
    and filldir() is called multiple times with the same data.
    
    The end result is that the buffer can contain the same name multiple
    times. This can be returned to userspace or used internally in the
    xattr code where it can manifest with the following warning:
    
    jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
    
    reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
    the xattr names and ends up trying to unlink the same name twice. The
    second attempt fails with -ENOENT and the error is returned. At some
    point I'll need to add support into reiserfsck to remove the orphaned
    directories left behind when this occurs.
    
    The fix is to push the value into the key before researching.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/dir.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Fri May 31 15:51:17 2013 -0400

    Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
    
    reiserfs: fix deadlock with nfs racing on create/lookup
    
    Reiserfs is currently able to be deadlocked by having two NFS clients
    where one has removed and recreated a file and another is accessing the
    file with an open file handle.
    
    If one client deletes and recreates a file with timing such that the
    recreated file obtains the same [dirid, objectid] pair as the original
    file while another client accesses the file via file handle, the create
    and lookup can race and deadlock if the lookup manages to create the
    in-memory inode first.
    
    The create thread, in insert_inode_locked4, will hold the write lock
    while waiting on the other inode to be unlocked. The lookup thread,
    anywhere in the iget path, will release and reacquire the write lock while
    it schedules. If it needs to reacquire the lock while the create thread
    has it, it will never be able to make forward progress because it needs
    to reacquire the lock before ultimately unlocking the inode.
    
    This patch drops the write lock across the insert_inode_locked4 call so
    that the ordering of inode_wait -> write lock is retained. Since this
    would have been the case before the BKL push-down, this is safe.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/inode.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Fri May 31 15:54:17 2013 -0400

    Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
    
    reiserfs: fix problems with chowning setuid file w/ xattrs
    
    reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
    and uses it to iterate over all the attrs associated with a file to change
    ownership of xattrs (and transfer quota associated with the xattr files).
    
    When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
    are passed to all the xattrs as well. This means that the xattr directory
    will have S_IFREG added to its mode bits.
    
    This has been prevented in practice by a missing IS_PRIVATE check
    in reiserfs_acl_chmod, which caused a double-lock to occur while holding
    the write lock. Since the file system was completely locked up, the
    writeout of the corrupted mode never happened.
    
    This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
    calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/xattr.c     |   14 +++++++++++++-
 fs/reiserfs/xattr_acl.c |    3 +++
 2 files changed, 16 insertions(+), 1 deletions(-)

commit c18cef940310c06bdf86d64d8cb227e56e165300
Author: Dave Chinner <dchinner@redhat.com>
Date:   Mon May 27 16:38:25 2013 +1000

    Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
    
    xfs: kill suid/sgid through the truncate path.
    
    XFS has failed to kill suid/sgid bits correctly when truncating
    files of non-zero size since commit c4ed4243 ("xfs: split
    xfs_setattr") introduced in the 3.1 kernel. Fix it.
    
    Fix it.
    
    cc: stable kernel <stable@vger.kernel.org>
    Signed-off-by: Dave Chinner <dchinner@redhat.com>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Signed-off-by: Ben Myers <bpm@sgi.com>
    
    (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)

 fs/xfs/xfs_iops.c |   47 ++++++++++++++++++++++++++++++++---------------
 1 files changed, 32 insertions(+), 15 deletions(-)

commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Wed May 29 15:36:40 2013 -0400

    Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
    
    NFSv4: Fix a thinko in nfs4_try_open_cached
    
    We need to pass the full open mode flags to nfs_may_open() when doing
    a delegated open.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: stable@vger.kernel.org

 fs/nfs/nfs4proc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c47de62893a9f269be0a272c2840aac1e2a35c68
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 30 01:18:43 2013 +0000

    Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
    
    parisc: kernel: using strlcpy() instead of strcpy()
    
    'boot_args' is an input args, and 'boot_command_line' has a fix length.
    So use strlcpy() instead of strcpy() to avoid memory overflow.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Acked-by: Kyle McMartin <kyle@mcmartin.ca>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/kernel/setup.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit ce869e6f799f95fcac340420ba3612503df80dbf
Author: Chen Gang <gang.chen@asianux.com>
Date:   Mon May 27 04:57:09 2013 +0000

    Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
    
    parisc: memory overflow, 'name' length is too short for using
    
    'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
    * "%u:" + "%u" + '\0') may be 21.
    
    Since 'name' length is 20, it may be memory overflow.
    
    And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
    max length of 'name' must be less than 28.
    
    So simplify thinking, we can use 28 instead of 20 directly, and do not
    think of whether 'patchc.bc[i]' can '> 100'.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/kernel/drivers.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5dc65cd34d442783118a17c518e2daedb90a31d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 4 17:52:23 2013 -0400

    add PERF_HARDEN recommendation

 grsecurity/Kconfig |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 4 17:22:44 2013 -0400

    Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN

 grsecurity/Kconfig         |   19 +++++++++++++++++++
 include/linux/perf_event.h |    5 +++++
 kernel/events/core.c       |   10 +++++++++-
 kernel/sysctl.c            |    9 ++++++++-
 4 files changed, 41 insertions(+), 2 deletions(-)

commit 84619a3501fd38285a72d9e963f58d1827beedd6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 14:23:31 2013 -0400

    remove user-triggerable BUG_ON in do_munlockall()

 mm/mlock.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 13:44:05 2013 -0400

    Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
    
    From: Kees Cook <keescook@chromium.org>
    Date: Thu, 23 May 2013 17:32:17 +0000
    Subject: iscsi-target: fix heap buffer overflow on error
    
    If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
    error response packet, generated by iscsi_add_notunderstood_response(),
    would still attempt to copy the entire key into the packet, overflowing
    the structure on the heap.
    
    Remote preauthentication kernel memory corruption was possible if a
    target was configured and listening on the network.
    
    CVE-2013-2850
    
    Embargo-screwup-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

 drivers/target/iscsi/iscsi_target_parameters.c |    8 +++-----
 drivers/target/iscsi/iscsi_target_parameters.h |    4 +++-
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 13:43:26 2013 -0400

    Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
    Applying upstream fix instead
    
    This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.

 drivers/target/iscsi/iscsi_target_parameters.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun May 19 21:52:20 2013 +0300

    Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
    
    USB: cxacru: potential underflow in cxacru_cm_get_array()
    
    commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
    
    The value of "offd" comes off the instance->rcv_buf[] and we used it as
    the offset into an array.  The problem is that we check the upper bound
    but not for negative values.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

 drivers/usb/atm/cxacru.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 11:30:17 2013 -0400

    Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters

 drivers/target/iscsi/iscsi_target_parameters.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 8578566969d91678a3d7d5251b4eafc6d7775314
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 30 17:44:15 2013 -0400

    Apply compatibility fix to previous RLIMIT_NPROC change
    don't enforce the rlimit check at exec time if the user is root
    Prevents problems with sudo if root is listed as part of a group
    in limits.conf with process limits enforced

 kernel/sys.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
Merge: 643b294 ed9b427
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:19:28 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit ed9b4276488528d0c3803df1dc0df804238241e0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:18:45 2013 -0400

    Updated to pax-linux-3.9.4-test8.patch:
    - fixed some fallout detected by the checker plugin

 arch/x86/kernel/crash_dump_64.c               |    2 +-
 drivers/base/devtmpfs.c                       |    6 +++---
 drivers/char/agp/compat_ioctl.c               |    2 +-
 drivers/char/agp/frontend.c                   |    2 +-
 drivers/char/mem.c                            |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c         |    4 ++--
 drivers/i2c/i2c-dev.c                         |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c |    6 +++---
 drivers/media/v4l2-core/v4l2-ioctl.c          |   20 ++++++++++++--------
 fs/9p/vfs_addr.c                              |    2 +-
 fs/binfmt_elf.c                               |    4 ++--
 fs/compat_ioctl.c                             |    4 ++--
 fs/exec.c                                     |    2 +-
 fs/namespace.c                                |    8 ++++----
 fs/proc/vmcore.c                              |   12 ++++++++----
 fs/read_write.c                               |    2 +-
 include/linux/syscalls.h                      |    8 ++++----
 init/do_mounts_initrd.c                       |    8 ++++----
 init/main.c                                   |    4 ++--
 kernel/events/core.c                          |    2 +-
 kernel/events/internal.h                      |   10 +++++-----
 mm/page_io.c                                  |    2 +-
 security/keys/internal.h                      |    2 +-
 tools/gcc/checker_plugin.c                    |    1 +
 24 files changed, 63 insertions(+), 54 deletions(-)

commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 18:51:31 2013 -0400

    eliminate gcc warning

 fs/exec.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 18:30:20 2013 -0400

    use BUILD_BUG() instead of BUILD_BUG_ON(1)

 arch/x86/net/bpf_jit_comp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 5343410354267368e5809f3ad8d9a264f141be18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 17:57:41 2013 -0400

    defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
    for unknown opcodes

 arch/x86/net/bpf_jit_comp.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
Date:   Fri May 24 15:55:11 2013 -0700

    Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
    
    mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
    
    Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
    multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
    fix freed page still mapped in secondary MMU").
    
    Since hlist_for_each_entry_rcu() is changed now, we can not revert that
    patch directly, so this patch reverts the commit and simply fix the bug
    spotted by that patch
    
    This bug spotted by commit 751efd8610d3 is:
    
        There is a race condition between mmu_notifier_unregister() and
        __mmu_notifier_release().
    
        Assume two tasks, one calling mmu_notifier_unregister() as a result
        of a filp_close() ->flush() callout (task A), and the other calling
        mmu_notifier_release() from an mmput() (task B).
    
                            A                               B
        t1                                            srcu_read_lock()
        t2            if (!hlist_unhashed())
        t3                                            srcu_read_unlock()
        t4            srcu_read_lock()
        t5                                            hlist_del_init_rcu()
        t6                                            synchronize_srcu()
        t7            srcu_read_unlock()
        t8            hlist_del_rcu()  <--- NULL pointer deref.
    
    This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
    
    The another issue spotted in the commit is "multiple ->release()
    callouts", we needn't care it too much because it is really rare (e.g,
    can not happen on kvm since mmu-notify is unregistered after
    exit_mmap()) and the later call of multiple ->release should be fast
    since all the pages have already been released by the first call.
    Anyway, this issue should be fixed in a separate patch.
    
    -stable suggestions: Any version that has commit 751efd8610d3 need to be
    backported.  I find the oldest version has this commit is 3.0-stable.
    
    [akpm@linux-foundation.org: tweak comments]
    Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
    Tested-by: Robin Holt <holt@sgi.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmu_notifier.c |   79 ++++++++++++++++++++++++++---------------------------
 1 files changed, 39 insertions(+), 40 deletions(-)

commit 163a5539b36247865d39b2bcfa8efc03a62124a6
Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Date:   Fri May 24 15:55:21 2013 -0700

    Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
    
    mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
    
    We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
    set_pmd_at is used to set pmd with huge pte entries and architectures
    like ppc64, clear few flags from the pte when saving a new entry.
    Without this change we observe bad pte errors like below on ppc64 with
    THP enabled.
    
      BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/huge_memory.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date:   Fri May 24 15:55:08 2013 -0700

    Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
    
    fat: fix possible overflow for fat_clusters
    
    Intermediate value of fat_clusters can be overflowed on 32bits arch.
    
    Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/fat/inode.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
Author: Jarod Wilson <jarod@redhat.com>
Date:   Fri May 24 15:55:31 2013 -0700

    Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
    
    drivers/char/random.c: fix priming of last_data
    
    Commit ec8f02da9ea5 ("random: prime last_data value per fips
    requirements") added priming of last_data per fips requirements.
    
    Unfortuantely, it did so in a way that can lead to multiple threads all
    incrementing nbytes, but only one actually doing anything with the extra
    data, which leads to some fun random corruption and panics.
    
    The fix is to simply do everything needed to prime last_data in a single
    shot, so there's no window for multiple cpus to increment nbytes -- in
    fact, we won't even increment or decrement nbytes anymore, we'll just
    extract the needed EXTRACT_SIZE one time per pool and then carry on with
    the normal routine.
    
    All these changes have been tested across multiple hosts and
    architectures where panics were previously encoutered.  The code changes
    are are strictly limited to areas only touched when when booted in fips
    mode.
    
    This change should also go into 3.8-stable, to make the myriads of fips
    users on 3.8.x happy.
    
    Signed-off-by: Jarod Wilson <jarod@redhat.com>
    Tested-by: Jan Stancek <jstancek@redhat.com>
    Tested-by: Jan Stodola <jstodola@redhat.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Matt Mackall <mpm@selenic.com>
    Cc: "Theodore Ts'o" <tytso@mit.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c |   30 +++++++++++++++---------------
 1 files changed, 15 insertions(+), 15 deletions(-)

commit 2d74639040ba6ce47f57ec010714ec06529c4b42
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Fri May 24 15:55:33 2013 -0700

    Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
    
    random: fix accounting race condition with lockless irq entropy_count update
    
    Commit 902c098a3663 ("random: use lockless techniques in the interrupt
    path") turned IRQ path from being spinlock protected into lockless
    cmpxchg-retry update.
    
    That commit removed r->lock serialization between crediting entropy bits
    from IRQ context and accounting when extracting entropy on userspace
    read path, but didn't turn the r->entropy_count reads/updates in
    account() to use cmpxchg as well.
    
    It has been observed, that under certain circumstances this leads to
    read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
    corrupted and becomes negative, which in turn results in propagating 0
    all the way from account() to the actual read() call.
    
    Convert the accounting code to be the proper lockless counterpart of
    what has been partially done by 902c098a3663.
    
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: Greg KH <greg@kroah.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c |   26 +++++++++++++++++---------
 1 files changed, 17 insertions(+), 9 deletions(-)

commit 65d05c7ea468c23c175105526dd4f163302a92cf
Merge: 1a98d0a 6ce3a135
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 25 07:48:15 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kernel/vm86_32.c

commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
Merge: 79bdd65 0bfd8ff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 25 07:46:55 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 18:42:23 2013 -0400

    use existing local variable

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b2b80ef8586061e32e986b31608717c25d1e7c54
Merge: cb45fbd 79bdd65
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 17:58:53 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 79bdd65dac68267bc1b201c6b4a99966a373c305
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 17:57:46 2013 -0400

    Update to pax-linux-3.9.3-test7.patch:
    - fixed some size overflow related warnings (hash table, attributes)
    - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html

 arch/x86/include/asm/page_64.h    |    2 +-
 arch/x86/kernel/head64.c          |    2 +-
 tools/gcc/constify_plugin.c       |   48 ++-
 tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
 4 files changed, 651 insertions(+), 592 deletions(-)

commit cb45fbda4967b1b544a754fbdc92d73283379522
Merge: 62588fa 57c11b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 20 17:32:17 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 57c11b85acd841a088aa4df8e60be337880df8cd
Merge: 0598b37 4bb0869
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 20 17:32:08 2013 -0400

    Merge branch 'linux-3.9.y' into pax-test

commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
Merge: e261c7b 0598b37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 17 22:57:36 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 17 22:57:07 2013 -0400

    Update to pax-linux-3.9.2-test6.patch:
    - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
    - fixed pfn extraction from pud/pgd entries, reported by ousado

 arch/x86/include/asm/pgtable.h |    9 +++++++--
 tools/gcc/structleak_plugin.c  |    3 ++-
 2 files changed, 9 insertions(+), 3 deletions(-)

commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 22:54:12 2013 -0400

    add offset to topdown check, fixes compilation

 arch/x86/kernel/sys_x86_64.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:57:41 2013 -0400

    CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
    reported by lulzh3ad on irc

 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0d4593e84707cdf6deb6b925c18c676a476b1613
Merge: 43cd0c0 39a877f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:39:11 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:37:35 2013 -0400

    Update to pax-linux-3.9.2-test105.patch:
    - fixed !EFI boot problem, reported by spender
    - fixed a few compile warnings
    - fixed some more compile errors due to constification
    - fixed some arm fallout, reported by Michael Tremer

 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/x86/kernel/sys_x86_64.c                       |    3 +--
 arch/x86/realmode/init.c                           |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +++++-----
 drivers/irqchip/irq-gic.c                          |    2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +++-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +++++++++---
 drivers/platform/x86/chromeos_laptop.c             |    2 +-
 fs/jfs/super.c                                     |    4 ++--
 include/linux/irqchip/arm-gic.h                    |    2 ++
 include/sound/compress_driver.h                    |    2 +-
 net/mac80211/cfg.c                                 |    4 ++--
 sound/soc/fsl/fsl_ssi.c                            |    2 +-
 14 files changed, 31 insertions(+), 22 deletions(-)

commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:35:22 2013 -0400

    Fix usercopy false positive under gcc 4.1

 arch/x86/kernel/signal.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 56a166129d817f6634c8c230e6ec497669bdfaca
Author: Amerigo Wang <amwang@redhat.com>
Date:   Thu May 9 21:56:37 2013 +0000

    Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
    
    ipv6,gre: do not leak info to user-space
    
    There is a hole in struct ip6_tnl_parm2, so we have to
    zero the struct on stack before copying it to user-space.
    
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_gre.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit d6f50dae2653ad912952da40417a8ccbd59c7699
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 14 16:52:35 2013 -0400

    disable unprivileged kernel profiling under HIDESYM, rename
    the variable to something more appropriate

 include/linux/perf_event.h |    8 ++++----
 kernel/events/core.c       |    6 +++++-
 kernel/sysctl.c            |    4 ++--
 3 files changed, 11 insertions(+), 7 deletions(-)

commit 01322c6951bed4eedefbd2178dbd99292b365d99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 17:19:57 2013 -0400

    mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
    existing stack-heap gap code for the new unified vm_unmapped_area

 grsecurity/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 15:40:32 2013 -0400

    fix NX fault on early boot

 arch/x86/realmode/init.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:48:13 2013 -0400

    compile fix, we weren't using %pa anyway and it's now being used
    by upstream for physical address printing

 lib/vsprintf.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:39:52 2013 -0400

    compile fix

 grsecurity/grsec_chroot.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:35:36 2013 -0400

    compile fixes

 grsecurity/grsec_chroot.c  |    2 +-
 include/linux/grinternal.h |    8 ++++----
 include/linux/grsecurity.h |    4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:27:18 2013 -0400

    compile fix

 fs/exec.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 10:23:17 2013 -0400

    Initial port of grsecurity for 3.9.2

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |    8 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/include/asm/thread_info.h                 |    9 +-
 arch/arm/kernel/process.c                          |    4 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   29 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   17 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/include/asm/thread_info.h             |    8 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/powerpc/mm/slice.c                            |    8 +-
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    8 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/defconfig                                  |    1 -
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/Kconfig.debug                             |    2 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |   14 +-
 arch/x86/kernel/sys_x86_64.c                       |    6 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |   16 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  126 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/net/bonding/bond_main.c                    |    2 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/usb/storage/realtek_cr.c                   |    2 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++--------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    8 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |   10 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  181 +-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  241 ++-
 fs/namespace.c                                     |   24 +
 fs/open.c                                          |   38 +
 fs/pipe.c                                          |    2 +-
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 +-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |   17 +
 fs/proc/internal.h                                 |    3 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 grsecurity/Kconfig                                 | 1031 +++++
 grsecurity/Makefile                                |   38 +
 grsecurity/gracl.c                                 | 4073 ++++++++++++++++++++
 grsecurity/gracl_alloc.c                           |  105 +
 grsecurity/gracl_cap.c                             |  110 +
 grsecurity/gracl_fs.c                              |  431 +++
 grsecurity/gracl_ip.c                              |  387 ++
 grsecurity/gracl_learn.c                           |  207 +
 grsecurity/gracl_res.c                             |   68 +
 grsecurity/gracl_segv.c                            |  305 ++
 grsecurity/gracl_shm.c                             |   40 +
 grsecurity/grsec_chdir.c                           |   19 +
 grsecurity/grsec_chroot.c                          |  370 ++
 grsecurity/grsec_disabled.c                        |  434 +++
 grsecurity/grsec_exec.c                            |  187 +
 grsecurity/grsec_fifo.c                            |   24 +
 grsecurity/grsec_fork.c                            |   23 +
 grsecurity/grsec_init.c                            |  283 ++
 grsecurity/grsec_link.c                            |   58 +
 grsecurity/grsec_log.c                             |  326 ++
 grsecurity/grsec_mem.c                             |   40 +
 grsecurity/grsec_mount.c                           |   62 +
 grsecurity/grsec_pax.c                             |   36 +
 grsecurity/grsec_ptrace.c                          |   30 +
 grsecurity/grsec_sig.c                             |  222 ++
 grsecurity/grsec_sock.c                            |  244 ++
 grsecurity/grsec_sysctl.c                          |  469 +++
 grsecurity/grsec_time.c                            |   16 +
 grsecurity/grsec_tpe.c                             |   73 +
 grsecurity/grsum.c                                 |   61 +
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/gracl.h                              |  319 ++
 include/linux/gralloc.h                            |    9 +
 include/linux/grdefs.h                             |  140 +
 include/linux/grinternal.h                         |  215 +
 include/linux/grmsg.h                              |  111 +
 include/linux/grsecurity.h                         |  242 ++
 include/linux/grsock.h                             |   19 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/mm.h                                 |    1 +
 include/linux/netfilter/xt_gradm.h                 |    9 +
 include/linux/printk.h                             |    3 +-
 include/linux/proc_fs.h                            |   12 +
 include/linux/sched.h                              |   68 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/uidgid.h                             |    5 +
 include/linux/vermagic.h                           |    9 +-
 include/net/secure_seq.h                           |    1 +
 include/trace/events/fs.h                          |   53 +
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   41 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   71 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   81 +-
 kernel/panic.c                                     |    4 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    8 +
 kernel/printk.c                                    |   13 +-
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    3 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 lib/vsprintf.c                                     |   35 +-
 localversion-grsec                                 |    1 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   64 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/shmem.c                                         |    2 +-
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/8021q/vlan.c                                   |    7 +
 net/core/dev_ioctl.c                               |    4 +
 net/core/net-procfs.c                              |    5 +
 net/core/secure_seq.c                              |    4 +-
 net/core/sock_diag.c                               |    7 +
 net/ipv4/af_inet.c                                 |    5 +-
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    7 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netfilter/xt_gradm.c                           |   51 +
 net/netrom/af_netrom.c                             |    2 +-
 net/phonet/af_phonet.c                             |    2 +-
 net/sctp/probe.c                                   |    2 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   66 +-
 net/sysctl_net.c                                   |    2 +-
 net/tipc/link.c                                    |   11 +-
 net/unix/af_unix.c                                 |   31 +-
 security/Kconfig                                   |  342 ++-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/tomoyo/mount.c                            |    4 +
 security/yama/Kconfig                              |    2 +-
 291 files changed, 15221 insertions(+), 2052 deletions(-)

commit 88854c350c899bceca4a94598c42bed44d0dc91b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 07:37:47 2013 -0400

    Initial import of pax-linux-3.9.2-test2.patch

 Documentation/dontdiff                           |   45 +-
 Documentation/kernel-parameters.txt              |   12 +
 Makefile                                         |  100 +-
 arch/alpha/include/asm/atomic.h                  |   10 +
 arch/alpha/include/asm/elf.h                     |    7 +
 arch/alpha/include/asm/pgalloc.h                 |    6 +
 arch/alpha/include/asm/pgtable.h                 |   11 +
 arch/alpha/kernel/module.c                       |    2 +-
 arch/alpha/kernel/osf_sys.c                      |    8 +-
 arch/alpha/mm/fault.c                            |  141 +-
 arch/arm/Kconfig                                 |    2 +-
 arch/arm/include/asm/atomic.h                    |  421 ++-
 arch/arm/include/asm/cache.h                     |    5 +-
 arch/arm/include/asm/cacheflush.h                |    2 +-
 arch/arm/include/asm/checksum.h                  |   14 +-
 arch/arm/include/asm/cmpxchg.h                   |    2 +
 arch/arm/include/asm/domain.h                    |   33 +-
 arch/arm/include/asm/elf.h                       |   13 +-
 arch/arm/include/asm/fncpy.h                     |    2 +
 arch/arm/include/asm/futex.h                     |   10 +
 arch/arm/include/asm/kmap_types.h                |    2 +-
 arch/arm/include/asm/mach/dma.h                  |    2 +-
 arch/arm/include/asm/mach/map.h                  |    7 +-
 arch/arm/include/asm/outercache.h                |    2 +-
 arch/arm/include/asm/page.h                      |    2 +-
 arch/arm/include/asm/pgalloc.h                   |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h      |    5 +
 arch/arm/include/asm/pgtable-2level.h            |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h      |    2 +
 arch/arm/include/asm/pgtable-3level.h            |    2 +
 arch/arm/include/asm/pgtable.h                   |   56 +-
 arch/arm/include/asm/proc-fns.h                  |    2 +-
 arch/arm/include/asm/processor.h                 |    5 +-
 arch/arm/include/asm/smp.h                       |    2 +-
 arch/arm/include/asm/thread_info.h               |    6 +-
 arch/arm/include/asm/uaccess.h                   |   92 +-
 arch/arm/include/uapi/asm/ptrace.h               |    2 +-
 arch/arm/kernel/armksyms.c                       |    6 +-
 arch/arm/kernel/entry-armv.S                     |  107 +-
 arch/arm/kernel/entry-common.S                   |   41 +-
 arch/arm/kernel/entry-header.S                   |   60 +
 arch/arm/kernel/fiq.c                            |    2 +
 arch/arm/kernel/head.S                           |    6 +-
 arch/arm/kernel/hw_breakpoint.c                  |    2 +-
 arch/arm/kernel/module.c                         |   29 +-
 arch/arm/kernel/patch.c                          |    2 +
 arch/arm/kernel/perf_event_cpu.c                 |    2 +-
 arch/arm/kernel/process.c                        |   15 +-
 arch/arm/kernel/setup.c                          |   22 +-
 arch/arm/kernel/signal.c                         |   24 +-
 arch/arm/kernel/smp.c                            |    2 +-
 arch/arm/kernel/traps.c                          |   15 +-
 arch/arm/kernel/vmlinux.lds.S                    |   22 +-
 arch/arm/lib/clear_user.S                        |    6 +-
 arch/arm/lib/copy_from_user.S                    |    6 +-
 arch/arm/lib/copy_page.S                         |    1 +
 arch/arm/lib/copy_to_user.S                      |    6 +-
 arch/arm/lib/csumpartialcopyuser.S               |    4 +-
 arch/arm/lib/delay.c                             |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c               |    2 +-
 arch/arm/mach-kirkwood/common.c                  |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                 |    2 +-
 arch/arm/mach-omap2/gpmc.c                       |   22 +-
 arch/arm/mach-omap2/omap-wakeupgen.c             |    2 +-
 arch/arm/mach-omap2/omap_device.c                |    4 +-
 arch/arm/mach-omap2/omap_device.h                |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                 |    4 +-
 arch/arm/mach-omap2/wd_timer.c                   |    6 +-
 arch/arm/mach-ux500/include/mach/setup.h         |    7 -
 arch/arm/mm/Kconfig                              |    3 +-
 arch/arm/mm/alignment.c                          |    8 +
 arch/arm/mm/fault.c                              |   91 +
 arch/arm/mm/fault.h                              |   12 +
 arch/arm/mm/init.c                               |   41 +
 arch/arm/mm/ioremap.c                            |    4 +-
 arch/arm/mm/mmap.c                               |   36 +-
 arch/arm/mm/mmu.c                                |  187 +-
 arch/arm/mm/proc-v7-2level.S                     |    3 +
 arch/arm/plat-omap/sram.c                        |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h     |    2 +-
 arch/arm64/kernel/debug-monitors.c               |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                |    2 +-
 arch/avr32/include/asm/elf.h                     |    8 +-
 arch/avr32/include/asm/kmap_types.h              |    4 +-
 arch/avr32/mm/fault.c                            |   27 +
 arch/frv/include/asm/atomic.h                    |   10 +
 arch/frv/include/asm/kmap_types.h                |    2 +-
 arch/frv/mm/elf-fdpic.c                          |    3 +-
 arch/ia64/include/asm/atomic.h                   |   10 +
 arch/ia64/include/asm/elf.h                      |    7 +
 arch/ia64/include/asm/pgalloc.h                  |   12 +
 arch/ia64/include/asm/pgtable.h                  |   13 +-
 arch/ia64/include/asm/spinlock.h                 |    2 +-
 arch/ia64/include/asm/uaccess.h                  |   26 +-
 arch/ia64/kernel/err_inject.c                    |    2 +-
 arch/ia64/kernel/mca.c                           |    2 +-
 arch/ia64/kernel/module.c                        |   48 +-
 arch/ia64/kernel/palinfo.c                       |    2 +-
 arch/ia64/kernel/salinfo.c                       |    2 +-
 arch/ia64/kernel/sys_ia64.c                      |    7 +
 arch/ia64/kernel/topology.c                      |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                   |    2 +-
 arch/ia64/mm/fault.c                             |   32 +-
 arch/ia64/mm/init.c                              |   13 +
 arch/m32r/lib/usercopy.c                         |    6 +
 arch/mips/include/asm/atomic.h                   |   14 +
 arch/mips/include/asm/elf.h                      |   11 +-
 arch/mips/include/asm/exec.h                     |    2 +-
 arch/mips/include/asm/page.h                     |    2 +-
 arch/mips/include/asm/pgalloc.h                  |    5 +
 arch/mips/kernel/binfmt_elfn32.c                 |    7 +
 arch/mips/kernel/binfmt_elfo32.c                 |    7 +
 arch/mips/kernel/process.c                       |   12 -
 arch/mips/mm/fault.c                             |   17 +
 arch/mips/mm/mmap.c                              |   51 +-
 arch/parisc/include/asm/atomic.h                 |   10 +
 arch/parisc/include/asm/elf.h                    |    7 +
 arch/parisc/include/asm/pgalloc.h                |    6 +
 arch/parisc/include/asm/pgtable.h                |   11 +
 arch/parisc/include/asm/uaccess.h                |    4 +-
 arch/parisc/kernel/module.c                      |   50 +-
 arch/parisc/kernel/sys_parisc.c                  |    9 +-
 arch/parisc/kernel/traps.c                       |    4 +-
 arch/parisc/mm/fault.c                           |  140 +-
 arch/powerpc/include/asm/atomic.h                |   10 +
 arch/powerpc/include/asm/elf.h                   |   19 +-
 arch/powerpc/include/asm/exec.h                  |    2 +-
 arch/powerpc/include/asm/kmap_types.h            |    2 +-
 arch/powerpc/include/asm/mman.h                  |    2 +-
 arch/powerpc/include/asm/page.h                  |    8 +-
 arch/powerpc/include/asm/page_64.h               |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h            |    7 +
 arch/powerpc/include/asm/pgtable.h               |    1 +
 arch/powerpc/include/asm/pte-hash32.h            |    1 +
 arch/powerpc/include/asm/reg.h                   |    1 +
 arch/powerpc/include/asm/smp.h                   |    2 +-
 arch/powerpc/include/asm/uaccess.h               |  140 +-
 arch/powerpc/kernel/exceptions-64e.S             |    4 +-
 arch/powerpc/kernel/exceptions-64s.S             |    2 +-
 arch/powerpc/kernel/module_32.c                  |   13 +-
 arch/powerpc/kernel/process.c                    |   55 -
 arch/powerpc/kernel/signal_32.c                  |    2 +-
 arch/powerpc/kernel/signal_64.c                  |    2 +-
 arch/powerpc/kernel/sysfs.c                      |    2 +-
 arch/powerpc/kernel/vdso.c                       |    5 +-
 arch/powerpc/lib/usercopy_64.c                   |   18 -
 arch/powerpc/mm/fault.c                          |   54 +-
 arch/powerpc/mm/mmap_64.c                        |   16 +
 arch/powerpc/mm/mmu_context_nohash.c             |    2 +-
 arch/powerpc/mm/numa.c                           |    2 +-
 arch/powerpc/mm/slice.c                          |   23 +-
 arch/powerpc/platforms/cell/spufs/file.c         |    4 +-
 arch/powerpc/platforms/powermac/smp.c            |    2 +-
 arch/s390/include/asm/atomic.h                   |   10 +
 arch/s390/include/asm/elf.h                      |   13 +-
 arch/s390/include/asm/exec.h                     |    2 +-
 arch/s390/include/asm/uaccess.h                  |   15 +-
 arch/s390/kernel/module.c                        |   22 +-
 arch/s390/kernel/process.c                       |   36 -
 arch/s390/mm/mmap.c                              |   24 +
 arch/score/include/asm/exec.h                    |    2 +-
 arch/score/kernel/process.c                      |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c               |    2 +-
 arch/sh/mm/mmap.c                                |   22 +-
 arch/sparc/include/asm/atomic_64.h               |  106 +-
 arch/sparc/include/asm/cache.h                   |    2 +-
 arch/sparc/include/asm/elf_32.h                  |    7 +
 arch/sparc/include/asm/elf_64.h                  |    7 +
 arch/sparc/include/asm/pgalloc_32.h              |    1 +
 arch/sparc/include/asm/pgalloc_64.h              |    1 +
 arch/sparc/include/asm/pgtable_32.h              |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                |    5 +
 arch/sparc/include/asm/spinlock_64.h             |   35 +-
 arch/sparc/include/asm/thread_info_32.h          |    2 +
 arch/sparc/include/asm/thread_info_64.h          |    2 +
 arch/sparc/include/asm/uaccess.h                 |    1 +
 arch/sparc/include/asm/uaccess_32.h              |   27 +-
 arch/sparc/include/asm/uaccess_64.h              |   19 +-
 arch/sparc/kernel/Makefile                       |    2 +-
 arch/sparc/kernel/prom_common.c                  |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                 |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                 |   48 +-
 arch/sparc/kernel/sysfs.c                        |    2 +-
 arch/sparc/kernel/traps_64.c                     |   13 +-
 arch/sparc/kernel/us3_cpufreq.c                  |   69 +-
 arch/sparc/lib/Makefile                          |    2 +-
 arch/sparc/lib/atomic_64.S                       |  136 +-
 arch/sparc/lib/ksyms.c                           |    6 +
 arch/sparc/mm/Makefile                           |    2 +-
 arch/sparc/mm/fault_32.c                         |  292 ++
 arch/sparc/mm/fault_64.c                         |  486 ++
 arch/sparc/mm/hugetlbpage.c                      |   21 +-
 arch/tile/include/asm/atomic_64.h                |   10 +
 arch/tile/include/asm/uaccess.h                  |    4 +-
 arch/um/Makefile                                 |    4 +
 arch/um/include/asm/kmap_types.h                 |    2 +-
 arch/um/include/asm/page.h                       |    3 +
 arch/um/include/asm/pgtable-3level.h             |    1 +
 arch/um/kernel/process.c                         |   16 -
 arch/x86/Kconfig                                 |   10 +-
 arch/x86/Kconfig.cpu                             |    6 +-
 arch/x86/Kconfig.debug                           |    6 +-
 arch/x86/Makefile                                |   10 +
 arch/x86/boot/Makefile                           |    3 +
 arch/x86/boot/bitops.h                           |    4 +-
 arch/x86/boot/boot.h                             |    4 +-
 arch/x86/boot/compressed/Makefile                |    3 +
 arch/x86/boot/compressed/eboot.c                 |    2 -
 arch/x86/boot/compressed/head_32.S               |    7 +-
 arch/x86/boot/compressed/head_64.S               |    8 +-
 arch/x86/boot/compressed/misc.c                  |    4 +-
 arch/x86/boot/cpucheck.c                         |   28 +-
 arch/x86/boot/header.S                           |    6 +-
 arch/x86/boot/memory.c                           |    2 +-
 arch/x86/boot/video-vesa.c                       |    1 +
 arch/x86/boot/video.c                            |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S              |    4 +
 arch/x86/crypto/aesni-intel_asm.S                |   21 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S         |    7 +
 arch/x86/crypto/camellia-x86_64-asm_64.S         |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S        |    7 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S        |    7 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S          |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S      |    7 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S     |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                 |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S      |    7 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S     |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S          |    3 +
 arch/x86/ia32/ia32_signal.c                      |   14 +-
 arch/x86/ia32/ia32entry.S                        |  141 +-
 arch/x86/ia32/sys_ia32.c                         |    6 +-
 arch/x86/include/asm/alternative-asm.h           |   39 +
 arch/x86/include/asm/alternative.h               |    4 +-
 arch/x86/include/asm/apic.h                      |    2 +-
 arch/x86/include/asm/apm.h                       |    4 +-
 arch/x86/include/asm/atomic.h                    |  307 ++-
 arch/x86/include/asm/atomic64_32.h               |  100 +
 arch/x86/include/asm/atomic64_64.h               |  202 +-
 arch/x86/include/asm/bitops.h                    |    4 +-
 arch/x86/include/asm/boot.h                      |    7 +-
 arch/x86/include/asm/cache.h                     |    5 +-
 arch/x86/include/asm/cacheflush.h                |    2 +-
 arch/x86/include/asm/checksum_32.h               |   12 +-
 arch/x86/include/asm/cmpxchg.h                   |   35 +
 arch/x86/include/asm/compat.h                    |    2 +-
 arch/x86/include/asm/cpufeature.h                |    4 +-
 arch/x86/include/asm/desc.h                      |   67 +-
 arch/x86/include/asm/desc_defs.h                 |    6 +
 arch/x86/include/asm/div64.h                     |    2 +-
 arch/x86/include/asm/elf.h                       |   31 +-
 arch/x86/include/asm/emergency-restart.h         |    2 +-
 arch/x86/include/asm/fpu-internal.h              |    6 +-
 arch/x86/include/asm/futex.h                     |   16 +-
 arch/x86/include/asm/hw_irq.h                    |    4 +-
 arch/x86/include/asm/i8259.h                     |    2 +-
 arch/x86/include/asm/io.h                        |   21 +-
 arch/x86/include/asm/irqflags.h                  |    5 +
 arch/x86/include/asm/kprobes.h                   |    9 +-
 arch/x86/include/asm/local.h                     |  142 +-
 arch/x86/include/asm/mman.h                      |   15 +
 arch/x86/include/asm/mmu.h                       |   16 +-
 arch/x86/include/asm/mmu_context.h               |   76 +-
 arch/x86/include/asm/module.h                    |   17 +-
 arch/x86/include/asm/nmi.h                       |    6 +-
 arch/x86/include/asm/page_64.h                   |    2 +-
 arch/x86/include/asm/paravirt.h                  |   46 +-
 arch/x86/include/asm/paravirt_types.h            |   17 +-
 arch/x86/include/asm/pgalloc.h                   |   23 +
 arch/x86/include/asm/pgtable-2level.h            |    2 +
 arch/x86/include/asm/pgtable-3level.h            |    4 +
 arch/x86/include/asm/pgtable.h                   |  113 +-
 arch/x86/include/asm/pgtable_32.h                |   14 +-
 arch/x86/include/asm/pgtable_32_types.h          |   15 +-
 arch/x86/include/asm/pgtable_64.h                |   19 +-
 arch/x86/include/asm/pgtable_64_types.h          |    5 +
 arch/x86/include/asm/pgtable_types.h             |   36 +-
 arch/x86/include/asm/processor.h                 |   39 +-
 arch/x86/include/asm/ptrace.h                    |   26 +-
 arch/x86/include/asm/realmode.h                  |    4 +-
 arch/x86/include/asm/reboot.h                    |   10 +-
 arch/x86/include/asm/rwsem.h                     |   60 +-
 arch/x86/include/asm/segment.h                   |   24 +-
 arch/x86/include/asm/smp.h                       |   14 +-
 arch/x86/include/asm/spinlock.h                  |   36 +-
 arch/x86/include/asm/stackprotector.h            |    4 +-
 arch/x86/include/asm/stacktrace.h                |   32 +-
 arch/x86/include/asm/switch_to.h                 |    4 +-
 arch/x86/include/asm/thread_info.h               |   83 +-
 arch/x86/include/asm/uaccess.h                   |   96 +-
 arch/x86/include/asm/uaccess_32.h                |  106 +-
 arch/x86/include/asm/uaccess_64.h                |  232 +-
 arch/x86/include/asm/word-at-a-time.h            |    2 +-
 arch/x86/include/asm/x86_init.h                  |   10 +-
 arch/x86/include/asm/xsave.h                     |   10 +-
 arch/x86/include/uapi/asm/e820.h                 |    2 +-
 arch/x86/kernel/Makefile                         |    2 +-
 arch/x86/kernel/acpi/boot.c                      |    4 +-
 arch/x86/kernel/acpi/sleep.c                     |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                 |    6 +-
 arch/x86/kernel/alternative.c                    |   65 +-
 arch/x86/kernel/apic/apic.c                      |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c              |    4 +-
 arch/x86/kernel/apic/apic_noop.c                 |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                 |    2 +-
 arch/x86/kernel/apic/es7000_32.c                 |    5 +-
 arch/x86/kernel/apic/io_apic.c                   |    8 +-
 arch/x86/kernel/apic/numaq_32.c                  |    3 +-
 arch/x86/kernel/apic/probe_32.c                  |    2 +-
 arch/x86/kernel/apic/summit_32.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c            |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c               |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c               |    2 +-
 arch/x86/kernel/apm_32.c                         |   19 +-
 arch/x86/kernel/asm-offsets.c                    |   20 +
 arch/x86/kernel/asm-offsets_64.c                 |    1 +
 arch/x86/kernel/cpu/Makefile                     |    4 -
 arch/x86/kernel/cpu/amd.c                        |    2 +-
 arch/x86/kernel/cpu/common.c                     |   75 +-
 arch/x86/kernel/cpu/intel.c                      |    2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c            |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                 |   31 +-
 arch/x86/kernel/cpu/mcheck/p5.c                  |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c         |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c             |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                  |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                  |    2 +-
 arch/x86/kernel/cpu/perf_event.c                 |    8 +-
 arch/x86/kernel/cpu/perf_event_intel.c           |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c    |    4 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h    |    2 +-
 arch/x86/kernel/cpuid.c                          |    2 +-
 arch/x86/kernel/crash.c                          |    4 +-
 arch/x86/kernel/doublefault_32.c                 |    8 +-
 arch/x86/kernel/dumpstack.c                      |   30 +-
 arch/x86/kernel/dumpstack_32.c                   |   34 +-
 arch/x86/kernel/dumpstack_64.c                   |   63 +-
 arch/x86/kernel/early_printk.c                   |    1 +
 arch/x86/kernel/entry_32.S                       |  354 ++-
 arch/x86/kernel/entry_64.S                       |  530 ++-
 arch/x86/kernel/ftrace.c                         |   14 +-
 arch/x86/kernel/head64.c                         |    1 -
 arch/x86/kernel/head_32.S                        |  237 +-
 arch/x86/kernel/head_64.S                        |  120 +-
 arch/x86/kernel/i386_ksyms_32.c                  |    8 +
 arch/x86/kernel/i387.c                           |    2 +-
 arch/x86/kernel/i8259.c                          |   10 +-
 arch/x86/kernel/io_delay.c                       |    2 +-
 arch/x86/kernel/ioport.c                         |    2 +-
 arch/x86/kernel/irq.c                            |    8 +-
 arch/x86/kernel/irq_32.c                         |   69 +-
 arch/x86/kernel/irq_64.c                         |    2 +-
 arch/x86/kernel/kdebugfs.c                       |    2 +-
 arch/x86/kernel/kgdb.c                           |   25 +-
 arch/x86/kernel/kprobes/core.c                   |   30 +-
 arch/x86/kernel/kprobes/opt.c                    |   16 +-
 arch/x86/kernel/kvm.c                            |    2 +-
 arch/x86/kernel/ldt.c                            |   31 +-
 arch/x86/kernel/machine_kexec_32.c               |    6 +-
 arch/x86/kernel/microcode_core.c                 |    2 +-
 arch/x86/kernel/microcode_intel.c                |    4 +-
 arch/x86/kernel/module.c                         |   76 +-
 arch/x86/kernel/msr.c                            |    2 +-
 arch/x86/kernel/nmi.c                            |   19 +-
 arch/x86/kernel/nmi_selftest.c                   |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c             |    2 +-
 arch/x86/kernel/paravirt.c                       |   43 +-
 arch/x86/kernel/pci-calgary_64.c                 |    2 +-
 arch/x86/kernel/pci-iommu_table.c                |    2 +-
 arch/x86/kernel/pci-swiotlb.c                    |    2 +-
 arch/x86/kernel/process.c                        |   57 +-
 arch/x86/kernel/process_32.c                     |   29 +-
 arch/x86/kernel/process_64.c                     |   15 +-
 arch/x86/kernel/ptrace.c                         |   25 +-
 arch/x86/kernel/pvclock.c                        |    8 +-
 arch/x86/kernel/reboot.c                         |   44 +-
 arch/x86/kernel/relocate_kernel_64.S             |    4 +-
 arch/x86/kernel/setup.c                          |   19 +-
 arch/x86/kernel/setup_percpu.c                   |   29 +-
 arch/x86/kernel/signal.c                         |   15 +-
 arch/x86/kernel/smp.c                            |    2 +-
 arch/x86/kernel/smpboot.c                        |   15 +-
 arch/x86/kernel/step.c                           |   10 +-
 arch/x86/kernel/sys_i386_32.c                    |  248 +
 arch/x86/kernel/sys_x86_64.c                     |   19 +-
 arch/x86/kernel/tboot.c                          |   14 +-
 arch/x86/kernel/time.c                           |   10 +-
 arch/x86/kernel/tls.c                            |    7 +-
 arch/x86/kernel/traps.c                          |   64 +-
 arch/x86/kernel/uprobes.c                        |    2 +-
 arch/x86/kernel/vm86_32.c                        |    6 +-
 arch/x86/kernel/vmlinux.lds.S                    |  148 +-
 arch/x86/kernel/vsyscall_64.c                    |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                 |    2 -
 arch/x86/kernel/x86_init.c                       |    8 +-
 arch/x86/kernel/xsave.c                          |    2 +
 arch/x86/kvm/cpuid.c                             |   21 +-
 arch/x86/kvm/emulate.c                           |    4 +-
 arch/x86/kvm/lapic.c                             |    2 +-
 arch/x86/kvm/paging_tmpl.h                       |    2 +-
 arch/x86/kvm/svm.c                               |    8 +
 arch/x86/kvm/vmx.c                               |   57 +-
 arch/x86/kvm/x86.c                               |   10 +-
 arch/x86/lguest/boot.c                           |    3 +-
 arch/x86/lib/atomic64_386_32.S                   |  164 +
 arch/x86/lib/atomic64_cx8_32.S                   |  103 +-
 arch/x86/lib/checksum_32.S                       |  100 +-
 arch/x86/lib/clear_page_64.S                     |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                    |    2 +
 arch/x86/lib/copy_page_64.S                      |   24 +-
 arch/x86/lib/copy_user_64.S                      |   47 +-
 arch/x86/lib/copy_user_nocache_64.S              |   20 +-
 arch/x86/lib/csum-copy_64.S                      |    2 +
 arch/x86/lib/csum-wrappers_64.c                  |    4 +-
 arch/x86/lib/getuser.S                           |   70 +-
 arch/x86/lib/insn.c                              |    6 +-
 arch/x86/lib/iomap_copy_64.S                     |    2 +
 arch/x86/lib/memcpy_64.S                         |   18 +-
 arch/x86/lib/memmove_64.S                        |   34 +-
 arch/x86/lib/memset_64.S                         |    7 +-
 arch/x86/lib/mmx_32.c                            |  243 +-
 arch/x86/lib/msr-reg.S                           |   18 +-
 arch/x86/lib/putuser.S                           |   90 +-
 arch/x86/lib/rwlock.S                            |   42 +
 arch/x86/lib/rwsem.S                             |    6 +-
 arch/x86/lib/thunk_64.S                          |    2 +
 arch/x86/lib/usercopy_32.c                       |  376 +-
 arch/x86/lib/usercopy_64.c                       |   25 +-
 arch/x86/mm/extable.c                            |   25 +-
 arch/x86/mm/fault.c                              |  556 ++-
 arch/x86/mm/gup.c                                |    2 +-
 arch/x86/mm/highmem_32.c                         |    4 +
 arch/x86/mm/hugetlbpage.c                        |   30 +-
 arch/x86/mm/init.c                               |   90 +-
 arch/x86/mm/init_32.c                            |  119 +-
 arch/x86/mm/init_64.c                            |   44 +-
 arch/x86/mm/iomap_32.c                           |    4 +
 arch/x86/mm/ioremap.c                            |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                |    4 +-
 arch/x86/mm/mmap.c                               |   41 +-
 arch/x86/mm/mmio-mod.c                           |   10 +-
 arch/x86/mm/numa.c                               |    2 +-
 arch/x86/mm/pageattr-test.c                      |    2 +-
 arch/x86/mm/pageattr.c                           |   33 +-
 arch/x86/mm/pat.c                                |   12 +-
 arch/x86/mm/pf_in.c                              |   10 +-
 arch/x86/mm/pgtable.c                            |  137 +-
 arch/x86/mm/pgtable_32.c                         |    3 +
 arch/x86/mm/physaddr.c                           |    4 +-
 arch/x86/mm/setup_nx.c                           |    7 +
 arch/x86/mm/tlb.c                                |    4 +
 arch/x86/net/bpf_jit.S                           |   14 +
 arch/x86/net/bpf_jit_comp.c                      |   37 +-
 arch/x86/oprofile/backtrace.c                    |    8 +-
 arch/x86/oprofile/nmi_int.c                      |    8 +-
 arch/x86/oprofile/op_model_amd.c                 |    8 +-
 arch/x86/oprofile/op_model_ppro.c                |    7 +-
 arch/x86/oprofile/op_x86_model.h                 |    2 +-
 arch/x86/pci/amd_bus.c                           |    2 +-
 arch/x86/pci/irq.c                               |    8 +-
 arch/x86/pci/mrst.c                              |    4 +-
 arch/x86/pci/pcbios.c                            |  144 +-
 arch/x86/platform/efi/efi_32.c                   |   19 +
 arch/x86/platform/efi/efi_stub_32.S              |   64 +-
 arch/x86/platform/efi/efi_stub_64.S              |    8 +
 arch/x86/platform/mrst/mrst.c                    |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                 |    2 +-
 arch/x86/power/cpu.c                             |    4 +-
 arch/x86/realmode/init.c                         |    8 +-
 arch/x86/realmode/rm/Makefile                    |    3 +
 arch/x86/realmode/rm/header.S                    |    4 +-
 arch/x86/realmode/rm/trampoline_32.S             |   12 +-
 arch/x86/realmode/rm/trampoline_64.S             |    2 +-
 arch/x86/tools/relocs.c                          |   95 +-
 arch/x86/vdso/Makefile                           |    2 +-
 arch/x86/vdso/vdso32-setup.c                     |   23 +-
 arch/x86/vdso/vma.c                              |   29 +-
 arch/x86/xen/enlighten.c                         |   47 +-
 arch/x86/xen/mmu.c                               |    9 +
 arch/x86/xen/smp.c                               |   18 +-
 arch/x86/xen/xen-asm_32.S                        |   12 +-
 arch/x86/xen/xen-head.S                          |   11 +
 arch/x86/xen/xen-ops.h                           |    2 -
 block/blk-iopoll.c                               |    4 +-
 block/blk-map.c                                  |    2 +-
 block/blk-softirq.c                              |    4 +-
 block/bsg.c                                      |   12 +-
 block/compat_ioctl.c                             |    2 +-
 block/partitions/efi.c                           |    8 +-
 block/scsi_ioctl.c                               |   27 +-
 crypto/cryptd.c                                  |    4 +-
 drivers/acpi/apei/apei-internal.h                |    2 +-
 drivers/acpi/apei/cper.c                         |    8 +-
 drivers/acpi/bgrt.c                              |    6 +-
 drivers/acpi/blacklist.c                         |    4 +-
 drivers/acpi/ec_sys.c                            |   12 +-
 drivers/acpi/processor_idle.c                    |    2 +-
 drivers/acpi/sysfs.c                             |    4 +-
 drivers/ata/libahci.c                            |    2 +-
 drivers/ata/libata-core.c                        |    8 +-
 drivers/ata/pata_arasan_cf.c                     |    4 +-
 drivers/atm/adummy.c                             |    2 +-
 drivers/atm/ambassador.c                         |    8 +-
 drivers/atm/atmtcp.c                             |   14 +-
 drivers/atm/eni.c                                |   10 +-
 drivers/atm/firestream.c                         |    8 +-
 drivers/atm/fore200e.c                           |   14 +-
 drivers/atm/he.c                                 |   18 +-
 drivers/atm/horizon.c                            |    4 +-
 drivers/atm/idt77252.c                           |   36 +-
 drivers/atm/iphase.c                             |   34 +-
 drivers/atm/lanai.c                              |   12 +-
 drivers/atm/nicstar.c                            |   46 +-
 drivers/atm/solos-pci.c                          |    4 +-
 drivers/atm/suni.c                               |    4 +-
 drivers/atm/uPD98402.c                           |   16 +-
 drivers/atm/zatm.c                               |    6 +-
 drivers/base/bus.c                               |    4 +-
 drivers/base/devtmpfs.c                          |    2 +-
 drivers/base/node.c                              |    2 +-
 drivers/base/power/domain.c                      |    4 +-
 drivers/base/power/wakeup.c                      |    8 +-
 drivers/base/syscore.c                           |    4 +-
 drivers/block/cciss.c                            |   28 +-
 drivers/block/cciss.h                            |    2 +-
 drivers/block/cpqarray.c                         |   28 +-
 drivers/block/cpqarray.h                         |    2 +-
 drivers/block/drbd/drbd_int.h                    |    6 +-
 drivers/block/drbd/drbd_main.c                   |    8 +-
 drivers/block/drbd/drbd_receiver.c               |   22 +-
 drivers/block/loop.c                             |    2 +-
 drivers/block/pktcdvd.c                          |    2 +-
 drivers/cdrom/cdrom.c                            |    9 +-
 drivers/cdrom/gdrom.c                            |    1 -
 drivers/char/agp/frontend.c                      |    2 +-
 drivers/char/hpet.c                              |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c              |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                 |    8 +-
 drivers/char/mem.c                               |   41 +-
 drivers/char/nvram.c                             |    2 +-
 drivers/char/pcmcia/synclink_cs.c                |   18 +-
 drivers/char/random.c                            |   10 +-
 drivers/char/sonypi.c                            |    9 +-
 drivers/char/tpm/tpm_acpi.c                      |    3 +-
 drivers/char/tpm/tpm_eventlog.c                  |    7 +-
 drivers/char/virtio_console.c                    |    4 +-
 drivers/clocksource/arm_arch_timer.c             |    2 +-
 drivers/clocksource/metag_generic.c              |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                   |   20 +-
 drivers/cpufreq/cpufreq.c                        |    9 +-
 drivers/cpufreq/cpufreq_governor.c               |    4 +-
 drivers/cpufreq/cpufreq_governor.h               |    2 +-
 drivers/cpufreq/cpufreq_stats.c                  |    2 +-
 drivers/cpufreq/p4-clockmod.c                    |   12 +-
 drivers/cpufreq/speedstep-centrino.c             |    7 +-
 drivers/cpuidle/cpuidle.c                        |    2 +-
 drivers/cpuidle/governor.c                       |    4 +-
 drivers/cpuidle/sysfs.c                          |    2 +-
 drivers/devfreq/devfreq.c                        |    4 +-
 drivers/dma/sh/shdma.c                           |    2 +-
 drivers/edac/edac_mc_sysfs.c                     |   12 +-
 drivers/edac/edac_pci_sysfs.c                    |   22 +-
 drivers/edac/mce_amd.h                           |    2 +-
 drivers/firewire/core-card.c                     |    2 +-
 drivers/firewire/core-cdev.c                     |    3 +-
 drivers/firewire/core-device.c                   |    2 +-
 drivers/firewire/core-transaction.c              |    1 +
 drivers/firewire/core.h                          |    1 +
 drivers/firmware/dmi-id.c                        |    2 +-
 drivers/firmware/dmi_scan.c                      |    7 +-
 drivers/firmware/efivars.c                       |    4 +-
 drivers/firmware/google/memconsole.c             |    4 +-
 drivers/gpio/gpio-ich.c                          |    2 +-
 drivers/gpio/gpio-vr41xx.c                       |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                |    2 +-
 drivers/gpu/drm/drm_drv.c                        |    6 +-
 drivers/gpu/drm/drm_fops.c                       |   18 +-
 drivers/gpu/drm/drm_global.c                     |   14 +-
 drivers/gpu/drm/drm_info.c                       |   14 +-
 drivers/gpu/drm/drm_ioc32.c                      |   13 +-
 drivers/gpu/drm/drm_ioctl.c                      |    2 +-
 drivers/gpu/drm/drm_lock.c                       |    4 +-
 drivers/gpu/drm/drm_stub.c                       |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                  |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c              |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                  |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c       |    6 +-
 drivers/gpu/drm/i915/i915_ioc32.c                |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                  |   22 +-
 drivers/gpu/drm/i915/intel_display.c             |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                    |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                  |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                    |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c           |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c            |    4 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c          |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c            |    2 +-
 drivers/gpu/drm/r128/r128_cce.c                  |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                  |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                  |    4 +-
 drivers/gpu/drm/r128/r128_state.c                |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c           |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h              |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c            |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c              |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c            |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c              |   37 +-
 drivers/gpu/drm/radeon/rs690.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c             |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                     |    1 -
 drivers/gpu/drm/via/via_drv.h                    |    4 +-
 drivers/gpu/drm/via/via_irq.c                    |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h              |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c             |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c           |    2 +-
 drivers/hid/hid-core.c                           |    4 +-
 drivers/hv/channel.c                             |    4 +-
 drivers/hv/hv.c                                  |    2 +-
 drivers/hv/hyperv_vmbus.h                        |    2 +-
 drivers/hv/vmbus_drv.c                           |    4 +-
 drivers/hwmon/acpi_power_meter.c                 |    4 +-
 drivers/hwmon/applesmc.c                         |    2 +-
 drivers/hwmon/asus_atk0110.c                     |   10 +-
 drivers/hwmon/coretemp.c                         |    2 +-
 drivers/hwmon/ibmaem.c                           |    2 +-
 drivers/hwmon/sht15.c                            |   12 +-
 drivers/hwmon/via-cputemp.c                      |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c            |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c           |    2 +-
 drivers/ide/ide-cd.c                             |    2 +-
 drivers/iio/industrialio-core.c                  |    2 +-
 drivers/infiniband/core/cm.c                     |   32 +-
 drivers/infiniband/core/fmr_pool.c               |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c           |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c          |    6 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c          |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c           |    2 +-
 drivers/infiniband/hw/nes/nes.c                  |    4 +-
 drivers/infiniband/hw/nes/nes.h                  |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c               |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c              |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c              |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c            |   10 +-
 drivers/infiniband/hw/qib/qib.h                  |    1 +
 drivers/input/gameport/gameport.c                |    4 +-
 drivers/input/input.c                            |    4 +-
 drivers/input/joystick/sidewinder.c              |    1 +
 drivers/input/joystick/xpad.c                    |    4 +-
 drivers/input/mouse/psmouse.h                    |    2 +-
 drivers/input/mousedev.c                         |    2 +-
 drivers/input/serio/serio.c                      |    4 +-
 drivers/iommu/iommu.c                            |    2 +-
 drivers/iommu/irq_remapping.c                    |   10 +-
 drivers/irqchip/irq-gic.c                        |    4 +-
 drivers/isdn/capi/capi.c                         |   10 +-
 drivers/isdn/gigaset/interface.c                 |    8 +-
 drivers/isdn/hardware/avm/b1.c                   |    4 +-
 drivers/isdn/i4l/isdn_tty.c                      |   22 +-
 drivers/isdn/icn/icn.c                           |    2 +-
 drivers/leds/leds-clevo-mail.c                   |    2 +-
 drivers/leds/leds-ss4200.c                       |    2 +-
 drivers/lguest/core.c                            |   10 +-
 drivers/lguest/page_tables.c                     |    2 +-
 drivers/lguest/x86/core.c                        |   12 +-
 drivers/lguest/x86/switcher_32.S                 |   27 +-
 drivers/md/bitmap.c                              |    2 +-
 drivers/md/dm-ioctl.c                            |    2 +-
 drivers/md/dm-raid1.c                            |   16 +-
 drivers/md/dm-stripe.c                           |   10 +-
 drivers/md/dm-table.c                            |    2 +-
 drivers/md/dm-thin-metadata.c                    |    4 +-
 drivers/md/dm.c                                  |   16 +-
 drivers/md/md.c                                  |   26 +-
 drivers/md/md.h                                  |    6 +-
 drivers/md/persistent-data/dm-space-map.h        |    1 +
 drivers/md/raid1.c                               |    4 +-
 drivers/md/raid10.c                              |   16 +-
 drivers/md/raid5.c                               |   10 +-
 drivers/media/dvb-core/dvbdev.c                  |    2 +-
 drivers/media/dvb-frontends/dib3000.h            |    2 +-
 drivers/media/pci/cx88/cx88-video.c              |    6 +-
 drivers/media/platform/omap/omap_vout.c          |   11 +-
 drivers/media/platform/s5p-tv/mixer.h            |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c  |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c        |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c      |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c   |    2 +-
 drivers/media/radio/radio-cadet.c                |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c               |    2 +-
 drivers/media/v4l2-core/v4l2-ioctl.c             |    5 +-
 drivers/message/fusion/mptsas.c                  |   34 +-
 drivers/message/fusion/mptscsih.c                |   19 +-
 drivers/message/i2o/i2o_proc.c                   |   51 +-
 drivers/message/i2o/iop.c                        |    8 +-
 drivers/mfd/janz-cmodio.c                        |    1 +
 drivers/mfd/twl4030-irq.c                        |    9 +-
 drivers/mfd/twl6030-irq.c                        |   10 +-
 drivers/misc/c2port/core.c                       |    4 +-
 drivers/misc/kgdbts.c                            |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c               |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h               |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                 |    8 +-
 drivers/misc/sgi-gru/grutables.h                 |  154 +-
 drivers/misc/sgi-xp/xp.h                         |    2 +-
 drivers/misc/sgi-xp/xpc.h                        |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                   |    4 +-
 drivers/mmc/core/mmc_ops.c                       |    2 +-
 drivers/mmc/host/dw_mmc.h                        |    2 +-
 drivers/mmc/host/sdhci-s3c.c                     |    8 +-
 drivers/mtd/devices/doc2000.c                    |    2 +-
 drivers/mtd/nand/denali.c                        |    1 +
 drivers/mtd/nftlmount.c                          |    1 +
 drivers/mtd/sm_ftl.c                             |    2 +-
 drivers/net/bonding/bond_main.c                  |    2 +-
 drivers/net/ethernet/8390/ax88796.c              |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h  |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c   |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h   |    3 +-
 drivers/net/ethernet/broadcom/tg3.h              |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h         |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c           |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c      |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c         |    2 +
 drivers/net/ethernet/faraday/ftmac100.c          |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c     |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c |    7 +-
 drivers/net/ethernet/realtek/r8169.c             |    8 +-
 drivers/net/ethernet/sfc/ptp.c                   |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c   |    4 +-
 drivers/net/hyperv/hyperv_net.h                  |    2 +-
 drivers/net/hyperv/rndis_filter.c                |    4 +-
 drivers/net/ieee802154/fakehard.c                |    2 +-
 drivers/net/macvlan.c                            |   18 +-
 drivers/net/macvtap.c                            |    2 +-
 drivers/net/ppp/ppp_generic.c                    |    4 +-
 drivers/net/slip/slhc.c                          |    2 +-
 drivers/net/team/team.c                          |    2 +-
 drivers/net/tun.c                                |    5 +-
 drivers/net/usb/hso.c                            |   23 +-
 drivers/net/vxlan.c                              |    2 +-
 drivers/net/wireless/at76c50x-usb.c              |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c      |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c      |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h              |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c         |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c       |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c        |    4 +-
 drivers/net/wireless/mac80211_hwsim.c            |   32 +-
 drivers/net/wireless/rndis_wlan.c                |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h             |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c        |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c            |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c            |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c            |    6 +-
 drivers/oprofile/buffer_sync.c                   |    8 +-
 drivers/oprofile/event_buffer.c                  |    2 +-
 drivers/oprofile/oprof.c                         |    2 +-
 drivers/oprofile/oprofile_files.c                |    2 +-
 drivers/oprofile/oprofile_stats.c                |   10 +-
 drivers/oprofile/oprofile_stats.h                |   10 +-
 drivers/oprofile/oprofilefs.c                    |    2 +-
 drivers/oprofile/timer_int.c                     |    2 +-
 drivers/parport/procfs.c                         |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c             |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c              |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c               |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c           |    6 +-
 drivers/pci/hotplug/pciehp_core.c                |    2 +-
 drivers/pci/pci-sysfs.c                          |    6 +-
 drivers/pci/pci.h                                |    2 +-
 drivers/pci/pcie/aspm.c                          |    6 +-
 drivers/pci/probe.c                              |    2 +-
 drivers/platform/x86/msi-laptop.c                |   14 +-
 drivers/platform/x86/sony-laptop.c               |    2 +-
 drivers/platform/x86/thinkpad_acpi.c             |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                  |   14 +-
 drivers/pnp/resource.c                           |    4 +-
 drivers/power/pda_power.c                        |    7 +-
 drivers/power/power_supply.h                     |    4 +-
 drivers/power/power_supply_core.c                |    7 +-
 drivers/power/power_supply_sysfs.c               |    6 +-
 drivers/regulator/max8660.c                      |    6 +-
 drivers/regulator/max8973-regulator.c            |    8 +-
 drivers/regulator/mc13892-regulator.c            |    6 +-
 drivers/rtc/rtc-cmos.c                           |    4 +-
 drivers/rtc/rtc-ds1307.c                         |    2 +-
 drivers/rtc/rtc-m48t59.c                         |    4 +-
 drivers/scsi/bfa/bfa_fcpim.h                     |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                       |    4 +-
 drivers/scsi/hosts.c                             |    4 +-
 drivers/scsi/hpsa.c                              |   30 +-
 drivers/scsi/hpsa.h                              |    2 +-
 drivers/scsi/libfc/fc_exch.c                     |   50 +-
 drivers/scsi/libsas/sas_ata.c                    |    2 +-
 drivers/scsi/lpfc/lpfc.h                         |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                 |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                    |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                    |   16 +-
 drivers/scsi/pmcraid.c                           |   20 +-
 drivers/scsi/pmcraid.h                           |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                  |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                   |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                    |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                   |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                    |    6 +-
 drivers/scsi/scsi.c                              |    2 +-
 drivers/scsi/scsi_lib.c                          |    6 +-
 drivers/scsi/scsi_sysfs.c                        |    2 +-
 drivers/scsi/scsi_tgt_lib.c                      |    2 +-
 drivers/scsi/scsi_transport_fc.c                 |    8 +-
 drivers/scsi/scsi_transport_iscsi.c              |    6 +-
 drivers/scsi/scsi_transport_srp.c                |    6 +-
 drivers/scsi/sd.c                                |    2 +-
 drivers/scsi/sg.c                                |    2 +-
 drivers/spi/spi.c                                |    2 +-
 drivers/staging/iio/iio_hwmon.c                  |    2 +-
 drivers/staging/octeon/ethernet-rx.c             |   12 +-
 drivers/staging/octeon/ethernet.c                |    8 +-
 drivers/staging/rtl8712/rtl871x_io.h             |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c               |    2 +-
 drivers/staging/usbip/vhci.h                     |    2 +-
 drivers/staging/usbip/vhci_hcd.c                 |    6 +-
 drivers/staging/usbip/vhci_rx.c                  |    2 +-
 drivers/staging/vt6655/hostap.c                  |    7 +-
 drivers/staging/vt6656/hostap.c                  |    7 +-
 drivers/staging/zcache/tmem.c                    |    4 +-
 drivers/staging/zcache/tmem.h                    |    2 +
 drivers/target/target_core_device.c              |    2 +-
 drivers/target/target_core_transport.c           |    2 +-
 drivers/tty/cyclades.c                           |    6 +-
 drivers/tty/hvc/hvc_console.c                    |   14 +-
 drivers/tty/hvc/hvcs.c                           |   21 +-
 drivers/tty/ipwireless/tty.c                     |   27 +-
 drivers/tty/moxa.c                               |    2 +-
 drivers/tty/n_gsm.c                              |    4 +-
 drivers/tty/n_tty.c                              |    3 +-
 drivers/tty/pty.c                                |    4 +-
 drivers/tty/rocket.c                             |    6 +-
 drivers/tty/serial/kgdboc.c                      |   32 +-
 drivers/tty/serial/samsung.c                     |    9 +-
 drivers/tty/serial/serial_core.c                 |    8 +-
 drivers/tty/synclink.c                           |   34 +-
 drivers/tty/synclink_gt.c                        |   28 +-
 drivers/tty/synclinkmp.c                         |   34 +-
 drivers/tty/tty_io.c                             |    2 +-
 drivers/tty/tty_ldisc.c                          |   10 +-
 drivers/tty/tty_port.c                           |   22 +-
 drivers/uio/uio.c                                |   21 +-
 drivers/usb/atm/cxacru.c                         |    2 +-
 drivers/usb/atm/usbatm.c                         |   24 +-
 drivers/usb/core/devices.c                       |    6 +-
 drivers/usb/core/hcd.c                           |    4 +-
 drivers/usb/core/message.c                       |    2 +-
 drivers/usb/core/sysfs.c                         |    2 +-
 drivers/usb/core/usb.c                           |    2 +-
 drivers/usb/early/ehci-dbgp.c                    |   16 +-
 drivers/usb/gadget/u_serial.c                    |   22 +-
 drivers/usb/serial/console.c                     |    6 +-
 drivers/usb/storage/usb.h                        |    2 +-
 drivers/usb/wusbcore/wa-hc.h                     |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                   |    2 +-
 drivers/video/aty/aty128fb.c                     |    2 +-
 drivers/video/aty/atyfb_base.c                   |    8 +-
 drivers/video/aty/mach64_cursor.c                |    5 +-
 drivers/video/backlight/kb3886_bl.c              |    2 +-
 drivers/video/fb_defio.c                         |    6 +-
 drivers/video/fbcmap.c                           |    3 +-
 drivers/video/fbmem.c                            |    6 +-
 drivers/video/i810/i810_accel.c                  |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c          |   16 +-
 drivers/video/nvidia/nvidia.c                    |   27 +-
 drivers/video/s1d13xxxfb.c                       |    6 +-
 drivers/video/smscufx.c                          |    4 +-
 drivers/video/udlfb.c                            |   36 +-
 drivers/video/uvesafb.c                          |   53 +-
 drivers/video/vesafb.c                           |   58 +-
 drivers/video/via/via_clock.h                    |    2 +-
 fs/9p/vfs_inode.c                                |    2 +-
 fs/Kconfig.binfmt                                |    2 +-
 fs/aio.c                                         |   11 +-
 fs/autofs4/waitq.c                               |    2 +-
 fs/befs/endian.h                                 |    4 +-
 fs/befs/linuxvfs.c                               |    2 +-
 fs/binfmt_aout.c                                 |   23 +-
 fs/binfmt_elf.c                                  |  605 +++-
 fs/binfmt_flat.c                                 |    6 +
 fs/bio.c                                         |    6 +-
 fs/block_dev.c                                   |    2 +-
 fs/btrfs/ctree.c                                 |    9 +-
 fs/btrfs/super.c                                 |    2 +-
 fs/cachefiles/bind.c                             |    6 +-
 fs/cachefiles/daemon.c                           |    8 +-
 fs/cachefiles/internal.h                         |   12 +-
 fs/cachefiles/namei.c                            |    2 +-
 fs/cachefiles/proc.c                             |   12 +-
 fs/cachefiles/rdwr.c                             |    2 +-
 fs/ceph/dir.c                                    |    2 +-
 fs/cifs/cifs_debug.c                             |   12 +-
 fs/cifs/cifsfs.c                                 |    8 +-
 fs/cifs/cifsglob.h                               |   54 +-
 fs/cifs/link.c                                   |    2 +-
 fs/cifs/misc.c                                   |    4 +-
 fs/cifs/smb1ops.c                                |   80 +-
 fs/cifs/smb2ops.c                                |   84 +-
 fs/cifs/smb2pdu.c                                |    3 +-
 fs/coda/cache.c                                  |   10 +-
 fs/compat.c                                      |    6 +-
 fs/compat_binfmt_elf.c                           |    2 +
 fs/compat_ioctl.c                                |    8 +-
 fs/configfs/dir.c                                |   10 +-
 fs/coredump.c                                    |   24 +-
 fs/dcache.c                                      |    2 +-
 fs/ecryptfs/inode.c                              |    4 +-
 fs/ecryptfs/miscdev.c                            |    2 +-
 fs/ecryptfs/read_write.c                         |    2 +-
 fs/exec.c                                        |  362 ++-
 fs/ext4/ext4.h                                   |   20 +-
 fs/ext4/mballoc.c                                |   44 +-
 fs/ext4/super.c                                  |    2 +-
 fs/fhandle.c                                     |    3 +-
 fs/fifo.c                                        |   22 +-
 fs/fs_struct.c                                   |    8 +-
 fs/fscache/cookie.c                              |   36 +-
 fs/fscache/internal.h                            |  196 +-
 fs/fscache/object.c                              |   28 +-
 fs/fscache/operation.c                           |   30 +-
 fs/fscache/page.c                                |  110 +-
 fs/fscache/stats.c                               |  344 +-
 fs/fuse/cuse.c                                   |   10 +-
 fs/fuse/dev.c                                    |    2 +-
 fs/fuse/dir.c                                    |    2 +-
 fs/gfs2/inode.c                                  |    2 +-
 fs/hugetlbfs/inode.c                             |   13 +-
 fs/inode.c                                       |    4 +-
 fs/jffs2/erase.c                                 |    3 +-
 fs/jffs2/wbuf.c                                  |    3 +-
 fs/jfs/super.c                                   |    6 +-
 fs/libfs.c                                       |   10 +-
 fs/lockd/clntproc.c                              |    4 +-
 fs/locks.c                                       |    8 +-
 fs/namei.c                                       |   15 +-
 fs/namespace.c                                   |    2 +-
 fs/nfs/callback_xdr.c                            |    2 +-
 fs/nfs/inode.c                                   |    6 +-
 fs/nfsd/nfs4proc.c                               |    2 +-
 fs/nfsd/nfs4xdr.c                                |    6 +-
 fs/nfsd/nfscache.c                               |    8 +-
 fs/nfsd/vfs.c                                    |    6 +-
 fs/nls/nls_base.c                                |   18 +-
 fs/nls/nls_euc-jp.c                              |    6 +-
 fs/nls/nls_koi8-ru.c                             |    6 +-
 fs/notify/fanotify/fanotify_user.c               |    4 +-
 fs/notify/notification.c                         |    4 +-
 fs/ntfs/dir.c                                    |    2 +-
 fs/ntfs/file.c                                   |    4 +-
 fs/ocfs2/localalloc.c                            |    2 +-
 fs/ocfs2/ocfs2.h                                 |   10 +-
 fs/ocfs2/suballoc.c                              |   12 +-
 fs/ocfs2/super.c                                 |   20 +-
 fs/pipe.c                                        |   33 +-
 fs/proc/array.c                                  |   20 +
 fs/proc/base.c                                   |    4 +-
 fs/proc/kcore.c                                  |   32 +-
 fs/proc/meminfo.c                                |    2 +-
 fs/proc/nommu.c                                  |    2 +-
 fs/proc/proc_sysctl.c                            |   18 +-
 fs/proc/self.c                                   |    2 +-
 fs/proc/task_mmu.c                               |   39 +-
 fs/proc/task_nommu.c                             |    4 +-
 fs/qnx6/qnx6.h                                   |    4 +-
 fs/quota/netlink.c                               |    4 +-
 fs/readdir.c                                     |    2 +-
 fs/reiserfs/do_balan.c                           |    2 +-
 fs/reiserfs/procfs.c                             |    2 +-
 fs/reiserfs/reiserfs.h                           |    4 +-
 fs/seq_file.c                                    |    2 +-
 fs/splice.c                                      |   36 +-
 fs/sysfs/bin.c                                   |    6 +-
 fs/sysfs/dir.c                                   |    2 +-
 fs/sysfs/file.c                                  |   10 +-
 fs/sysfs/symlink.c                               |    2 +-
 fs/sysv/sysv.h                                   |    2 +-
 fs/ubifs/io.c                                    |    2 +-
 fs/udf/misc.c                                    |    2 +-
 fs/ufs/swab.h                                    |    4 +-
 fs/xattr.c                                       |   21 +
 fs/xattr_acl.c                                   |    4 +-
 fs/xfs/xfs_bmap.c                                |    2 +-
 fs/xfs/xfs_dir2_sf.c                             |   10 +-
 fs/xfs/xfs_ioctl.c                               |    2 +-
 fs/xfs/xfs_iops.c                                |    2 +-
 include/asm-generic/4level-fixup.h               |    2 +
 include/asm-generic/atomic-long.h                |  210 +
 include/asm-generic/atomic.h                     |    2 +-
 include/asm-generic/atomic64.h                   |   12 +
 include/asm-generic/cache.h                      |    4 +-
 include/asm-generic/emergency-restart.h          |    2 +-
 include/asm-generic/kmap_types.h                 |    4 +-
 include/asm-generic/local.h                      |   13 +
 include/asm-generic/pgtable-nopmd.h              |   18 +-
 include/asm-generic/pgtable-nopud.h              |   15 +-
 include/asm-generic/pgtable.h                    |    8 +
 include/asm-generic/vmlinux.lds.h                |   10 +-
 include/crypto/algapi.h                          |    2 +-
 include/drm/drmP.h                               |   17 +-
 include/drm/drm_crtc_helper.h                    |    2 +-
 include/drm/ttm/ttm_memory.h                     |    2 +-
 include/keys/asymmetric-subtype.h                |    2 +-
 include/linux/atmdev.h                           |    4 +-
 include/linux/binfmts.h                          |    3 +-
 include/linux/blkdev.h                           |    2 +-
 include/linux/blktrace_api.h                     |    2 +-
 include/linux/cache.h                            |    4 +
 include/linux/cdrom.h                            |    1 -
 include/linux/cleancache.h                       |    2 +-
 include/linux/compat.h                           |    6 +-
 include/linux/compiler-gcc4.h                    |   20 +
 include/linux/compiler.h                         |   65 +-
 include/linux/completion.h                       |    6 +-
 include/linux/configfs.h                         |    2 +-
 include/linux/cpu.h                              |    2 +-
 include/linux/cpufreq.h                          |    3 +-
 include/linux/cpuidle.h                          |    5 +-
 include/linux/cpumask.h                          |   12 +-
 include/linux/crypto.h                           |    6 +-
 include/linux/ctype.h                            |    2 +-
 include/linux/decompress/mm.h                    |    2 +-
 include/linux/devfreq.h                          |    2 +-
 include/linux/device.h                           |    7 +-
 include/linux/dma-mapping.h                      |    2 +-
 include/linux/dmaengine.h                        |    4 +-
 include/linux/efi.h                              |    1 +
 include/linux/elf.h                              |    2 +
 include/linux/err.h                              |    4 +-
 include/linux/extcon.h                           |    2 +-
 include/linux/fb.h                               |    2 +-
 include/linux/filter.h                           |    4 +
 include/linux/frontswap.h                        |    2 +-
 include/linux/fs.h                               |    3 +-
 include/linux/fs_struct.h                        |    2 +-
 include/linux/fscache-cache.h                    |    4 +-
 include/linux/fscache.h                          |    2 +-
 include/linux/fsnotify.h                         |    2 +-
 include/linux/ftrace_event.h                     |    2 +-
 include/linux/genhd.h                            |    2 +-
 include/linux/genl_magic_func.h                  |    2 +-
 include/linux/gfp.h                              |   12 +-
 include/linux/highmem.h                          |   12 +
 include/linux/hwmon-sysfs.h                      |    5 +-
 include/linux/i2c.h                              |    1 +
 include/linux/i2o.h                              |    2 +-
 include/linux/if_pppox.h                         |    2 +-
 include/linux/init.h                             |   33 +-
 include/linux/init_task.h                        |    7 +
 include/linux/interrupt.h                        |    8 +-
 include/linux/iommu.h                            |    2 +-
 include/linux/ioport.h                           |    2 +-
 include/linux/irq.h                              |    3 +-
 include/linux/irqchip/arm-gic.h                  |    2 +-
 include/linux/key-type.h                         |    2 +-
 include/linux/kgdb.h                             |    6 +-
 include/linux/kobject.h                          |    3 +-
 include/linux/kobject_ns.h                       |    2 +-
 include/linux/kref.h                             |    2 +-
 include/linux/kvm_host.h                         |    4 +-
 include/linux/libata.h                           |    2 +-
 include/linux/list.h                             |   15 +
 include/linux/math64.h                           |    6 +-
 include/linux/mm.h                               |  110 +-
 include/linux/mm_types.h                         |   20 +
 include/linux/mmiotrace.h                        |    4 +-
 include/linux/mmzone.h                           |    2 +-
 include/linux/mod_devicetable.h                  |    6 +-
 include/linux/module.h                           |   60 +-
 include/linux/moduleloader.h                     |   16 +
 include/linux/moduleparam.h                      |    4 +-
 include/linux/namei.h                            |    6 +-
 include/linux/net.h                              |    2 +-
 include/linux/netdevice.h                        |    3 +-
 include/linux/netfilter.h                        |    2 +-
 include/linux/netfilter/ipset/ip_set.h           |    2 +-
 include/linux/netfilter/nfnetlink.h              |    2 +-
 include/linux/nls.h                              |    2 +-
 include/linux/notifier.h                         |    3 +-
 include/linux/oprofile.h                         |    4 +-
 include/linux/pci_hotplug.h                      |    3 +-
 include/linux/perf_event.h                       |   12 +-
 include/linux/pipe_fs_i.h                        |    6 +-
 include/linux/platform_data/usb-ehci-s5p.h       |    2 +-
 include/linux/platform_data/usb-exynos.h         |    2 +-
 include/linux/pm_domain.h                        |    2 +-
 include/linux/pm_runtime.h                       |    2 +-
 include/linux/pnp.h                              |    2 +-
 include/linux/poison.h                           |    4 +-
 include/linux/power/smartreflex.h                |    2 +-
 include/linux/ppp-comp.h                         |    2 +-
 include/linux/proc_fs.h                          |    2 +-
 include/linux/random.h                           |    5 +
 include/linux/rculist.h                          |   16 +
 include/linux/reboot.h                           |   14 +-
 include/linux/regset.h                           |    3 +-
 include/linux/relay.h                            |    2 +-
 include/linux/rio.h                              |    2 +-
 include/linux/rmap.h                             |    4 +-
 include/linux/sched.h                            |   67 +-
 include/linux/sched/sysctl.h                     |    1 +
 include/linux/seq_file.h                         |    1 +
 include/linux/skbuff.h                           |   12 +-
 include/linux/slab.h                             |   36 +-
 include/linux/slab_def.h                         |   33 +-
 include/linux/slob_def.h                         |    4 +-
 include/linux/slub_def.h                         |   10 +-
 include/linux/sock_diag.h                        |    2 +-
 include/linux/sonet.h                            |    2 +-
 include/linux/sunrpc/addr.h                      |    8 +-
 include/linux/sunrpc/clnt.h                      |    2 +-
 include/linux/sunrpc/svc.h                       |    2 +-
 include/linux/sunrpc/svc_rdma.h                  |   18 +-
 include/linux/sunrpc/svcauth.h                   |    2 +-
 include/linux/swiotlb.h                          |    3 +-
 include/linux/syscalls.h                         |    2 +-
 include/linux/syscore_ops.h                      |    2 +-
 include/linux/sysctl.h                           |    6 +-
 include/linux/sysfs.h                            |   10 +-
 include/linux/sysrq.h                            |    3 +-
 include/linux/thread_info.h                      |    7 +
 include/linux/tty.h                              |    4 +-
 include/linux/tty_driver.h                       |    2 +-
 include/linux/tty_ldisc.h                        |    2 +-
 include/linux/types.h                            |   16 +
 include/linux/uaccess.h                          |    6 +-
 include/linux/unaligned/access_ok.h              |   24 +-
 include/linux/usb.h                              |    4 +-
 include/linux/usb/renesas_usbhs.h                |    2 +-
 include/linux/vermagic.h                         |   21 +-
 include/linux/vmalloc.h                          |   11 +-
 include/linux/vmstat.h                           |   20 +-
 include/linux/xattr.h                            |    5 +-
 include/linux/zlib.h                             |    3 +-
 include/media/v4l2-dev.h                         |    2 +-
 include/media/v4l2-ioctl.h                       |    1 -
 include/net/9p/transport.h                       |    2 +-
 include/net/bluetooth/l2cap.h                    |    2 +-
 include/net/caif/cfctrl.h                        |    6 +-
 include/net/flow.h                               |    2 +-
 include/net/genetlink.h                          |    2 +-
 include/net/gro_cells.h                          |    2 +-
 include/net/inet_connection_sock.h               |    2 +-
 include/net/inetpeer.h                           |    8 +-
 include/net/ip.h                                 |    2 +-
 include/net/ip_fib.h                             |    2 +-
 include/net/ip_vs.h                              |    8 +-
 include/net/irda/ircomm_tty.h                    |    1 +
 include/net/iucv/af_iucv.h                       |    2 +-
 include/net/llc_c_ac.h                           |    2 +-
 include/net/llc_c_ev.h                           |    4 +-
 include/net/llc_c_st.h                           |    2 +-
 include/net/llc_s_ac.h                           |    2 +-
 include/net/llc_s_st.h                           |    2 +-
 include/net/mac80211.h                           |    2 +-
 include/net/neighbour.h                          |    2 +-
 include/net/net_namespace.h                      |   12 +-
 include/net/netdma.h                             |    2 +-
 include/net/netlink.h                            |    2 +-
 include/net/netns/conntrack.h                    |    6 +-
 include/net/netns/ipv4.h                         |    2 +-
 include/net/protocol.h                           |    4 +-
 include/net/rtnetlink.h                          |    2 +-
 include/net/sctp/sctp.h                          |    6 +-
 include/net/sctp/sm.h                            |    4 +-
 include/net/sctp/structs.h                       |    2 +-
 include/net/sock.h                               |    6 +-
 include/net/tcp.h                                |    8 +-
 include/net/xfrm.h                               |    8 +-
 include/rdma/iw_cm.h                             |    2 +-
 include/scsi/libfc.h                             |    3 +-
 include/scsi/scsi_device.h                       |    6 +-
 include/scsi/scsi_transport_fc.h                 |    3 +-
 include/sound/soc.h                              |    4 +-
 include/target/target_core_base.h                |    2 +-
 include/trace/events/irq.h                       |    4 +-
 include/uapi/linux/a.out.h                       |    8 +
 include/uapi/linux/byteorder/little_endian.h     |   28 +-
 include/uapi/linux/elf.h                         |   28 +
 include/uapi/linux/screen_info.h                 |    3 +-
 include/uapi/linux/swab.h                        |    6 +-
 include/uapi/linux/sysctl.h                      |    6 +-
 include/uapi/linux/xattr.h                       |    4 +
 include/video/udlfb.h                            |    8 +-
 include/video/uvesafb.h                          |    1 +
 init/Kconfig                                     |    2 +-
 init/Makefile                                    |    3 +
 init/do_mounts.c                                 |   14 +-
 init/do_mounts.h                                 |    8 +-
 init/do_mounts_initrd.c                          |   22 +-
 init/do_mounts_md.c                              |    6 +-
 init/init_task.c                                 |    4 +
 init/initramfs.c                                 |   40 +-
 init/main.c                                      |   77 +-
 ipc/ipc_sysctl.c                                 |   10 +-
 ipc/mq_sysctl.c                                  |    2 +-
 ipc/msg.c                                        |   11 +-
 ipc/sem.c                                        |   11 +-
 ipc/shm.c                                        |   17 +-
 kernel/acct.c                                    |    2 +-
 kernel/audit.c                                   |    8 +-
 kernel/auditsc.c                                 |    4 +-
 kernel/capability.c                              |    3 +
 kernel/compat.c                                  |   40 +-
 kernel/debug/debug_core.c                        |   16 +-
 kernel/debug/kdb/kdb_main.c                      |    4 +-
 kernel/events/core.c                             |   28 +-
 kernel/exit.c                                    |    4 +-
 kernel/fork.c                                    |  167 +-
 kernel/futex.c                                   |    9 +
 kernel/futex_compat.c                            |    2 +-
 kernel/gcov/base.c                               |    7 +-
 kernel/hrtimer.c                                 |    4 +-
 kernel/irq_work.c                                |    7 +-
 kernel/jump_label.c                              |    5 +
 kernel/kallsyms.c                                |   39 +-
 kernel/kexec.c                                   |    3 +-
 kernel/kmod.c                                    |    4 +-
 kernel/kprobes.c                                 |    8 +-
 kernel/ksysfs.c                                  |    2 +-
 kernel/lockdep.c                                 |    7 +-
 kernel/module.c                                  |  337 +-
 kernel/mutex-debug.c                             |   12 +-
 kernel/mutex-debug.h                             |    4 +-
 kernel/mutex.c                                   |    7 +-
 kernel/notifier.c                                |   17 +-
 kernel/panic.c                                   |    3 +-
 kernel/pid.c                                     |    2 +-
 kernel/pid_namespace.c                           |    2 +-
 kernel/posix-cpu-timers.c                        |    4 +-
 kernel/posix-timers.c                            |   20 +-
 kernel/power/process.c                           |   12 +-
 kernel/profile.c                                 |   14 +-
 kernel/ptrace.c                                  |    8 +-
 kernel/rcupdate.c                                |    4 +-
 kernel/rcutiny.c                                 |    4 +-
 kernel/rcutiny_plugin.h                          |    2 +-
 kernel/rcutorture.c                              |   56 +-
 kernel/rcutree.c                                 |   68 +-
 kernel/rcutree.h                                 |   24 +-
 kernel/rcutree_plugin.h                          |   20 +-
 kernel/rcutree_trace.c                           |   22 +-
 kernel/rtmutex-tester.c                          |   24 +-
 kernel/sched/auto_group.c                        |    4 +-
 kernel/sched/core.c                              |   51 +-
 kernel/sched/fair.c                              |    4 +-
 kernel/signal.c                                  |   12 +-
 kernel/smp.c                                     |    2 +-
 kernel/smpboot.c                                 |    4 +-
 kernel/softirq.c                                 |   18 +-
 kernel/srcu.c                                    |    4 +-
 kernel/sys.c                                     |   10 +-
 kernel/sysctl.c                                  |   39 +-
 kernel/time.c                                    |    2 +-
 kernel/time/alarmtimer.c                         |    2 +-
 kernel/time/tick-broadcast.c                     |    2 +-
 kernel/time/timer_stats.c                        |   10 +-
 kernel/timer.c                                   |    6 +-
 kernel/trace/blktrace.c                          |    6 +-
 kernel/trace/ftrace.c                            |   20 +-
 kernel/trace/ring_buffer.c                       |   76 +-
 kernel/trace/trace.c                             |    8 +-
 kernel/trace/trace.h                             |    2 +-
 kernel/trace/trace_events.c                      |   25 +-
 kernel/trace/trace_mmiotrace.c                   |    8 +-
 kernel/trace/trace_output.c                      |   12 +-
 kernel/trace/trace_stack.c                       |    2 +-
 kernel/user_namespace.c                          |    2 +-
 kernel/utsname_sysctl.c                          |    2 +-
 kernel/watchdog.c                                |    2 +-
 lib/Kconfig.debug                                |    6 +-
 lib/Makefile                                     |    2 +-
 lib/bitmap.c                                     |    8 +-
 lib/bug.c                                        |    2 +
 lib/debugobjects.c                               |    2 +-
 lib/devres.c                                     |    4 +-
 lib/div64.c                                      |    4 +-
 lib/dma-debug.c                                  |    4 +-
 lib/inflate.c                                    |    2 +-
 lib/ioremap.c                                    |    4 +-
 lib/kobject.c                                    |    4 +-
 lib/list_debug.c                                 |  126 +-
 lib/radix-tree.c                                 |    2 +-
 lib/strncpy_from_user.c                          |    2 +-
 lib/strnlen_user.c                               |    2 +-
 lib/swiotlb.c                                    |    2 +-
 lib/vsprintf.c                                   |   12 +-
 mm/Kconfig                                       |    6 +-
 mm/filemap.c                                     |    2 +-
 mm/fremap.c                                      |    5 +
 mm/highmem.c                                     |    7 +-
 mm/hugetlb.c                                     |   70 +-
 mm/internal.h                                    |    1 +
 mm/maccess.c                                     |    4 +-
 mm/madvise.c                                     |   41 +
 mm/memory-failure.c                              |   26 +-
 mm/memory.c                                      |  424 ++-
 mm/mempolicy.c                                   |   26 +
 mm/mlock.c                                       |   16 +-
 mm/mmap.c                                        |  576 ++-
 mm/mprotect.c                                    |  139 +-
 mm/mremap.c                                      |   44 +-
 mm/nommu.c                                       |   21 +-
 mm/page-writeback.c                              |    4 +-
 mm/page_alloc.c                                  |   41 +-
 mm/percpu.c                                      |    2 +-
 mm/process_vm_access.c                           |   14 +-
 mm/rmap.c                                        |   38 +-
 mm/shmem.c                                       |   19 +-
 mm/slab.c                                        |  105 +-
 mm/slab.h                                        |    5 +-
 mm/slab_common.c                                 |   11 +-
 mm/slob.c                                        |  201 +-
 mm/slub.c                                        |   99 +-
 mm/sparse-vmemmap.c                              |    4 +-
 mm/sparse.c                                      |    2 +-
 mm/swap.c                                        |    3 +
 mm/swapfile.c                                    |   12 +-
 mm/util.c                                        |    6 +
 mm/vmalloc.c                                     |   82 +-
 mm/vmstat.c                                      |   12 +-
 net/8021q/vlan.c                                 |    5 +-
 net/9p/mod.c                                     |    4 +-
 net/9p/trans_fd.c                                |    2 +-
 net/atm/atm_misc.c                               |    8 +-
 net/atm/lec.h                                    |    2 +-
 net/atm/proc.c                                   |    6 +-
 net/atm/resources.c                              |    4 +-
 net/ax25/sysctl_net_ax25.c                       |    2 +-
 net/batman-adv/bat_iv_ogm.c                      |    8 +-
 net/batman-adv/hard-interface.c                  |    4 +-
 net/batman-adv/soft-interface.c                  |    4 +-
 net/batman-adv/types.h                           |    6 +-
 net/batman-adv/unicast.c                         |    2 +-
 net/bluetooth/hci_sock.c                         |    2 +-
 net/bluetooth/l2cap_core.c                       |    6 +-
 net/bluetooth/l2cap_sock.c                       |   12 +-
 net/bluetooth/rfcomm/sock.c                      |    4 +-
 net/bluetooth/rfcomm/tty.c                       |   10 +-
 net/bridge/netfilter/ebtables.c                  |    6 +-
 net/caif/cfctrl.c                                |   11 +-
 net/can/af_can.c                                 |    2 +-
 net/can/gw.c                                     |    6 +-
 net/compat.c                                     |   34 +-
 net/core/datagram.c                              |    2 +-
 net/core/dev.c                                   |   16 +-
 net/core/flow.c                                  |    8 +-
 net/core/iovec.c                                 |    4 +-
 net/core/neighbour.c                             |    2 +-
 net/core/net-sysfs.c                             |    2 +-
 net/core/net_namespace.c                         |    8 +-
 net/core/rtnetlink.c                             |   13 +-
 net/core/scm.c                                   |    8 +-
 net/core/sock.c                                  |   24 +-
 net/core/sock_diag.c                             |    9 +-
 net/core/sysctl_net_core.c                       |   18 +-
 net/decnet/af_decnet.c                           |    1 +
 net/decnet/sysctl_net_decnet.c                   |    4 +-
 net/ipv4/af_inet.c                               |    8 +-
 net/ipv4/ah4.c                                   |    2 +-
 net/ipv4/devinet.c                               |   14 +-
 net/ipv4/esp4.c                                  |    2 +-
 net/ipv4/fib_frontend.c                          |    6 +-
 net/ipv4/fib_semantics.c                         |    2 +-
 net/ipv4/inet_connection_sock.c                  |    2 +-
 net/ipv4/inetpeer.c                              |    4 +-
 net/ipv4/ip_fragment.c                           |   15 +-
 net/ipv4/ip_gre.c                                |    6 +-
 net/ipv4/ip_sockglue.c                           |    2 +-
 net/ipv4/ip_vti.c                                |    4 +-
 net/ipv4/ipcomp.c                                |    2 +-
 net/ipv4/ipconfig.c                              |    6 +-
 net/ipv4/ipip.c                                  |    4 +-
 net/ipv4/netfilter/arp_tables.c                  |   12 +-
 net/ipv4/netfilter/ip_tables.c                   |   12 +-
 net/ipv4/ping.c                                  |    2 +-
 net/ipv4/raw.c                                   |   14 +-
 net/ipv4/route.c                                 |   18 +-
 net/ipv4/sysctl_net_ipv4.c                       |   45 +-
 net/ipv4/tcp_input.c                             |    2 +-
 net/ipv4/tcp_probe.c                             |    2 +-
 net/ipv4/udp.c                                   |   10 +-
 net/ipv4/xfrm4_policy.c                          |   14 +-
 net/ipv6/addrconf.c                              |    6 +-
 net/ipv6/icmp.c                                  |    2 +-
 net/ipv6/ip6_gre.c                               |    8 +-
 net/ipv6/ip6_tunnel.c                            |    4 +-
 net/ipv6/ipv6_sockglue.c                         |    2 +-
 net/ipv6/netfilter/ip6_tables.c                  |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c          |   14 +-
 net/ipv6/raw.c                                   |   19 +-
 net/ipv6/reassembly.c                            |   13 +-
 net/ipv6/route.c                                 |    2 +-
 net/ipv6/sit.c                                   |    4 +-
 net/ipv6/sysctl_net_ipv6.c                       |    2 +-
 net/ipv6/udp.c                                   |    8 +-
 net/ipv6/xfrm6_policy.c                          |   13 +-
 net/irda/ircomm/ircomm_tty.c                     |   18 +-
 net/iucv/af_iucv.c                               |    4 +-
 net/iucv/iucv.c                                  |    2 +-
 net/key/af_key.c                                 |    4 +-
 net/mac80211/cfg.c                               |    8 +-
 net/mac80211/ieee80211_i.h                       |    3 +-
 net/mac80211/iface.c                             |   14 +-
 net/mac80211/main.c                              |    2 +-
 net/mac80211/pm.c                                |    6 +-
 net/mac80211/rate.c                              |    2 +-
 net/mac80211/rc80211_pid_debugfs.c               |    2 +-
 net/mac80211/util.c                              |    2 +-
 net/netfilter/ipset/ip_set_core.c                |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                  |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                   |   14 +-
 net/netfilter/ipvs/ip_vs_lblc.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                 |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                  |    4 +-
 net/netfilter/nf_conntrack_acct.c                |    2 +-
 net/netfilter/nf_conntrack_ecache.c              |    2 +-
 net/netfilter/nf_conntrack_helper.c              |    2 +-
 net/netfilter/nf_conntrack_proto.c               |    2 +-
 net/netfilter/nf_conntrack_standalone.c          |    2 +-
 net/netfilter/nf_conntrack_timestamp.c           |    2 +-
 net/netfilter/nf_log.c                           |   10 +-
 net/netfilter/nf_sockopt.c                       |    4 +-
 net/netfilter/nfnetlink_log.c                    |    4 +-
 net/netfilter/xt_statistic.c                     |    8 +-
 net/netlink/af_netlink.c                         |    4 +-
 net/netlink/genetlink.c                          |   16 +-
 net/packet/af_packet.c                           |   12 +-
 net/phonet/pep.c                                 |    6 +-
 net/phonet/socket.c                              |    2 +-
 net/phonet/sysctl.c                              |    2 +-
 net/rds/cong.c                                   |    6 +-
 net/rds/ib.h                                     |    2 +-
 net/rds/ib_cm.c                                  |    2 +-
 net/rds/ib_recv.c                                |    4 +-
 net/rds/iw.h                                     |    2 +-
 net/rds/iw_cm.c                                  |    2 +-
 net/rds/iw_recv.c                                |    4 +-
 net/rds/rds.h                                    |    2 +-
 net/rds/tcp.c                                    |    2 +-
 net/rds/tcp_send.c                               |    2 +-
 net/rxrpc/af_rxrpc.c                             |    2 +-
 net/rxrpc/ar-ack.c                               |   14 +-
 net/rxrpc/ar-call.c                              |    2 +-
 net/rxrpc/ar-connection.c                        |    2 +-
 net/rxrpc/ar-connevent.c                         |    2 +-
 net/rxrpc/ar-input.c                             |    4 +-
 net/rxrpc/ar-internal.h                          |    8 +-
 net/rxrpc/ar-local.c                             |    2 +-
 net/rxrpc/ar-output.c                            |    4 +-
 net/rxrpc/ar-peer.c                              |    2 +-
 net/rxrpc/ar-proc.c                              |    4 +-
 net/rxrpc/ar-transport.c                         |    2 +-
 net/rxrpc/rxkad.c                                |    4 +-
 net/sctp/ipv6.c                                  |    6 +-
 net/sctp/protocol.c                              |   10 +-
 net/sctp/sm_sideeffect.c                         |    2 +-
 net/sctp/socket.c                                |   21 +-
 net/sctp/sysctl.c                                |    4 +-
 net/socket.c                                     |   18 +-
 net/sunrpc/clnt.c                                |    4 +-
 net/sunrpc/sched.c                               |    4 +-
 net/sunrpc/svc.c                                 |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                   |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c          |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c            |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c         |   10 +-
 net/tipc/link.c                                  |    6 +-
 net/tipc/msg.c                                   |    2 +-
 net/tipc/subscr.c                                |    2 +-
 net/unix/sysctl_net_unix.c                       |    2 +-
 net/wireless/wext-core.c                         |   19 +-
 net/xfrm/xfrm_policy.c                           |   27 +-
 net/xfrm/xfrm_state.c                            |   29 +-
 net/xfrm/xfrm_sysctl.c                           |    2 +-
 scripts/Makefile.build                           |    2 +-
 scripts/Makefile.clean                           |    3 +-
 scripts/Makefile.host                            |   28 +-
 scripts/basic/fixdep.c                           |   12 +-
 scripts/gcc-plugin.sh                            |   17 +
 scripts/headers_install.pl                       |    1 +
 scripts/link-vmlinux.sh                          |    2 +-
 scripts/mod/file2alias.c                         |   14 +-
 scripts/mod/modpost.c                            |   25 +-
 scripts/mod/modpost.h                            |    6 +-
 scripts/mod/sumversion.c                         |    2 +-
 scripts/package/builddeb                         |    1 +
 scripts/pnmtologo.c                              |    6 +-
 scripts/sortextable.h                            |    6 +-
 security/Kconfig                                 |  675 +++-
 security/apparmor/lsm.c                          |    2 +-
 security/integrity/ima/ima.h                     |    4 +-
 security/integrity/ima/ima_api.c                 |    2 +-
 security/integrity/ima/ima_fs.c                  |    4 +-
 security/integrity/ima/ima_queue.c               |    2 +-
 security/keys/compat.c                           |    2 +-
 security/keys/key.c                              |   18 +-
 security/keys/keyctl.c                           |    8 +-
 security/keys/keyring.c                          |    6 +-
 security/security.c                              |    9 +-
 security/selinux/hooks.c                         |    2 +-
 security/selinux/include/xfrm.h                  |    2 +-
 security/smack/smack_lsm.c                       |    2 +-
 security/tomoyo/tomoyo.c                         |    2 +-
 security/yama/yama_lsm.c                         |   22 +-
 sound/aoa/codecs/onyx.c                          |    7 +-
 sound/aoa/codecs/onyx.h                          |    1 +
 sound/core/oss/pcm_oss.c                         |   18 +-
 sound/core/pcm_compat.c                          |    2 +-
 sound/core/pcm_native.c                          |    4 +-
 sound/core/seq/seq_device.c                      |    8 +-
 sound/drivers/mts64.c                            |   14 +-
 sound/drivers/opl4/opl4_lib.c                    |    2 +-
 sound/drivers/portman2x4.c                       |    3 +-
 sound/firewire/amdtp.c                           |    4 +-
 sound/firewire/amdtp.h                           |    2 +-
 sound/firewire/isight.c                          |   10 +-
 sound/firewire/scs1x.c                           |    8 +-
 sound/oss/sb_audio.c                             |    2 +-
 sound/oss/swarm_cs4297a.c                        |    6 +-
 sound/pci/ymfpci/ymfpci.h                        |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                   |   12 +-
 tools/gcc/.gitignore                             |    1 +
 tools/gcc/Makefile                               |   45 +
 tools/gcc/checker_plugin.c                       |  171 +
 tools/gcc/colorize_plugin.c                      |  151 +
 tools/gcc/constify_plugin.c                      |  518 ++
 tools/gcc/generate_size_overflow_hash.sh         |   94 +
 tools/gcc/kallocstat_plugin.c                    |  170 +
 tools/gcc/kernexec_plugin.c                      |  465 ++
 tools/gcc/latent_entropy_plugin.c                |  327 ++
 tools/gcc/size_overflow_hash.data                | 5876 ++++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                 | 2114 ++++++++
 tools/gcc/stackleak_plugin.c                     |  327 ++
 tools/gcc/structleak_plugin.c                    |  276 +
 tools/perf/util/include/asm/alternative-asm.h    |    3 +
 tools/perf/util/include/linux/compiler.h         |    8 +
 virt/kvm/kvm_main.c                              |   32 +-
 1555 files changed, 30474 insertions(+), 7126 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
Merge: 814820a 3a59a59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:51:18 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:50:07 2013 -0400

    Update to pax-linux-3.8.13-test24.patch:
    - fixed sparc/constification compile error, reported by blake
    - UDEREF/amd64 should be a bit more efficient when disabled at boot time
    - fixed some unnecessary integer truncations that could trip up the size overflow plugin

 arch/arm/kernel/vmlinux.lds.S       |    4 ++--
 arch/sparc/kernel/us3_cpufreq.c     |    4 ++--
 arch/x86/ia32/ia32entry.S           |    4 ++--
 arch/x86/include/asm/pgtable.h      |    6 ++++--
 arch/x86/include/asm/uaccess.h      |    6 +++---
 arch/x86/kernel/kprobes-opt.c       |    4 ++++
 arch/x86/lib/copy_user_nocache_64.S |    2 +-
 arch/x86/lib/getuser.S              |    8 ++++----
 arch/x86/lib/putuser.S              |    8 ++++----
 arch/x86/mm/fault.c                 |    6 +++---
 drivers/net/slip/slhc.c             |    2 +-
 drivers/staging/iio/ring_sw.c       |    2 +-
 fs/binfmt_elf.c                     |    6 +++---
 fs/nfsd/nfscache.c                  |    2 +-
 fs/xattr.c                          |   21 +++++++++++++++++++++
 include/linux/syscalls.h            |    2 +-
 include/linux/xattr.h               |    3 +++
 init/main.c                         |    3 +++
 kernel/futex_compat.c               |    2 +-
 kernel/trace/trace.h                |    2 +-
 net/socket.c                        |    2 +-
 security/Kconfig                    |    2 +-
 22 files changed, 67 insertions(+), 34 deletions(-)

commit 814820abfe5b9a34401d838b2510431a4cd92be9
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 09:31:17 2013 +0000

    Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
    
    tipc: potential divide by zero in tipc_link_recv_fragment()
    
    The worry here is that fragm_sz could be zero since it comes from
    skb->data.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/link.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 08:28:41 2013 +0000

    Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
    
    tipc: add a bounds check in link_recv_changeover_msg()
    
    The bearer_id here comes from skb->data and it can be a number from 0 to
    7.  The problem is that the ->links[] array has only 2 elements so I
    have added a range check.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/link.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit ed0428c4ef6c5498870772f212ac651216eb8d0c
Merge: 2452d8d dbf932a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 21:18:25 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/cpu/perf_event_intel_uncore.c
        arch/x86/mm/init.c

commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 20:24:01 2013 -0400

    compile fix

 grsecurity/gracl.c      |    1 +
 grsecurity/gracl_segv.c |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:25:26 2013 -0400

    fix btrfs support here as well

 grsecurity/gracl_segv.c |   17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

commit c75e4664fe4d20da1639f70d9def097c4f20856b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:12:57 2013 -0400

    Fix RBAC compatibility with btrfs compiled as a module, as
    reported on the forums by YuHg at:
    http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952

 fs/btrfs/inode.c            |   11 +----------
 grsecurity/gracl.c          |   19 ++++++++++---------
 grsecurity/gracl_segv.c     |    2 +-
 grsecurity/grsec_disabled.c |    2 +-
 4 files changed, 13 insertions(+), 21 deletions(-)

commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 11 12:12:00 2013 -0400

    allow copies just up to the start of kernel code

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 04638852588cf243f865f5a73aa9dab94fab53b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:53:07 2013 -0400

    MODULES_EXEC_VADDR is a virtual address

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:51:03 2013 -0400

    exempt module rx areas from usercopy protection under i386 kernexec
    their .rodata will be placed between stext/etext causing copies of
    constant strings to trigger usercopy reports/terminations

 fs/exec.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 20:25:52 2013 -0400

    User jorgus on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
    discovered that the upstreamed version of enforcing RLIMIT_NPROC
    at setuid/exec time missed an important corner case:
    If RLIMIT_NPROC is set after a setuid occurs and the user's process
    limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
    happen at exec time for the task with a modified RLIMIT_NPROC.
    
    This patch fixes that.

 kernel/sys.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
Merge: 539fff0 2452d8d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 18:13:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
Merge: 6c850d8 9c9ab76
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 18:13:31 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/irq.c
        kernel/trace/trace_stack.c

commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:43:00 2013 -0400

    turn counter into a flag

 grsecurity/Kconfig        |    2 +-
 grsecurity/grsec_chroot.c |    8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:02:39 2013 -0400

    add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
    useful for Fedora/RHEL users

 grsecurity/Kconfig        |   10 ++++++++++
 grsecurity/grsec_chroot.c |   17 +++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

commit 418102925c0cfb0de51b0a021abaa575e28fafa6
Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
Date:   Fri May 3 14:11:25 2013 +0200

    Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
    
    perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
    
    We should always have proper privileges when requesting kernel
    data.
    
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@kernel.org>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: eranian@google.com
    Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
    [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org

 arch/x86/kernel/cpu/perf_event_intel_lbr.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Apr 29 05:58:52 2013 +0000

    Upstream commit: aebda156a570782a86fc4426842152237a19427d
    
    net: defer net_secret[] initialization
    
    Instead of feeding net_secret[] at boot time, defer the init
    at the point first socket is created.
    
    This permits some platforms to use better entropy sources than
    the ones available at boot time.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/secure_seq.h |    1 +
 net/core/secure_seq.c    |    4 +---
 net/ipv4/af_inet.c       |    5 ++++-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed May 1 02:59:23 2013 +0000

    Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
    
    net: sctp: attribute printl with __printf for gcc fmt checks
    
    Let GCC check for format string errors in sctp's probe printl
    function. This patch fixes the warning when compiled with W=1:
    
    net/sctp/probe.c:73:2: warning: function might be possible candidate
    for 'gnu_printf' format attribute [-Wmissing-format-attribute]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/probe.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:58:54 2013 -0400

    remove no-longer-needed vmware 8 compat fix

 mm/page_alloc.c |    6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:55:23 2013 -0400

    remove unnecessary < 0 check

 net/phonet/af_phonet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:30:48 2013 -0400

    remove references to CONFIG_X86_WP_WORKS_OK

 arch/um/defconfig |    1 -
 security/Kconfig  |    2 +-
 2 files changed, 1 insertions(+), 2 deletions(-)

commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
Merge: a8dbe8e 6c850d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:28:44 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/mm/ultra.S
        drivers/tty/tty_io.c

commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
Merge: cdbcbef 9fa1d01
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:25:18 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:44:23 2013 -0400

    add module.h to silence compiler warning, thanks to
    Sergei Trofimovich

 fs/btrfs/inode.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 55eba82aca97aa56378e000840c48965557721e8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:43:03 2013 -0400

    compilation fix

 kernel/trace/trace.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e3bf912b54af6df7fbebc68b5999554562056c5c
Merge: 5b72e37 cdbcbef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:34:42 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit cdbcbef45c4f003cbee11e10668a35d424c17c60
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:33:35 2013 -0400

    Update to pax-linux-3.8.10-test21.patch:
    - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
    - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
      note that the false positive is not fixed yet
    - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
    - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
    - reverted the nested NMI fix in search for a real one
    - simplified the arm_delay_ops constification

 arch/arm/include/asm/delay.h     |    8 ++++----
 arch/arm/lib/delay.c             |   17 +++++------------
 arch/x86/kernel/entry_64.S       |   11 ++++++++++-
 arch/x86/kernel/i8259.c          |    2 +-
 arch/x86/kernel/pci-calgary_64.c |    2 +-
 arch/x86/kvm/vmx.c               |    4 ++--
 drivers/block/pktcdvd.c          |    2 +-
 fs/btrfs/extent-tree.c           |    2 +-
 fs/nfsd/nfscache.c               |    6 ++++--
 kernel/trace/trace.c             |    2 +-
 tools/gcc/structleak_plugin.c    |    4 ++++
 11 files changed, 34 insertions(+), 26 deletions(-)

commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 20:53:06 2013 -0400

    don't use file_inode()

 drivers/tty/tty_io.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Apr 26 13:48:53 2013 +0200

    Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
    
    TTY: fix atime/mtime regression
    
    In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
    we removed timestamps from tty inodes to fix a security issue and waited
    if something breaks.  Well, 'w', the utility to find out logged users
    and their inactivity time broke.  It shows that users are inactive since
    the time they logged in.
    
    To revert to the old behaviour while still preventing attackers to
    guess the password length, we update the timestamps in one-minute
    intervals by this patch.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        drivers/tty/tty_io.c

 drivers/tty/tty_io.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Feb 15 15:25:05 2013 +0100

    Upstream commit: b0de59b5733d
    
    TTY: do not update atime/mtime on read/write
    
    On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
    out length of a password using timestamps of /dev/ptmx. It is
    documented in "Timing Analysis of Keystrokes and Timing Attacks on
    SSH". To avoid that problem, do not update time when reading
    from/writing to a TTY.
    
    I am afraid of regressions as this is a behavior we have since 0.97
    and apps may expect the time to be current, e.g. for monitoring
    whether there was a change on the TTY. Now, there is no change. So
    this would better have a lot of testing before it goes upstream.
    
    References: CVE-2013-0160
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: stable <stable@vger.kernel.org> # after 3.9 is out
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_io.c |    8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit 5344a24e2320d61dbdb88aae04922f0799deefd0
Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
Date:   Fri Apr 26 11:03:53 2013 +0800

    Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
    
    aio: fix possible invalid memory access when DEBUG is enabled
    
    dprintk() shouldn't access @ring after it's unmapped.
    
    Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/aio.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
Author: John David Anglin <dave.anglin@bell.net>
Date:   Tue Apr 23 22:42:07 2013 +0200

    Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
    
    parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
    
    User applications running on SMP kernels have long suffered from instability
    and random segmentation faults.  This patch improves the situation although
    there is more work to be done.
    
    One of the problems is the various routines in pgtable.h that update page table
    entries use different locking mechanisms, or no lock at all (set_pte_at).  This
    change modifies the routines to all use the same lock pa_dbit_lock.  This lock
    is used for dirty bit updates in the interruption code. The patch also purges
    the TLB entries associated with the PTE to ensure that inconsistent values are
    not used after the page table entry is updated.  The UP and SMP code are now
    identical.
    
    The change also includes a minor update to the purge_tlb_entries function in
    cache.c to improve its efficiency.
    
    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: Helge Deller <deller@gmx.de>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/include/asm/pgtable.h |   47 +++++++++++++++++++-----------------
 arch/parisc/kernel/cache.c        |    5 +---
 2 files changed, 26 insertions(+), 26 deletions(-)

commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
Merge: ba54c97 4d05084
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 18:17:20 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kvm/x86.c
        include/linux/capability.h

commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
Merge: c664779 bb8dd67
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 18:15:45 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Apr 24 16:52:18 2013 -0700

    Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
    
    sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
    
    Reported-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/tlb.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Apr 19 17:26:26 2013 -0400

    Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
    
    sparc64: Fix race in TLB batch processing.
    
    As reported by Dave Kleikamp, when we emit cross calls to do batched
    TLB flush processing we have a race because we do not synchronize on
    the sibling cpus completing the cross call.
    
    So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
    and either flushes are missed or flushes will flush the wrong
    addresses.
    
    Fix this by using generic infrastructure to synchonize on the
    completion of the cross call.
    
    This first required getting the flush_tlb_pending() call out from
    switch_to() which operates with locks held and interrupts disabled.
    The problem is that smp_call_function_many() cannot be invoked with
    IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
    
    We get the batch processing outside of locked IRQ disabled sections by
    using some ideas from the powerpc port. Namely, we only batch inside
    of arch_{enter,leave}_lazy_mmu_mode() calls.  If we're not in such a
    region, we flush TLBs synchronously.
    
    1) Get rid of xcall_flush_tlb_pending and per-cpu type
       implementations.
    
    2) Do TLB batch cross calls instead via:
    
        smp_call_function_many()
                tlb_pending_func()
                        __flush_tlb_pending()
    
    3) Batch only in lazy mmu sequences:
    
        a) Add 'active' member to struct tlb_batch
        b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
        c) Set 'active' in arch_enter_lazy_mmu_mode()
        d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
        e) Check 'active' in tlb_batch_add_one() and do a synchronous
               flush if it's clear.
    
    4) Add infrastructure for synchronous TLB page flushes.
    
        a) Implement __flush_tlb_page and per-cpu variants, patch
           as needed.
        b) Likewise for xcall_flush_tlb_page.
        c) Implement smp_flush_tlb_page() to invoke the cross-call.
        d) Wire up global_flush_tlb_page() to the right routine based
               upon CONFIG_SMP
    
    5) It turns out that singleton batches are very common, 2 out of every
       3 batch flushes have only a single entry in them.
    
       The batch flush waiting is very expensive, both because of the poll
       on sibling cpu completeion, as well as because passing the tlb batch
       pointer to the sibling cpus invokes a shared memory dereference.
    
       Therefore, in flush_tlb_pending(), if there is only one entry in
       the batch perform a completely asynchronous global_flush_tlb_page()
       instead.
    
    Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>

 arch/sparc/include/asm/pgtable_64.h   |    1 +
 arch/sparc/include/asm/switch_to_64.h |    3 +-
 arch/sparc/include/asm/tlbflush_64.h  |   37 +++++++++--
 arch/sparc/kernel/smp_64.c            |   41 ++++++++++-
 arch/sparc/mm/tlb.c                   |   38 +++++++++-
 arch/sparc/mm/tsb.c                   |   57 ++++++++++++----
 arch/sparc/mm/ultra.S                 |  119 ++++++++++++++++++++++++++-------
 7 files changed, 241 insertions(+), 55 deletions(-)

commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Apr 19 15:32:32 2013 +0000

    Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
    
    net: fix incorrect credentials passing
    
    Commit 257b5358b32f ("scm: Capture the full credentials of the scm
    sender") changed the credentials passing code to pass in the effective
    uid/gid instead of the real uid/gid.
    
    Obviously this doesn't matter most of the time (since normally they are
    the same), but it results in differences for suid binaries when the wrong
    uid/gid ends up being used.
    
    This just undoes that (presumably unintentional) part of the commit.
    
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Serge E. Hallyn <serge@hallyn.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/scm.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:22:40 2013 -0400

    move _etext to only cover kernel code, not read-only data, as reported by Gu1

 arch/arm/kernel/vmlinux.lds.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 98ad6adbc48759e4f9eae435d3e51ba487155685
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:17:24 2013 -0400

    add asm/sections.h for USERCOPY change

 fs/exec.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
Author: Dmitry Popov <dp@highloadlab.com>
Date:   Thu Apr 11 08:55:07 2013 +0000

    Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
    
    tcp: incoming connections might use wrong route under synflood
    
    There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
        flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
                           RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                           inet_sk_flowi_flags(sk),
                           (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
                           ireq->loc_addr, th->source, th->dest);
    
    Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
    taken. This dst_entry is used by new socket (get_cookie_sock ->
    tcp_v4_syn_recv_sock), so its packets may take the wrong path.
    
    Signed-off-by: Dmitry Popov <dp@highloadlab.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/syncookies.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 3600395e8fef3ae712e72f9b68c3609639616df8
Author: Thomas Graf <tgraf@suug.ch>
Date:   Thu Apr 11 10:57:18 2013 +0000

    Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
    
    tcp: Reallocate headroom if it would overflow csum_start
    
    If a TCP retransmission gets partially ACKed and collapsed multiple
    times it is possible for the headroom to grow beyond 64K which will
    overflow the 16bit skb->csum_start which is based on the start of
    the headroom. It has been observed rarely in the wild with IPoIB due
    to the 64K MTU.
    
    Verify if the acking and collapsing resulted in a headroom exceeding
    what csum_start can cover and reallocate the headroom if so.
    
    A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
    LLNL for helping out with the investigation and testing.
    
    Reported-by: Jim Foraker <foraker1@llnl.gov>
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_output.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
Author: Ivan Vecera <ivecera@redhat.com>
Date:   Fri Apr 12 16:49:24 2013 +0200

    Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
    
    be2net: take care of __vlan_put_tag return value
    
    The driver should use return value of __vlan_put_tag with appropriate
    NULL-check instead of old skb pointer.
    
    Signed-off-by: Ivan Vecera <ivecera@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/emulex/benet/be_main.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Fri Apr 12 03:17:12 2013 +0000

    Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
    
    tuntap: fix error return code in tun_set_iff()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    [ Bug added in linux-3.8 , commit 4008e97f866db665
      ("tuntap: fix ambigious multiqueue API") ]
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Sat Apr 13 15:49:03 2013 +0000

    Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
    
    esp4: fix error return code in esp_output()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 2b45b5f52c2a8930f80c62de392a62516c83e225
Author: Bjørn Mork <bjorn@mork.no>
Date:   Tue Apr 16 00:17:07 2013 +0000

    Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
    
    net: cdc_mbim: remove bogus sizeof()
    
    The intention was to test against the constant, not the size of
    the constant.
    
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/usb/cdc_mbim.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 17d7408795519037a5a1272c7888238e20830bfe
Author: Vyacheslav Dubeyko <slava@dubeyko.com>
Date:   Wed Apr 17 15:58:33 2013 -0700

    Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
    
    hfsplus: fix potential overflow in hfsplus_file_truncate()
    
    Change a u32 to loff_t hfsplus_file_truncate().
    
    Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/hfsplus/extents.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
Author: Emese Revfy <re.emese@gmail.com>
Date:   Wed Apr 17 15:58:36 2013 -0700

    Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
    
    kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
    
    This fixes a kernel memory contents leak via the tkill and tgkill syscalls
    for compat processes.
    
    This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
    when handling signals delivered from tkill.
    
    The place of the infoleak:
    
    int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
    {
            ...
            put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
            ...
    }
    
    Signed-off-by: Emese Revfy <re.emese@gmail.com>
    Reviewed-by: PaX Team <pageexec@freemail.hu>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Serge Hallyn <serge.hallyn@canonical.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/signal.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:17:00 2013 -0400

    Improve PAX_USERCOPY to reject direct copies to/from main kernel text

 fs/exec.c |   29 +++++++++++++++++++++++++++--
 1 files changed, 27 insertions(+), 2 deletions(-)

commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
Merge: e87c19f c664779
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:06:08 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c664779987cb0c27a242029f0e0db812e3236203
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 19:54:09 2013 -0400

    add intentional_overflow marking for resource_size() as reasoned by:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3412

 include/linux/ioport.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e87c19f8312355b8658e5138c16bfa6043a379c8
Merge: 802d119 d0c636c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 16:57:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
Merge: bc88628 2396403
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 16:57:01 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/paravirt.c

commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:39:51 2013 -0400

    move location of RBAC user check on setfsuid until after capability checks
    for consistency with other checks

 kernel/sys.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 1a860d7d67051559ab2e6d10f9888649c92904e6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:34:46 2013 -0400

    A denied setfsuid by the RBAC system would result in an abort_creds() being called
    with an uninitalized pointer, introduced by a bad forward-port

 kernel/sys.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
Merge: c38d142 bc88628
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:28:33 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit bc88628a6a8fcccaabb90908640809b0540df225
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:26:41 2013 -0400

    Update to pax-linux-3.8.7-test20.patch:
    - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
    - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
    - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
    - fixed CONSTIFY and powerpc interference, reported by  John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)

 arch/powerpc/include/asm/smp.h |    2 +-
 arch/x86/Kconfig               |    4 ++--
 arch/x86/kernel/entry_64.S     |    8 ++++----
 security/Kconfig               |    2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

commit c38d142744489fc4d9be80188b6435a278438fd9
Author: Suleiman Souhlal <suleiman@google.com>
Date:   Sat Apr 13 16:03:06 2013 -0700

    Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
    
    vfs: Revert spurious fix to spinning prevention in prune_icache_sb
    
    Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
    
    This commit doesn't look right: since we are looking at the tail of the
    list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
    it back at the head of the list instead of the tail, otherwise we will
    keep spinning on it.
    
    Discovered when investigating why prune_icache_sb came top in perf
    reports of a swapping load.
    
    Signed-off-by: Suleiman Souhlal <suleiman@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org # v3.2+
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/inode.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 93019624b80ba59798393942798d7f6ed0c1dbc6
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Apr 13 15:15:30 2013 -0700

    Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
    
    kobject: fix kset_find_obj() race with concurrent last kobject_put()
    
    Anatol Pomozov identified a race condition that hits module unloading
    and re-loading.  To quote Anatol:
    
     "This is a race codition that exists between kset_find_obj() and
      kobject_put().  kset_find_obj() might return kobject that has refcount
      equal to 0 if this kobject is freeing by kobject_put() in other
      thread.
    
      Here is timeline for the crash in case if kset_find_obj() searches for
      an object tht nobody holds and other thread is doing kobject_put() on
      the same kobject:
    
        THREAD A (calls kset_find_obj())     THREAD B (calls kobject_put())
        splin_lock()
                                             atomic_dec_return(kobj->kref), counter gets zero here
                                             ... starts kobject cleanup ....
                                             spin_lock() // WAIT thread A in kobj_kset_leave()
        iterate over kset->list
        atomic_inc(kobj->kref) (counter becomes 1)
        spin_unlock()
                                             spin_lock() // taken
                                             // it does not know that thread A increased counter so it
                                             remove obj from list
                                             spin_unlock()
                                             vfree(module) // frees module object with containing kobj
    
        // kobj points to freed memory area!!
        kobject_put(kobj) // OOPS!!!!
    
      The race above happens because module.c tries to use kset_find_obj()
      when somebody unloads module.  The module.c code was introduced in
      commit 6494a93d55fa"
    
    Anatol supplied a patch specific for module.c that worked around the
    problem by simply not using kset_find_obj() at all, but rather than make
    a local band-aid, this just fixes kset_find_obj() to be thread-safe
    using the proper model of refusing the get a new reference if the
    refcount has already dropped to zero.
    
    See examples of this proper refcount handling not only in the kref
    documentation, but in various other equivalent uses of this pattern by
    grepping for atomic_inc_not_zero().
    
    [ Side note: the module race does indicate that module loading and
      unloading is not properly serialized wrt sysfs information using the
      module mutex.  That may require further thought, but this is the
      correct fix at the kobject layer regardless. ]
    
    Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/kobject.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 5277b052b5fab36729e1255fb3b12f47a4b12867
Author: Dave Hansen <dave@sr71.net>
Date:   Fri Apr 12 16:23:54 2013 -0700

    Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
    
    x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
    
    This patch attempts to fix:
    
        https://bugzilla.kernel.org/show_bug.cgi?id=56461
    
    The symptom is a crash and messages like this:
    
        chrome: Corrupted page table at address 34a03000
        *pdpt = 0000000000000000 *pde = 0000000000000000
        Bad pagetable: 000f [#1] PREEMPT SMP
    
    Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
    enable tlb flush range support for x86") since that code started to free
    unused pagetables.
    
    On x86-32 PAE kernels, that new code has the potential to free an entire
    PMD page and will clear one of the four page-directory-pointer-table
    (aka pgd_t entries).
    
    The hardware aggressively "caches" these top-level entries and invlpg
    does not actually affect the CPU's copy.  If we clear one we *HAVE* to
    do a full TLB flush, otherwise we might continue using a freed pmd page.
    (note, we do this properly on the population side in pud_populate()).
    
    This patch tracks whenever we clear one of these entries in the 'struct
    mmu_gather', and ensures that we follow up with a full tlb flush.
    
    BTW, I disassembled and checked that:
    
        if (tlb->fullmm == 0)
    and
        if (!tlb->fullmm && !tlb->need_flush_all)
    
    generate essentially the same code, so there should be zero impact there
    to the !PAE case.
    
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Peter Anvin <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Artem S Tashkinov <t.artem@mailcity.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/x86/include/asm/tlb.h |    2 +-
 arch/x86/mm/pgtable.c      |    7 +++++++
 include/asm-generic/tlb.h  |    7 ++++++-
 mm/memory.c                |    1 +
 4 files changed, 15 insertions(+), 2 deletions(-)

commit 521e573fc77d1783c1d4636dfbb4617a922f043d
Merge: 032f626 f807619
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:29:34 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f80761993b85df96fc142dfc3a317cadc0f8eae5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:28:21 2013 -0400

    Update to pax-linux-3.8.7-test19.patch:
    - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
    - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
    - fixed the structleak plugin to compile for gcc 4.5-4.6 as well

 Makefile                      |    2 +-
 arch/x86/xen/enlighten.c      |    6 +++---
 tools/gcc/structleak_plugin.c |    5 +++--
 3 files changed, 7 insertions(+), 6 deletions(-)

commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
Merge: a3a770e 89886f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 18:38:40 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 89886f561cc0d1c42a99624ec8c3704711088155
Merge: 9123489 531ec28
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 18:38:30 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit a3a770e18578841e4fbe2aa0831a22811b4812cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 11 20:46:20 2013 -0400

    Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
    Will be fixed with the next PaX patch
    
    This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date:   Fri Mar 29 10:20:56 2013 -0400

    Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
    
    xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
    
    Occassionaly on a DL380 G4 the guest would crash quite early with this:
    
    (XEN) d244:v0: unhandled page fault (ec=0003)
    (XEN) Pagetable walk from ffffffff84dc7000:
    (XEN)  L4[0x1ff] = 00000000c3f18067 0000000000001789
    (XEN)  L3[0x1fe] = 00000000c3f14067 000000000000178d
    (XEN)  L2[0x026] = 00000000dc8b2067 0000000000004def
    (XEN)  L1[0x1c7] = 00100000dc8da067 0000000000004dc7
    (XEN) domain_crash_sync called from entry.S
    (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
    (XEN) ----[ Xen-4.1.3OVM  x86_64  debug=n  Not tainted ]----
    (XEN) CPU:    3
    (XEN) RIP:    e033:[<ffffffff81263f22>]
    (XEN) RFLAGS: 0000000000000216   EM: 1   CONTEXT: pv guest
    (XEN) rax: 0000000000000000   rbx: ffffffff81785f88   rcx: 000000000000003f
    (XEN) rdx: 0000000000000000   rsi: 00000000dc8da063   rdi: ffffffff84dc7000
    
    The offending code shows it to be a loop writting the value zero
    (%rax) in the %rdi (the L4 provided by Xen) register:
    
       0: 44 00 00             add    %r8b,(%rax)
       3: 31 c0                 xor    %eax,%eax
       5: b9 40 00 00 00       mov    $0x40,%ecx
       a: 66 0f 1f 84 00 00 00 nopw   0x0(%rax,%rax,1)
      11: 00 00
      13: ff c9                 dec    %ecx
      15:* 48 89 07             mov    %rax,(%rdi)     <-- trapping instruction
      18: 48 89 47 08           mov    %rax,0x8(%rdi)
      1c: 48 89 47 10           mov    %rax,0x10(%rdi)
    
    which fails. xen_setup_kernel_pagetable recycles some of the Xen's
    page-table entries when it has switched over to its Linux page-tables.
    
    Right before try to clear the page, we  make a hypercall to change
    it from _RO to  _RW and that works (otherwise we would hit an BUG()).
    And the _RW flag is set for that page:
    (XEN)  L1[0x1c7] = 001000004885f067 0000000000004dc7
    
    The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
    present (correct), and we tried to write to the page, but a violation
    occurred. The one theory is that the the page entries in hardware
    (which are cached) are not up to date with what we just set. Especially
    as we have just done an CR3 write and flushed the multicalls.
    
    This patch does solve the problem by flusing out the TLB page
    entry after changing it from _RO to _RW and we don't hit this
    issue anymore.
    
    Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
    'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
    Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

 arch/x86/xen/mmu.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
Author: Namhyung Kim <namhyung.kim@lge.com>
Date:   Mon Apr 1 21:46:23 2013 +0900

    Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
    
    tracing: Fix double free when function profile init failed
    
    On the failure path, stat->start and stat->pages will refer same page.
    So it'll attempt to free the same page again and get kernel panic.
    
    Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
    
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Namhyung Kim <namhyung.kim@lge.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Namhyung Kim <namhyung@kernel.org>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/ftrace.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Tue Apr 9 23:19:00 2013 +0000

    Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
    
    e100: Add dma mapping error check
    
    e100 uses pci_map_single, but fails to check for a dma mapping error after its
    use, resulting in a stack trace:
    
    [   46.656594] ------------[ cut here ]------------
    [   46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
    [   46.657004] Hardware name: To Be Filled By O.E.M.
    [   46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
    error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
    [   46.657004] Modules linked in:
    [   46.657004]  w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
    snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
    e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
    k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
    sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
    drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
    sata_promise crc_itu_t
    [   46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
    [   46.657004] Call Trace:
    [   46.657004]  <IRQ>  [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
    [   46.657004]  [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
    [   46.657004]  [<ffffffff81364cfb>] check_unmap+0x47b/0x950
    [   46.657004]  [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
    [   46.657004]  [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
    [   46.657004]  [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
    [   46.657004]  [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
    [   46.657004]  [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
    [   46.657004]  [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
    [   46.657004]  [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
    [   46.657004]  [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
    [   46.657004]  [<ffffffff8101c485>] do_softirq+0x85/0xc0
    [   46.657004]  [<ffffffff81070885>] irq_exit+0xd5/0xe0
    [   46.657004]  [<ffffffff816e5756>] do_IRQ+0x56/0xc0
    [   46.657004]  [<ffffffff816dacb2>] common_interrupt+0x72/0x72
    [   46.657004]  <EOI>  [<ffffffff816da1eb>] ?
    _raw_spin_unlock_irqrestore+0x3b/0x70
    [   46.657004]  [<ffffffff816d124d>] __slab_free+0x58/0x38b
    [   46.657004]  [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
    [   46.657004]  [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
    [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
    [   46.657004]  [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff811e8c28>] destroy_inode+0x38/0x60
    [   46.657004]  [<ffffffff811e8d5e>] evict+0x10e/0x1a0
    [   46.657004]  [<ffffffff811e9605>] iput+0xf5/0x180
    [   46.657004]  [<ffffffff811e4338>] dput+0x248/0x310
    [   46.657004]  [<ffffffff811ce0e1>] __fput+0x171/0x240
    [   46.657004]  [<ffffffff811ce26e>] ____fput+0xe/0x10
    [   46.657004]  [<ffffffff8108d54c>] task_work_run+0xac/0xe0
    [   46.657004]  [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
    [   46.657004]  [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
    [   46.657004]  [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
    [   46.657004]  [<ffffffff8106d139>] do_group_exit+0x49/0xc0
    [   46.657004]  [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
    [   46.657004]  [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
    [   46.657004] ---[ end trace 4468c44e2156e7d1 ]---
    [   46.657004] Mapped at:
    [   46.657004]  [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
    [   46.657004]  [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
    [   46.657004]  [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
    [   46.657004]  [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
    [   46.657004]  [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
    
    Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
    dma_mapping_error check in the obvious place
    
    This was reported previously here:
    http://article.gmane.org/gmane.linux.network/257893
    
    But nobody stepped up and fixed it.
    
    CC: Josh Boyer <jwboyer@redhat.com>
    CC: e1000-devel@lists.sourceforge.net
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: Michal Jaegermann <michal@harddata.com>
    Tested-by: Aaron Brown <aaron.f.brown@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/intel/e100.c |   36 +++++++++++++++++++++++++-----------
 1 files changed, 25 insertions(+), 11 deletions(-)

commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Wed Apr 10 12:44:18 2013 -0400

    Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
    
    NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
    
    Make sure that we set the status to 0 on success. Missed in testing
    because it never appears when doing multiple mounts to _different_
    servers.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list

 fs/nfs/nfs4client.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
Author: Yuval Mintz <yuvalmin@broadcom.com>
Date:   Wed Apr 10 13:34:39 2013 +0300

    Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
    
    bnx2x: Prevent null pointer dereference in AFEX mode
    
    The cnic module is responsible for initializing various bnx2x structs
    via callbacks provided by the bnx2x module.
    One such struct is the queue object for the FCoE queue.
    
    If a device is working in AFEX mode and its configuration allows FCoE yet
    the cnic module is not loaded, it's very likely a null pointer dereference
    will occur, as the bnx2x will erroneously access the FCoE's queue object.
    
    Prevent said access until cnic properly registers itself.
    
    Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
    Signed-off-by: Ariel Elior <ariele@broadcom.com>
    Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 2908830232725db624aaa052f7ad38d1f98bf541
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Apr 9 14:16:04 2013 +0800

    Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
    
    can: gw: use kmem_cache_free() instead of kfree()
    
    Memory allocated by kmem_cache_alloc() should be freed using
    kmem_cache_free(), not kfree().
    
    Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

 net/can/gw.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date:   Sun Apr 7 04:53:15 2013 +0000

    Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
    
    ipv6/tcp: Stop processing ICMPv6 redirect messages
    
    Tetja Rediske found that if the host receives an ICMPv6 redirect message
    after sending a SYN+ACK, the connection will be reset.
    
    He bisected it down to 093d04d (ipv6: Change skb->data before using
    icmpv6_notify() to propagate redirect), but the origin of the bug comes
    from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
    handlers.). The bug simply did not trigger prior to 093d04d, because
    skb->data did not point to the inner IP header and thus icmpv6_notify
    did not call the correct err_handler.
    
    This patch adds the missing "goto out;" in tcp_v6_err. After receiving
    an ICMPv6 Redirect, we should not continue processing the ICMP in
    tcp_v6_err, as this may trigger the removal of request-socks or setting
    sk_err(_soft).
    
    Reported-by: Tetja Rediske <tetja@tetja.de>
    Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/tcp_ipv6.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c7d5c2524456ef3ea9194840e7a9a75069a46824
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 20:32:54 2013 -0400

    - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit acac2380fd97acee4367d2aa24c74322dcf1d22b
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Apr 5 16:11:11 2013 -0400

    Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
    
    NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
    
    It is unsafe to use list_for_each_entry_safe() here, because
    when we drop the nn->nfs_client_lock, we pin the _current_ list
    entry and ensure that it stays in the list, but we don't do the
    same for the _next_ list entry. Use of list_for_each_entry() is
    therefore the correct thing to do.
    
    Also fix the refcounting in nfs41_walk_client_list().
    
    Finally, ensure that the nfs_client has finished being initialised
    and, in the case of NFSv4.1, that the session is set up.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: Chuck Lever <chuck.lever@oracle.com>
    Cc: Bryan Schumaker <bjschuma@netapp.com>
    Cc: stable@vger.kernel.org [>= 3.7]

 fs/nfs/nfs4client.c |   44 ++++++++++++++++++++++++++++----------------
 1 files changed, 28 insertions(+), 16 deletions(-)

commit a6cf5f387b882ac0ce655b75f623f86c075517be
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Mar 22 12:52:59 2013 -0400

    Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
    
    SUNRPC: Remove extra xprt_put()
    
    While testing error cases where rpc_new_client() fails, I saw
    some oopses.
    
    If rpc_new_client() fails, it already invokes xprt_put().  Thus
    __rpc_clone_client() does not need to invoke it again.
    
    Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
    Fri Sep 14, 2012.
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Cc: stable@vger.kernel.org [>=3.7]
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Apr 5 14:13:21 2013 -0400

    Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
    
    SUNRPC: Fix a potential memory leak in rpc_new_client
    
    If the call to rpciod_up() fails, we currently leak a reference to the
    struct rpc_xprt.
    As part of the fix, we also remove the redundant check for xprt!=NULL.
    This is already taken care of by the callers.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:16:05 2013 -0400

    From https://lkml.org/lkml/2013/4/8/469:
    [PATCH] rtnetlink: call nlmsg_parse() with correct header length

 net/core/rtnetlink.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9529169b8c405874fd543b785f53c74fa0501c2a
Author: Christopher Harvey <charvey@matrox.com>
Date:   Fri Apr 5 10:51:15 2013 -0400

    Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
    
    drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
    
    This change properly enables the "requester" in G200ER cards that is
    responsible for getting pixels out of memory and clocking them out to
    the screen.
    
    Signed-off-by: Christopher Harvey <charvey@matrox.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@redhat.com>

 drivers/gpu/drm/mgag200/mgag200_mode.c |   13 +++----------
 1 files changed, 3 insertions(+), 10 deletions(-)

commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Mar 28 13:30:23 2013 -0400

    Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
    
    ecryptfs: close rmmod race
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/ecryptfs/miscdev.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:03:45 2013 -0400

    Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1

 arch/ia64/kernel/palinfo.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 83280e384ae3ceadad30369ced111dc7d4b46085
Author: Andrey Vagin <avagin@openvz.org>
Date:   Tue Apr 9 17:33:29 2013 +0400

    Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
    
    mnt: release locks on error path in do_loopback
    
    do_loopback calls lock_mount(path) and forget to unlock_mount
    if clone_mnt or copy_mnt fails.
    
    [   77.661566] ================================================
    [   77.662939] [ BUG: lock held when returning to user space! ]
    [   77.664104] 3.9.0-rc5+ #17 Not tainted
    [   77.664982] ------------------------------------------------
    [   77.666488] mount/514 is leaving the kernel with locks still held!
    [   77.668027] 2 locks held by mount/514:
    [   77.668817]  #0:  (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
    [   77.671755]  #1:  (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
    
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namespace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 679e536b9d9536d804f049fe942367a596253e6d
Author: Alex Williamson <alex.williamson@redhat.com>
Date:   Tue Mar 26 11:33:16 2013 -0600

    Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
    
    vfio-pci: Fix possible integer overflow
    
    The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
    of which are unsigned.  We attempt to bounds check these, but fail to
    account for the case where start is a very large number, allowing
    start + count to wrap back into the valid range.  Bounds check both
    start and start + count.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

 drivers/vfio/pci/vfio_pci.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 18:48:45 2013 -0400

    Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b5261a6384ee42499b29495aaae40b271e77d394
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:30:45 2013 -0400

    some undefined behavior fixups

 grsecurity/gracl.c      |    4 ++--
 grsecurity/gracl_ip.c   |   10 +++++-----
 grsecurity/gracl_segv.c |    4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:28:54 2013 -0400

    don't whine about denied ipv6 when it's not enabled

 grsecurity/gracl_ip.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
Merge: 97bca88 9123489
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:18:45 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 9123489428c58668a89f316db6619739cbdd2c2a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:17:46 2013 -0400

    Update to pax-linux-3.8.6-test18.patch:
    - new size overflow plugin from Emese to work around a gcc optimization
      resulting in an intentional overflow, reported by Carlos Carvalho
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)

 tools/gcc/size_overflow_plugin.c |   68 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 66 insertions(+), 2 deletions(-)

commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
Merge: 675a41e e9d6073
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:32:59 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/kernel/us3_cpufreq.c

commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:19:03 2013 -0400

    Update to pax-linux-3.8.6-test17.patch:
    - fixed ia64/ppc/sparc compilation by spender
    - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)

 arch/ia64/include/asm/uaccess.h    |    2 -
 arch/powerpc/include/asm/uaccess.h |    2 -
 arch/sparc/include/asm/uaccess.h   |    7 ----
 arch/sparc/kernel/prom_common.c    |    2 +-
 arch/sparc/kernel/us3_cpufreq.c    |   69 ++++++++++--------------------------
 tools/gcc/structleak_plugin.c      |   15 ++++----
 6 files changed, 28 insertions(+), 69 deletions(-)

commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 7 12:00:50 2013 -0400

    fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5a216624a06429488f24ce47db093da042f90e48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:22:24 2013 -0400

    fix typo

 arch/sparc/kernel/us3_cpufreq.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit e476ca18d21788898cd3acd1b57049971a2fb70f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:16:13 2013 -0400

    properly fix cpufreq_driver for ultrasparc III with constification

 arch/sparc/kernel/us3_cpufreq.c |   35 +++++++++++++++++------------------
 1 files changed, 17 insertions(+), 18 deletions(-)

commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:58:48 2013 -0400

    mark prom_sparc_ops __initconst

 arch/sparc/kernel/prom_common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:53:16 2013 -0400

    fix ia64/powerpc/sparc compilation

 arch/ia64/include/asm/uaccess.h    |    2 --
 arch/powerpc/include/asm/uaccess.h |    2 --
 arch/sparc/include/asm/uaccess.h   |    7 -------
 3 files changed, 0 insertions(+), 11 deletions(-)

commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Mar 19 20:26:57 2013 +0100

    Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
    
    cfg80211: fix wdev tracing crash
    
    Arend reported a crash in tracing if the driver returns an
    ERR_PTR() value from the add_virtual_intf() callback. This
    is due to the tracing then still attempting to dereference
    the "pointer", fix this by using IS_ERR_OR_NULL().
    
    Reported-by: Arend van Spriel <arend@broadcom.com>
    Tested-by: Arend van Spriel <arend@broadcom.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/wireless/trace.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Mon Mar 25 11:51:14 2013 +0100

    Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
    
    mac80211: fix remain-on-channel cancel crash
    
    If a ROC item is canceled just as it expires, the work
    struct may be scheduled while it is running (and waiting
    for the mutex). This results in it being run after being
    freed, which obviously crashes.
    
    To fix this don't free it when aborting is requested but
    instead mark it as "to be freed", which makes the work a
    no-op and allows freeing it outside.
    
    Cc: stable@vger.kernel.org [3.6+]
    Reported-by: Jouni Malinen <j@w1.fi>
    Tested-by: Jouni Malinen <j@w1.fi>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/mac80211/cfg.c         |    6 ++++--
 net/mac80211/ieee80211_i.h |    3 ++-
 net/mac80211/offchannel.c  |   23 +++++++++++++++++------
 3 files changed, 23 insertions(+), 9 deletions(-)

commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
Author: Stone Piao <piaoyun@marvell.com>
Date:   Fri Mar 29 19:21:21 2013 -0700

    Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
    
    mwifiex: limit channel number not to overflow memory
    
    Limit the channel number in scan request, or the driver scan
    config structure memory will be overflowed.
    
    Cc: <stable@vger.kernel.org> # 3.5+
    Signed-off-by: Stone Piao <piaoyun@marvell.com>
    Signed-off-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/mwifiex/cfg80211.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 207c411512bdaf0e4271f93ecac6ca26588da36f
Author: Gao feng <gaofeng@cn.fujitsu.com>
Date:   Thu Mar 21 19:48:41 2013 +0000

    Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
    
    netfilter: reset nf_trace in nf_reset
    
    We forgot to clear the nf_trace of sk_buff in nf_reset,
    When we use veth device, this nf_trace information will
    be leaked from one net namespace to another net namespace.
    
    Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/linux/skbuff.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Fri Mar 22 01:28:18 2013 +0000

    Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
    
    netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_queue_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit a79feb7d3251eca577d83d7f69eee2b961ab2924
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Sat Mar 23 16:57:59 2013 +0100

    Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
    
    netfilter: nfnetlink_acct: return -EINVAL if object name is empty
    
    If user-space tries to create accounting object with an empty
    name, then return -EINVAL.
    
    Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_acct.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
Author: Matthias Schiffer <mschiffer@universe-factory.net>
Date:   Sat Mar 30 10:23:12 2013 +0000

    Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
    
    netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
    
    The bitmask used for the prefix mangling was being calculated
    incorrectly, leading to the wrong part of the address being replaced
    when the prefix length wasn't a multiple of 32.
    
    Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/ipv6/netfilter/ip6t_NPT.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
Author: Veaceslav Falico <vfalico@redhat.com>
Date:   Wed Apr 3 05:46:33 2013 +0000

    Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
    
    bonding: remove sysfs before removing devices
    
    We have a race condition if we try to rmmod bonding and simultaneously add
    a bond master through sysfs. In bonding_exit() we first remove the devices
    (through rtnl_link_unregister() ) and only after that we remove the sysfs.
    If we manage to add a device through sysfs after that the devices were
    removed - we'll end up with that device/sysfs structure and with the module
    unloaded.
    
    Fix this by first removing the sysfs and only after that calling
    rtnl_link_unregister().
    
    Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/bonding/bond_main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d12cae44a9d12441d81c489178803237219d403d
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:14:47 2013 +0000

    Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
    
    af_unix: If we don't care about credentials coallesce all messages
    
    It was reported that the following LSB test case failed
    https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
    were not coallescing unix stream messages when the application was
    expecting us to.
    
    The problem was that the first send was before the socket was accepted
    and thus sock->sk_socket was NULL in maybe_add_creds, and the second
    send after the socket was accepted had a non-NULL value for sk->socket
    and thus we could tell the credentials were not needed so we did not
    bother.
    
    The unnecessary credentials on the first message cause
    unix_stream_recvmsg to start verifying that all messages had the same
    credentials before coallescing and then the coallescing failed because
    the second message had no credentials.
    
    Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
    long standing pessimization which would fail to coallesce messages when
    reading from a unix stream socket if the senders were different even if
    we did not care about their credentials.
    
    I have tested this and verified that the in the LSB test case mentioned
    above that the messages do coallesce now, while the were failing to
    coallesce without this change.
    
    Reported-by: Karel Srot <ksrot@redhat.com>
    Reported-by: Ding Tianhong <dingtianhong@huawei.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:13:35 2013 +0000

    Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
    
    Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
    
    This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
    
    The problem that the above patch was meant to address is that af_unix
    messages are not being coallesced because we are sending unnecesarry
    credentials.  Not sending credentials in maybe_add_creds totally
    breaks unconnected unix domain sockets that wish to send credentails
    to other sockets.
    
    In practice this break some versions of udev because they receive a
    message and the sending uid is bogus so they drop the message.
    
    Reported-by: Sven Joachim <svenjoac@gmx.de>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Mar 20 21:31:42 2013 +0000

    Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
    
    lantiq_etop: use free_netdev(netdev) instead of kfree()
    
    Freeing netdev without free_netdev() leads to net, tx leaks.
    And it may lead to dereferencing freed pointer.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/lantiq_etop.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
Author: Cong Wang <amwang@redhat.com>
Date:   Fri Mar 22 19:14:07 2013 +0000

    Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
    
    8021q: fix a potential use-after-free
    
    vlan_vid_del() could possibly free ->vlan_info after a RCU grace
    period, however, we may still refer to the freed memory area
    by 'grp' pointer. Found by code inspection.
    
    This patch moves vlan_vid_del() as behind as possible.
    
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/8021q/vlan.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit fff29c277024a39845d4b535083c8dafc21b45d9
Author: Hong zhi guo <honkiko@gmail.com>
Date:   Sat Mar 23 02:27:50 2013 +0000

    Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
    
    bridge: fix crash when set mac address of br interface
    
    When I tried to set mac address of a bridge interface to a mac
    address which already learned on this bridge, I got system hang.
    
    The cause is straight forward: function br_fdb_change_mac_address
    calls fdb_insert with NULL source nbp. Then an fdb lookup is
    performed. If an fdb entry is found and it's local, it's OK. But
    if it's not local, source is dereferenced for printk without NULL
    check.
    
    Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br_fdb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
Author: Kumar Amit Mehta <gmate.amit@gmail.com>
Date:   Sat Mar 23 20:10:25 2013 +0000

    Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
    
    bnx2x: fix assignment of signed expression to unsigned variable
    
    fix for incorrect assignment of signed expression to unsigned variable.
    
    Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
    Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
Author: dingtianhong <dingtianhong@huawei.com>
Date:   Mon Mar 25 17:02:04 2013 +0000

    Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
    
    af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
    
    SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
    socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
    and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
    
    Origionally-authored-by: Karel Srot <ksrot@redhat.com>
    Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b964e1e61f0f0ccaa380be3342f956c604054bdc
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Mar 21 02:30:41 2013 -0700

    Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
    
    yama:  Better permission check for ptraceme
    
    Change the permission check for yama_ptrace_ptracee to the standard
    ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
    in the tracees user namespace.
    
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 security/yama/yama_lsm.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit b94e71c7b6abe75989edff18aca2781233fa143b
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Apr 1 11:40:51 2013 +0400

    Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
    
    ipc: set msg back to -EAGAIN if copy wasn't performed
    
    Make sure that msg pointer is set back to error value in case of
    MSG_COPY flag is set and desired message to copy wasn't found.  This
    garantees that msg is either a error pointer or a copy address.
    
    Otherwise the last message in queue will be freed without unlinking from
    the queue (which leads to memory corruption) and the dummy allocated
    copy won't be released.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msg.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
Author: Jan Kara <jack@suse.cz>
Date:   Fri Mar 29 15:39:16 2013 +0100

    Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
    
    reiserfs: Fix warning and inode leak when deleting inode with xattrs
    
    After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
    started failing to delete xattrs from inode. This was due to a buggy
    test for '.' and '..' in fill_with_dentries() which resulted in passing
    '.' and '..' entries to lookup_one_len() in some cases. That returned
    error and so we failed to iterate over all xattrs of and inode.
    
    Fix the test in fill_with_dentries() along the lines of the one in
    lookup_one_len().
    
    Reported-by: Pawel Zawora <pzawora@gmail.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/xattr.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
Author: Paul Bolle <pebolle@tiscali.nl>
Date:   Wed Apr 3 12:24:45 2013 +0100

    Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
    
    ARM: 7690/1: mm: fix CONFIG_LPAE typos
    
    CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
    up the two typos under arch/arm/.
    
    The fix to head.S is slightly scary, but this is just for setting up
    an early io-mapping for the serial port when running on a big-endian,
    LPAE system. Since these systems don't exist in the wild (at least, I
    have no access to one outside of kvmtool, which doesn't provide a serial
    port suitable for earlyprintk), then we can revisit the code later if it
    causes any problems.
    
    Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/kernel/head.S  |    2 +-
 arch/arm/kernel/setup.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 984ba346b2d8f158473e9723ba145031368431ed
Author: Catalin Marinas <catalin.marinas@arm.com>
Date:   Tue Mar 26 23:35:04 2013 +0100

    Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
    
    ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
    
    On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
    all use of the old entries. This patch implements the erratum workaround
    which consists of:
    
    1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
    2. Send IPI to the CPUs that are running the same mm (and ASID) as the
       one being invalidated (or all the online CPUs for global pages).
    3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
       return code already).
    
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    
    Conflicts:
    
        arch/arm/include/asm/tlbflush.h
        arch/arm/kernel/smp_tlb.c
        arch/arm/mm/context.c

 arch/arm/Kconfig                   |   10 +++++
 arch/arm/include/asm/highmem.h     |    7 ++++
 arch/arm/include/asm/mmu_context.h |    2 +
 arch/arm/include/asm/tlbflush.h    |   15 ++++++++
 arch/arm/kernel/smp_tlb.c          |   66 ++++++++++++++++++++++++++++++++++++
 arch/arm/mm/context.c              |    6 ++-
 6 files changed, 104 insertions(+), 2 deletions(-)

commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
Author: Jan Stancek <jstancek@redhat.com>
Date:   Thu Apr 4 11:35:10 2013 -0700

    Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
    
    mm: prevent mmap_cache race in find_vma()
    
    find_vma() can be called by multiple threads with read lock
    held on mm->mmap_sem and any of them can update mm->mmap_cache.
    Prevent compiler from re-fetching mm->mmap_cache, because other
    readers could update it in the meantime:
    
                   thread 1                             thread 2
                                            |
      find_vma()                            |  find_vma()
        struct vm_area_struct *vma = NULL;  |
        vma = mm->mmap_cache;               |
        if (!(vma && vma->vm_end > addr     |
            && vma->vm_start <= addr)) {    |
                                            |    mm->mmap_cache = vma;
        return vma;                         |
         ^^ compiler may optimize this      |
            local variable out and re-read  |
            mm->mmap_cache                  |
    
    This issue can be reproduced with gcc-4.8.0-1 on s390x by running
    mallocstress testcase from LTP, which triggers:
    
      kernel BUG at mm/rmap.c:1088!
        Call Trace:
         ([<000003d100c57000>] 0x3d100c57000)
          [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
          [<000000000023baae>] handle_pte_fault+0x41a/0xac8
          [<000000000023d832>] handle_mm_fault+0x17a/0x268
          [<000000000060507a>] do_protection_exception+0x1e2/0x394
          [<0000000000603a04>] pgm_check_handler+0x138/0x13c
          [<000003fffcf1f07a>] 0x3fffcf1f07a
        Last Breaking-Event-Address:
          [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
    
    Thanks to Jakub Jelinek for his insight on gcc and helping to
    track this down.
    
    Signed-off-by: Jan Stancek <jstancek@redhat.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c  |    2 +-
 mm/nommu.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 53f5096daa14967938bc154e6c41f9119863fb36
Merge: e988d7c 0a45285
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 5 17:32:31 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/net/ethernet/broadcom/tg3.c

commit 0a452855444d02502df6eb21ef3083cf303f71e1
Merge: 0277fa1 00cfbb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 5 17:31:15 2013 -0400

    Update to pax-linux-3.8.6-test16.patch:
    - fixed some attribute leakage into userland headers, patch by Mathias Krause
    - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
    
    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        drivers/gpu/drm/i915/intel_display.c

commit e988d7c8d946c816a2cb97f0d38048a1584966b8
Merge: baec40e 0277fa1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:05:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0277fa123b486cf11420967e4568d7653e225fd3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:04:48 2013 -0400

    Update to pax-linux-3.8.5-test15.patch:
    - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
    - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)

 drivers/media/pci/cx88/cx88-video.c |    6 +++---
 include/net/net_namespace.h         |    4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

commit baec40e6708fd5ae2000cad6c70c5980c998b91c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 19:50:32 2013 -0400

    fix compilation as reported on forums for gcc versions lacking plugin
    support

 include/net/net_namespace.h |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
Merge: 6b69c35 0db9d15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:47:27 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0db9d156826bdd50510086fde837648a3dfd370e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:46:05 2013 -0400

    Update to pax-linux-3.8.5-test14.patch:
    - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table

 arch/x86/include/asm/uaccess_64.h |    6 +-
 include/linux/moduleloader.h      |    4 +-
 tools/gcc/size_overflow_hash.data |   98 +++++++++++++++++++++----------------
 3 files changed, 61 insertions(+), 47 deletions(-)

commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:35:06 2013 -0400

    remove duplicate compiler.h

 include/linux/sysrq.h |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 01e1d503fd2220adaaec0b92ea19441bdff73555
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 19:53:50 2013 -0400

    fix intentional_overflow marking on sys_sendto

 include/linux/syscalls.h |    2 +-
 net/socket.c             |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit cd5ff114d958470f471c63775278e8c05e774630
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 18:46:16 2013 -0400

    fix size_overflow false positive

 kernel/futex_compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 295ba16cc53df2375261accbedd6575ea327770a
Merge: 18340f1 278a989
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:36:18 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/exec.c
        include/linux/thread_info.h

commit 278a989c831d62193c7b3d119fe2302babd45d12
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:34:34 2013 -0400

    Resync with pax-linux-3.8.5-test13.patch

 arch/arm/include/asm/pgtable.h |    3 ++-
 arch/arm/lib/delay.c           |    1 +
 fs/exec.c                      |    8 ++++----
 include/linux/compiler.h       |    1 +
 include/linux/proc_fs.h        |    2 +-
 include/linux/thread_info.h    |    6 +++---
 include/linux/zlib.h           |    3 ++-
 init/main.c                    |    4 ++--
 kernel/user_namespace.c        |    2 +-
 lib/list_debug.c               |    4 ++--
 mm/slab.c                      |    1 +
 mm/slob.c                      |    1 +
 mm/slub.c                      |    1 +
 net/core/sysctl_net_core.c     |    3 +--
 tools/gcc/constify_plugin.c    |    1 +
 15 files changed, 24 insertions(+), 17 deletions(-)

commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
Merge: 05f01ae e8cfeae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:30:57 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
Merge: b461cb7 aa4cfde
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:30:44 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        drivers/gpu/drm/i915/i915_gem_execbuffer.c
        fs/nfsd/vfs.c

commit 05f01ae4c3479541586a2387f916a6620889c479
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:05:39 2013 -0400

    Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
    takes user-provided length, copies up to that amount in a sockaddr_storage
    struct on the stack, then takes an upper-bounded-only user-provided length
    and copies the sockaddr_storage struct back out to userland, complete with
    uninitialized data

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit eea6ade59490784e83e08ec67322288fcf14cb31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 23:07:37 2013 -0400

    return a proper error, otherwise we could be accessing uninitialized data
    (previous define was a positive value)

 drivers/usb/storage/realtek_cr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
Merge: c3dc9a6 b461cb7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:54:24 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit b461cb7b1d85490430ef7896c247794af72c3749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:54:11 2013 -0400

    Add structleak plugin

 tools/gcc/structleak_plugin.c |  270 +++++++++++++++++++++++++++++++++++++++++
 1 files changed, 270 insertions(+), 0 deletions(-)

commit c3dc9a6ef10782894bb11fd088fd712db44d8062
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:53:22 2013 -0400

    Enable structleak by default for the security auto-config

 security/Kconfig |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
Merge: d8503a3 74bec16
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:47:10 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 74bec16b657147a5575b1f14f4423a717ba317a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:46:13 2013 -0400

    Update to pax-linux-3.8.4-test13.patch:
    - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
    - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland

 Makefile                      |    5 +++-
 arch/x86/include/asm/compat.h |    2 +-
 arch/x86/mm/fault.c           |    3 +-
 fs/binfmt_elf.c               |    2 +-
 include/linux/compiler.h      |   42 ++++++++++++++--------------------------
 security/Kconfig              |   16 +++++++++++++++
 tools/gcc/Makefile            |    2 +
 tools/gcc/constify_plugin.c   |    7 +++++-
 8 files changed, 47 insertions(+), 32 deletions(-)

commit d8503a3a35d68b9ba1615d29335aef3f70d51465
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:02:40 2013 -0400

    Fix 8-byte stack infoleak in ia32_rt_sigpending
    User controls length, kernel only performs check on the upper bound, will
    fill in any amount less than sizeof(sigset_t) via a copy_to_user under
    KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
    regardless of whether the sigset_t content copied into it has been initialized
    or not

 arch/x86/ia32/sys_ia32.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 26 21:05:05 2013 -0400

    commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
    Author: J. Bruce Fields <bfields@redhat.com>
    Date:   Tue Mar 26 14:11:13 2013 -0400
    
        nfsd4: reject "negative" acl lengths
    
        Since we only enforce an upper bound, not a lower bound, a "negative"
        length can get through here.
    
        The symptom seen was a warning when we attempt to a kmalloc with an
        excessive size.
    
        Reported-by: Toralf Förster <toralf.foerster@gmx.de>
        Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 fs/nfsd/nfs4xdr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
Author: Jeff Layton <jlayton@redhat.com>
Date:   Mon Mar 11 09:52:19 2013 -0400

    Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
    
    cifs: ignore everything in SPNEGO blob after mechTypes
    
    We've had several reports of people attempting to mount Windows 8 shares
    and getting failures with a return code of -EINVAL. The default sec=
    mode changed recently to sec=ntlmssp. With that, we expect and parse a
    SPNEGO blob from the server in the NEGOTIATE reply.
    
    The current decode_negTokenInit function first parses all of the
    mechTypes and then tries to parse the rest of the negTokenInit reply.
    The parser however currently expects a mechListMIC or nothing to follow the
    mechTypes, but Windows 8 puts a mechToken field there instead to carry
    some info for the new NegoEx stuff.
    
    In practice, we don't do anything with the fields after the mechTypes
    anyway so I don't see any real benefit in continuing to parse them.
    This patch just has the kernel ignore the fields after the mechTypes.
    We'll probably need to reinstate some of this if we ever want to support
    NegoEx.
    
    Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
    Reported-by: Yan Li <elliot.li.tech@gmail.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Steve French <sfrench@us.ibm.com>

 fs/cifs/asn1.c |   53 +++++------------------------------------------------
 1 files changed, 5 insertions(+), 48 deletions(-)

commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
Merge: 93ff726 0deb54c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:35:15 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:35:05 2013 -0400

    fix typo

 arch/x86/mm/ioremap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
Merge: be9f8b8 f95e53a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:30:06 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f95e53abadb6e4665866e4502ff9f518514193e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:29:25 2013 -0400

    Update to pax-linux-3.8.4-test12.patch:
    
    - fixed perf compilation reported by Michael Tremer
    - fixed USERCOPY reports triggered by SCTP, reported by mcp
    - last fix for aslr gap accounting, promise (thanks to spender)

 arch/x86/mm/ioremap.c                    |    3 +++
 fs/binfmt_elf.c                          |    5 ++---
 mm/mmap.c                                |    2 +-
 net/sctp/socket.c                        |   19 +++++++++++++++----
 tools/perf/util/include/linux/compiler.h |    8 ++++++++
 5 files changed, 29 insertions(+), 8 deletions(-)

commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 16:48:34 2013 -0400

    From: Al Viro <viro@ZenIV.linux.org.uk>
    To: Brad Spengler <spender@grsecurity.net>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    
    Umm...  I see what you are describing, and AFAICS you are correct; let me
    see if I am misreading your analysis:
            * vfsmount_lock may act fair; A holding it shared, with B spinning
    on attempt to take it exclusive may lead to C spinning on attempt to take
    it shared.
            * path_is_under() tries get rename_lock while holding vfsmount_lock
    shared.
            * d_path() et.al. try to take vfsmount_lock shared, while holding
    rename_lock.
    
    All true and yes, it's a bug (I'd probably classify it as a livelock, but
    that doesn't make any real difference).  There are three possible solutions,
    AFAICS:
            1) two-liner in path_is_under() replacing the use of vfsmount_lock
    with that of namespace_sem; trivial, but results in function unexpectedly
    blocking.  The current callers are fine with that, but it's a trouble
    waiting to happen.
            2) replace write_seqlock() in prepend_path() callers with
    read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
    is_subdir() we need more than just ->d_parent not pointing to something
    freed - we also care about ->d_name.len being in sync with ->d_name.name.
    It probably can be worked around, but...
    
            3) declare that rename_lock nests inside vfsmount_lock and let
    the callers of prepend_path() take vfsmount_lock().  I'd probably prefer
    that one...
    
    Nest rename_lock inside vfsmount_lock
    
    ... lest we get livelocks between path_is_under() and d_path() and friends.
    
    [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
      the issue ]
    
    Spotted-by: Brad Spengler <spender@grsecurity.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/dcache.c        |   16 +++++++++++-----
 grsecurity/gracl.c |   20 ++++++++++----------
 2 files changed, 21 insertions(+), 15 deletions(-)

commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Mar 22 11:44:04 2013 -0700

    Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
    
    vfs,proc: guarantee unique inodes in /proc
    
    Dave Jones found another /proc issue with his Trinity tool: thanks to
    the namespace model, we can have multiple /proc dentries that point to
    the same inode, aliasing directories in /proc/<pid>/net/ for example.
    
    This ends up being a total disaster, because it acts like hardlinked
    directories, and causes locking problems.  We rely on the topological
    sort of the inodes pointed to by dentries, and if we have aliased
    directories, that odering becomes unreliable.
    
    In short: don't do this.  Multiple dentries with the same (directory)
    inode is just a bad idea, and the namespace code should never have
    exposed things this way.  But we're kind of stuck with it.
    
    This solves things by just always allocating a new inode during /proc
    dentry lookup, instead of using "iget_locked()" to look up existing
    inodes by superblock and number.  That actually simplies the code a bit,
    at the cost of potentially doing more inode [de]allocations.
    
    That said, the inode lookup wasn't free either (and did a lot of locking
    of inodes), so it is probably not that noticeable.  We could easily keep
    the old lookup model for non-directory entries, but rather than try to
    be excessively clever this just implements the minimal and simplest
    workaround for the problem.
    
    Reported-and-tested-by: Dave Jones <davej@redhat.com>
    Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/inode.c

 fs/proc/inode.c |    9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
Author: Vladimir Davydov <vdavydov@parallels.com>
Date:   Fri Mar 22 15:04:51 2013 -0700

    Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
    
    mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
    
    mnt_drop_write() must be called only if mnt_want_write() succeeded,
    otherwise the mnt_writers counter will diverge.
    
    mnt_writers counters are used to check if remounting FS as read-only is
    OK, so after an extra mnt_drop_write() call, it would be impossible to
    remount mqueue FS as read-only.  Besides, on umount a warning would be
    printed like this one:
    
      =====================================
      [ BUG: bad unlock balance detected! ]
      3.9.0-rc3 #5 Not tainted
      -------------------------------------
      a.out/12486 is trying to release lock (sb_writers) at:
      mnt_drop_write+0x1f/0x30
      but there are no more locks to release!
    
    Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
    Cc: Doug Ledford <dledford@redhat.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/mqueue.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 13:02:32 2013 -0400

    Don't use constify plugin if not enabled in config,
    reported by Alexey Vlasov

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3afb82e020593249ac394e9859397c3e0ef5341c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:50:13 2013 -0400

    oded 0day #2
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 20

 drivers/net/ethernet/broadcom/tg3.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:15:50 2013 -0400

    oded 0day #1
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 18

 drivers/net/wireless/zd1211rw/zd_usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:13:12 2013 -0400

    remove warning on accessing this /proc entry, HIDESYM already caught the infoleak

 drivers/gpu/drm/i915/i915_debugfs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 44cb11a9470f72157601d0ad4d572d111f90f504
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 18:11:42 2013 -0400

    use VM_DONTDUMP

 fs/binfmt_elf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:53:09 2013 -0400

    fix recent RLIMIT_AS changes (due to vm_flags typo)
    
    Conflicts:
    
        fs/binfmt_elf.c

 fs/binfmt_elf.c |    2 +-
 mm/mmap.c       |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit fd5f0d92b0fbec02029dad124501a9c80e527a32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:08:48 2013 -0400

    complete_walk drops rcu-walk mode, no need for our own dropping
    method outside of generic_permission

 fs/namei.c |   30 ------------------------------
 1 files changed, 0 insertions(+), 30 deletions(-)

commit b49ab1c73edb6442eec609b26bba4d850b3111b6
Merge: 5e9a707 783ade9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 21:56:28 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 21:55:31 2013 -0400

    Update to pax-linux-3.8.3-test11.patch:
    - rewrote the ASLR gap accounting code once again
    - fixed ptrace compat bug found by the size overflow plugin

 fs/binfmt_elf.c          |   25 ++++++++++++-------------
 fs/exec.c                |    7 ++-----
 include/linux/compat.h   |    2 +-
 include/linux/mm.h       |    5 +++++
 include/linux/mm_types.h |    2 +-
 kernel/ptrace.c          |    2 +-
 mm/mmap.c                |   15 ++++++++++-----
 7 files changed, 32 insertions(+), 26 deletions(-)

commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 19:37:33 2013 -0400

    Make the constify plugin usage actually depend on the introduced config option
    (it was still forced on)

 tools/gcc/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1974b4f58d9d729c80ac1987785446115304a54c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 16:12:38 2013 -0400

    fix failed merge

 arch/arm/mm/fault.c |   15 +++------------
 1 files changed, 3 insertions(+), 12 deletions(-)

commit 675a8ab4a8fe8315df348735a37a302a7535224c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 23:36:14 2013 -0400

    From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
    From: Kees Cook <keescook@chromium.org>
    Date: Sun, 10 Mar 2013 20:09:31 +0000
    Subject: drm/i915: bounds check execbuffer relocation count
    
    It is possible to wrap the counter used to allocate the buffer for
    relocation copies. This could lead to heap writing overflows.
    
    CVE-2013-0913
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Reported-by: Pinkie Pie
    Cc: stable@vger.kernel.org

 drivers/gpu/drm/i915/i915_gem_execbuffer.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:48:10 2013 -0800

    Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
    
    KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
    
    There is a potential use after free issue with the handling of
    MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or removable
    memory such as frame buffers then KVM might continue to write to that
    address even after it's removed via KVM_SET_USER_MEMORY_REGION.  KVM pins
    the page in memory so it's unlikely to cause an issue, but if the user
    space component re-purposes the memory previously used for the guest, then
    the guest will be able to corrupt that memory.
    
    Tested: Tested against kvmclock unit test
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/include/asm/kvm_host.h |    4 +-
 arch/x86/kvm/x86.c              |   47 ++++++++++++++++----------------------
 2 files changed, 22 insertions(+), 29 deletions(-)

commit 0bcac31b57c381001feb69fd6ec8069e61e03432
Author: Andy Honig <ahonig@google.com>
Date:   Mon Mar 11 09:34:52 2013 -0700

    Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
    
    KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
    
    If the guest sets the GPA of the time_page so that the request to update the
    time straddles a page then KVM will write onto an incorrect page.  The
    write is done byusing kmap atomic to get a pointer to the page for the time
    structure and then performing a memcpy to that page starting at an offset
    that the guest controls.  Well behaved guests always provide a 32-byte aligned
    address, however a malicious guest could use this to corrupt host kernel
    memory.
    
    Tested: Tested against kvmclock unit test.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/kvm/x86.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 695c59887e4ec10b0b695ab4f645d1226c433be0
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:49:16 2013 -0800

    Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
    
    KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
    
    If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
    that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
    that request.  ioapic_read_indirect contains an
    ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
    non-debug builds.  In recent kernels this allows a guest to cause a kernel
    oops by reading invalid memory.  In older kernels (pre-3.3) this allows a
    guest to read from large ranges of host memory.
    
    Tested: tested against apic unit tests.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 virt/kvm/ioapic.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
Merge: aec3cd4 c522e3a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 19:38:25 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
Merge: c57d855 405acc3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 19:38:11 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 19:56:04 2013 -0400

    include linux/compiler.h

 include/linux/zlib.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:42:20 2013 -0400

    fix missing sock_release()

 net/irda/af_irda.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit dd65c05cd24faf8946d4941434a553ee285c35a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:36:17 2013 -0400

    fix mpt fusion infoleak

 drivers/message/fusion/mptbase.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:33:45 2013 -0400

    Fix size_overflow false positive reported by slashbeast

 include/linux/zlib.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:35:36 2013 -0400

    fix up failed merge

 arch/arm/mm/fault.c |    9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:34:36 2013 -0400

    update documentation on consequences of building without gcc plugin support

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:18:13 2013 -0400

    fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums

 init/main.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f00195c633f91cfbd8c1f530d2c371b713026e20
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 22:27:33 2013 -0400

    Fix compile error reported by KDE on the forums

 kernel/user_namespace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
Merge: 0949569 c57d855
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 22:20:46 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/mm/fault.c
        arch/x86/mm/fault.c
        fs/exec.c

commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 21:22:03 2013 -0400

    Update to pax-linux-3.8.2-test9.patch:
     arm changes from spender
      - removed userland access to the vectors page
      - removed obsolete sigreturn trampoline handling
      - added emulation for __kuser_get_tls
      - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
    - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
    - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
    - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
    - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
    - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
      and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.

 arch/arm/kernel/process.c                     |    5 +-
 arch/arm/kernel/signal.c                      |   24 +-
 arch/arm/kernel/traps.c                       |    7 -
 arch/arm/mm/alignment.c                       |    8 +
 arch/arm/mm/fault.c                           |   23 +-
 arch/arm/mm/mmu.c                             |    2 +-
 arch/x86/include/asm/bitops.h                 |    2 +-
 arch/x86/include/asm/desc.h                   |    2 +-
 arch/x86/include/asm/div64.h                  |    2 +-
 arch/x86/include/asm/io.h                     |    8 +-
 arch/x86/include/asm/paravirt.h               |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c |   16 +-
 arch/x86/kernel/setup_percpu.c                |    2 +-
 arch/x86/mm/fault.c                           |    4 +-
 arch/x86/mm/numa.c                            |    2 +-
 arch/x86/mm/physaddr.c                        |    4 +-
 drivers/ata/libahci.c                         |    2 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c    |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c       |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c        |    2 +-
 drivers/lguest/page_tables.c                  |    2 +-
 drivers/net/wireless/at76c50x-usb.c           |    2 +-
 drivers/oprofile/oprofile_files.c             |    2 +-
 drivers/power/power_supply_core.c             |    1 +
 drivers/usb/core/message.c                    |    2 +-
 fs/befs/endian.h                              |    4 +-
 fs/binfmt_elf.c                               |    5 +-
 fs/exec.c                                     |    4 +-
 fs/qnx6/qnx6.h                                |    4 +-
 fs/sysv/sysv.h                                |    2 +-
 fs/ubifs/io.c                                 |    2 +-
 fs/ufs/swab.h                                 |    4 +-
 include/linux/compat.h                        |    4 +-
 include/linux/completion.h                    |    6 +-
 include/linux/cpumask.h                       |   12 +-
 include/linux/ctype.h                         |    2 +-
 include/linux/err.h                           |    4 +-
 include/linux/math64.h                        |    6 +-
 include/linux/sched.h                         |    2 +-
 include/linux/unaligned/access_ok.h           |   12 +-
 include/linux/usb.h                           |    2 +-
 include/uapi/linux/byteorder/little_endian.h  |    4 +-
 include/uapi/linux/swab.h                     |    6 +-
 kernel/sched/core.c                           |    6 +-
 kernel/signal.c                               |    3 +
 kernel/time.c                                 |    2 +-
 kernel/timer.c                                |    2 +-
 lib/div64.c                                   |    4 +-
 mm/page-writeback.c                           |    2 +-
 net/socket.c                                  |    2 +
 scripts/package/builddeb                      |    1 +
 tools/gcc/size_overflow_hash.data             | 8869 +++++++++++++++----------
 tools/gcc/size_overflow_plugin.c              | 1072 ++--
 53 files changed, 6227 insertions(+), 3951 deletions(-)

commit 09495691bb31f11ec14d9127429f9a0f3f716f22
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:51:50 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit deb85b00d0f9f886e264e116313f298401ec5c59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:03:33 2013 -0400

    Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
    with a subject applied to it with RES_CPU.  Otherwise, the limit will only
    begin to be applied at fork time.
    
    Thanks to Bjornar Ness for the report.

 grsecurity/gracl.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 2126421f123513f604ceef2b23ba9ed516de7e58
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:07:43 2013 -0400

    Move inode auditing prior to our refcnt dropping

 fs/namei.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:00:30 2013 -0400

    Drop reference on completed path walked in RCU mode or when violating
    the chroot fchdir check inside a chroot -- possible culprit for a reported
    vfsmount_lock hang during unmount

 fs/namei.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 16:43:45 2013 -0400

    add user_arg_ptr back to exec.c

 fs/exec.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 11:22:36 2013 -0400

    Don't globally include compat.h -- with the new X32 support it
    changes some definitions involving ELF binaries resulting in invalid
    coredumps, as reported by KDE on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
    Thanks to the PaX Team for debugging

 fs/exec.c                  |    3 +++
 grsecurity/grsec_exec.c    |   13 +++++++++++++
 include/linux/grsecurity.h |   15 ---------------
 3 files changed, 16 insertions(+), 15 deletions(-)

commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:59:26 2013 -0400

    Add peer information to /proc/net/unix from Kenan Kalajdzic:
    http://marc.info/?l=linux-netdev&m=126745636809191&w=2
    
    We use a "P" prefix to the inode number instead of "peer=".  This
    additional information can be used, for instance, to find what processes
    are connected to MySQL's unix domain socket.

 net/unix/af_unix.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 1cd623d11a462d151ea8a5cace4521e1724911a3
Author: Oliver Neukum <oneukum@suse.de>
Date:   Tue Mar 12 14:52:42 2013 +0100

    Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
    
    USB: cdc-wdm: fix buffer overflow
    
    The buffer for responses must not overflow.
    If this would happen, set a flag, drop the data and return
    an error after user space has read all remaining data.
    
    Signed-off-by: Oliver Neukum <oliver@neukum.org>
    CC: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/usb/class/cdc-wdm.c |   23 ++++++++++++++++++++---
 1 files changed, 20 insertions(+), 3 deletions(-)

commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
Merge: 9cdf9bc db4cb92
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:23:14 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/keys/compat.c

commit db4cb924546e3fec3a59f78d056f48176eaf7100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:22:24 2013 -0400

    Update to pax-linux-3.8.2-test8.patch

 arch/arm/include/asm/cache.h                |    2 ++
 arch/arm/mach-omap2/gpmc.c                  |   22 ++++++++++++----------
 arch/arm/mach-omap2/omap_device.c           |    4 ++--
 arch/arm/mach-omap2/omap_device.h           |    4 ++--
 arch/arm/plat-orion/include/plat/addr-map.h |    2 +-
 5 files changed, 19 insertions(+), 15 deletions(-)

commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
Merge: 3c865f9 1a45c31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:20:54 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/arm/include/asm/delay.h
        arch/arm/include/asm/pgtable.h
        arch/arm/lib/delay.c
        security/keys/compat.c

commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Tue Mar 12 02:59:49 2013 +0000

    Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
    
    vfs: fix pipe counter breakage
    
    If you open a pipe for neither read nor write, the pipe code will not
    add any usage counters to the pipe, causing the 'struct pipe_inode_info"
    to be potentially released early.
    
    That doesn't normally matter, since you cannot actually use the pipe,
    but the pipe release code - particularly fasync handling - still expects
    the actual pipe infrastructure to all be there.  And rather than adding
    NULL pointer checks, let's just disallow this case, the same way we
    already do for the named pipe ("fifo") case.
    
    This is ancient going back to pre-2.4 days, and until trinity, nobody
    naver noticed.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/pipe.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date:   Mon Feb 25 10:20:36 2013 -0500

    Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
    
    Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
    
    Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
    compat_process_vm_rw() shows that the compatibility code requires an
    explicit "access_ok()" check before calling
    compat_rw_copy_check_uvector(). The same difference seems to appear when
    we compare fs/read_write.c:do_readv_writev() to
    fs/compat.c:compat_do_readv_writev().
    
    This subtle difference between the compat and non-compat requirements
    should probably be debated, as it seems to be error-prone. In fact,
    there are two others sites that use this function in the Linux kernel,
    and they both seem to get it wrong:
    
    Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
    also ends up calling compat_rw_copy_check_uvector() through
    aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
    be missing. Same situation for
    security/keys/compat.c:compat_keyctl_instantiate_key_iov().
    
    I propose that we add the access_ok() check directly into
    compat_rw_copy_check_uvector(), so callers don't have to worry about it,
    and it therefore makes the compat call code similar to its non-compat
    counterpart. Place the access_ok() check in the same location where
    copy_from_user() can trigger a -EFAULT error in the non-compat code, so
    the ABI behaviors are alike on both compat and non-compat.
    
    While we are here, fix compat_do_readv_writev() so it checks for
    compat_rw_copy_check_uvector() negative return values.
    
    And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
    handling.
    
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        security/keys/compat.c

 fs/compat.c            |   15 +++++++--------
 mm/process_vm_access.c |    8 --------
 security/keys/compat.c |    3 ++-
 3 files changed, 9 insertions(+), 17 deletions(-)

commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 11 18:38:38 2013 -0400

    Fix leak of signal handler addresses across execve, found by Emese Revfy

 kernel/signal.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 79b130c4b11c7940daf2b33d653a17666331c634
Merge: 6480ce9 3c865f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 20:04:03 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 20:03:12 2013 -0400

    Update to pax-linux-3.8.2-test7.patch:
    - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
    - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)

 fs/binfmt_elf.c                   |    3 ++-
 fs/exec.c                         |    3 +++
 include/linux/mm_types.h          |    2 +-
 init/main.c                       |    4 ++--
 mm/mmap.c                         |    2 +-
 mm/page_alloc.c                   |    4 ++--
 tools/gcc/latent_entropy_plugin.c |   11 +++++++----
 7 files changed, 18 insertions(+), 11 deletions(-)

commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
Merge: 4a5305e 25b3569
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 10:41:16 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 25b356980568bed9958315bb5a551fdc610055ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 10:40:48 2013 -0400

    Update to pax-linux-3.8.2-test6.patch:
    - fixed a KERNEXEC false positive on arm reported by Gu1
    - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
    - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
    - added fix from spender for some namespace breakage reported by zakalwe
    - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot

 Documentation/kernel-parameters.txt |    5 +++++
 arch/arm/kernel/patch.c             |    2 ++
 arch/x86/kernel/sys_i386_32.c       |    5 +++--
 drivers/acpi/blacklist.c            |    2 +-
 drivers/video/aty/mach64_cursor.c   |    1 +
 init/main.c                         |    4 ----
 mm/page_alloc.c                     |   27 +++++++++++++++++++++++++++
 net/ipv4/ip_fragment.c              |    2 +-
 security/Kconfig                    |    5 +++++
 tools/gcc/latent_entropy_plugin.c   |    7 +++++--
 10 files changed, 50 insertions(+), 10 deletions(-)

commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 11:19:06 2013 -0500

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
            Stephen Hemminger <stephen@networkplumber.org>
    Subject: [PATCH 1/3] bridge: fix mdb info leaks
    Date: Sat,  9 Mar 2013 16:52:19 +0100
    
    The bridging code discloses heap and stack bytes via the RTM_GETMDB
    netlink interface and via the notify messages send to group RTNLGRP_MDB
    afer a successful add/del.
    
    Fix both cases by initializing all unset members/padding bytes with
    memset(0).
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
    Date: Sat,  9 Mar 2013 16:52:20 +0100
    
    Initialize the mac address buffer with 0 as the driver specific function
    will probably not fill the whole buffer. In fact, all in-kernel drivers
    fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
    bytes. Therefore we currently leak 26 bytes of stack memory to userland
    via the netlink interface.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
    Date: Sat,  9 Mar 2013 16:52:21 +0100
    
    The dcb netlink interface leaks stack memory in various places:
    * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
      copied completely,
    * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
      so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
      for ieee_pfc structs, etc.,
    * the same is true for CEE -- no in-kernel driver fills the whole
      struct,
    
    Prevent all of the above stack info leaks by properly initializing the
    buffers/structures involved.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/bridge/br_mdb.c  |    4 ++++
 net/core/rtnetlink.c |    1 +
 net/dcb/dcbnl.c      |    8 ++++++++
 3 files changed, 13 insertions(+), 0 deletions(-)

commit 601dd446f896e3a362f706943df18a68d50420a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 09:35:25 2013 -0500

    add open/close wrappers in __patch_text() as reported by Gu1 on IRC

 arch/arm/kernel/patch.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ae39966fd85a493e9079b357e3faa62245a41222
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Fri Mar 8 12:43:27 2013 -0800

    Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
    
    ipc: don't allocate a copy larger than max
    
    When MSG_COPY is set, a duplicate message must be allocated for the copy
    before locking the queue.  However, the copy could not be larger than was
    sent which is limited to msg_ctlmax.
    
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msg.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 61240e99650ea3e540a03a3e994349c5086f166b
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Fri Mar 8 12:43:26 2013 -0800

    Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
    
    ipc: fix potential oops when src msg > 4k w/ MSG_COPY
    
    If the src msg is > 4k, then dest->next points to the
    next allocated segment; resetting it just prior to dereferencing
    is bad.
    
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msgutil.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 51727f602a267f34fb2e0dc9557f1714028d51a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 22:14:06 2013 -0500

    add missing 'else' in recent constify fixups

 net/ipv4/ip_fragment.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
Merge: 1580bb3 47c3f47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:18:37 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:17:22 2013 -0500

    Update to pax-linux-3.8.2-test5.patch:
    - fixed some fallout after the last round of constification changes, reported by several people

 arch/arm/common/gic.c                   |    4 ++--
 arch/arm/include/asm/hardware/gic.h     |    3 ++-
 arch/x86/include/asm/nmi.h              |    2 +-
 arch/x86/kernel/nmi.c                   |    2 +-
 arch/x86/pci/irq.c                      |    2 +-
 drivers/base/power/domain.c             |    4 ++--
 drivers/cpufreq/cpufreq_governor.c      |    4 ++--
 drivers/mfd/twl4030-irq.c               |    1 +
 drivers/video/vesafb.c                  |    7 +++++--
 include/linux/irq.h                     |    1 +
 include/linux/pm_domain.h               |    2 +-
 kernel/sched/core.c                     |    4 ++++
 lib/Kconfig.debug                       |    4 ++--
 net/core/sysctl_net_core.c              |    2 +-
 net/decnet/af_decnet.c                  |    1 +
 net/ipv4/devinet.c                      |    2 +-
 net/ipv4/ip_fragment.c                  |    2 +-
 net/ipv4/route.c                        |    2 +-
 net/ipv4/sysctl_net_ipv4.c              |    2 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c |    2 +-
 net/ipv6/reassembly.c                   |    2 +-
 scripts/sortextable.h                   |    6 +++---
 22 files changed, 36 insertions(+), 25 deletions(-)

commit 1580bb38b4db0bf2a46316599815e8b234edad81
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 22:02:59 2013 -0500

    add an additional open/close wrapper

 kernel/sched/core.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 21622672d28d58e0d93a805cd1f9650a894a752a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 21:58:24 2013 -0500

    fix oops at shutdown with new constify code

 kernel/sched/core.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 21:18:44 2013 -0500

    Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
    it currently conflicts with some lock debugging options, so made as an
    option to allow for debugging when necessary

 Makefile          |    2 --
 lib/Kconfig.debug |    6 +++---
 security/Kconfig  |   18 ++++++++++++++++++
 3 files changed, 21 insertions(+), 5 deletions(-)

commit 0885b00b8373a1597b69c38032a0c9eee279303b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:55:19 2013 -0500

    disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify

 lib/Kconfig.debug |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c8a2617165e7127a54f293cbf57d22d50dd83abd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:30:41 2013 -0500

    Fix error:
    drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
    with cast and proper kernexec accessors

 drivers/video/vesafb.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:20:28 2013 -0500

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:12:17 2013 -0500

    fix compilation error -- no reason for task_pid_nr to not take a const task ptr

 include/linux/sched.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
Author: Kees Cook <keescook@chromium.org>
Date:   Mon Feb 25 21:32:25 2013 +0000

    Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
    
    proc connector: reject unprivileged listener bumps
    
    While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
    for an unprivileged user to turn off notifications for all listeners by
    sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
    required for a multicast bind.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Evgeniy Polyakov <zbr@ioremap.net>
    Cc: Matt Helsley <matthltc@us.ibm.com>
    Cc: stable@vger.kernel.org
    Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
    Acked-by: Matt Helsley <matthltc@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/connector/cn_proc.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit ac6014ded57101e3e608941555ff507e20c1ece3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Feb 26 19:15:02 2013 +0000

    Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
    
    irda: small read beyond end of array in debug code
    
    charset comes from skb->data.  It's a number in the 0-255 range.
    If we have debugging turned on then this could cause a read beyond
    the end of the array.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/iriap.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Wed Feb 27 10:57:31 2013 +0000

    Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
    
    net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
    
    Building sctp may fail with:
    
    In function ‘copy_from_user’,
        inlined from ‘sctp_getsockopt_assoc_stats’ at
        net/sctp/socket.c:5656:20:
    arch/x86/include/asm/uaccess_32.h:211:26: error: call to
        ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
        buffer size is not provably correct
    
    if built with W=1 due to a missing parameter size validation
    before the call to copy_from_user.
    
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Fri Mar 1 05:02:02 2013 +0000

    Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
    
    l2tp: Restore socket refcount when sendmsg succeeds
    
    The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
    reference counter after successful transmissions. Any successful
    sendmsg() call from userspace will then increase the reference counter
    forever, thus preventing the kernel's session and tunnel data from
    being freed later on.
    
    The problem only happens when writing directly on L2TP sockets.
    PPP sockets attached to L2TP are unaffected as the PPP subsystem
    uses pppol2tp_xmit() which symmetrically increase/decrease reference
    counters.
    
    This patch adds the missing call to sock_put() before returning from
    pppol2tp_sendmsg().
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:18:11 2013 +0000

    Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
    
    rds: limit the size allocated by rds_message_alloc()
    
    Dave Jones reported the following bug:
    
    "When fed mangled socket data, rds will trust what userspace gives it,
    and tries to allocate enormous amounts of memory larger than what
    kmalloc can satisfy."
    
    WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
    Hardware name: GA-MA78GM-S2H
    Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
    Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
    Call Trace:
     [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
     [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
     [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
     [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
     [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
     [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
     [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
     [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
     [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
     [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
     [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
     [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
     [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
     [<ffffffff81567f30>] sys_sendto+0x130/0x180
     [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
     [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
     [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
     [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
     [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
     [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
    ---[ end trace eed6ae990d018c8b ]---
    
    Reported-by: Dave Jones <davej@redhat.com>
    Cc: Dave Jones <davej@redhat.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/message.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:28:27 2013 +0000

    Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
    
    sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
    
    Don't definite its own MAX_KMALLOC_SIZE, use the one
    defined in mm.
    
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Cc: Sridhar Samudrala <sri@us.ibm.com>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/ssnmap.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit 4295a024e812f903fc580c81de5e81cc149503fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:57:49 2013 -0500

    Upstream commit: https://lkml.org/lkml/2013/3/6/535

 security/keys/process_keys.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 33edd486a9899a145a15586d7134636b0300aaee
Merge: 4eeeaf3 a2a2094
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:53:00 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/include/asm/domain.h

commit a2a20947f5e1332e474160a39af520738b3c8c19
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:51:04 2013 -0500

    Update to pax-linux-3.8.2-test4.patch:
     fixed arm compilation problems reported by Michael Tremer
    - the constify plugin got smarter that enabled, with some additional patching,
      the elimination of about half the static function pointers on amd64/allmod
      (up from about 18%), depending on the kernel config it can be even more (70%)

 Documentation/dontdiff                        |    2 +
 arch/arm/include/asm/domain.h                 |    1 +
 arch/x86/include/asm/i8259.h                  |    2 +-
 arch/x86/include/asm/nmi.h                    |    4 +-
 arch/x86/kernel/acpi/boot.c                   |    4 +-
 arch/x86/kernel/apic/apic_noop.c              |    2 +-
 arch/x86/kernel/apic/es7000_32.c              |    2 +-
 arch/x86/kernel/apic/io_apic.c                |   10 +-
 arch/x86/kernel/cpu/mcheck/mce.c              |    2 +-
 arch/x86/kernel/cpu/perf_event.c              |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h |    2 +-
 arch/x86/kernel/i8259.c                       |    6 +-
 arch/x86/kernel/io_delay.c                    |    2 +-
 arch/x86/kernel/nmi.c                         |    6 +-
 arch/x86/kernel/nmi_selftest.c                |    4 +-
 arch/x86/kernel/pci-swiotlb.c                 |    2 +-
 arch/x86/oprofile/nmi_int.c                   |    8 +-
 arch/x86/oprofile/op_model_amd.c              |    8 +-
 arch/x86/oprofile/op_model_ppro.c             |    7 +-
 arch/x86/oprofile/op_x86_model.h              |    2 +-
 arch/x86/pci/irq.c                            |    6 +-
 drivers/acpi/apei/apei-internal.h             |    2 +-
 drivers/acpi/bgrt.c                           |    6 +-
 drivers/acpi/blacklist.c                      |    2 +-
 drivers/acpi/processor_idle.c                 |    2 +-
 drivers/acpi/sysfs.c                          |    4 +-
 drivers/base/bus.c                            |    4 +-
 drivers/base/node.c                           |    2 +-
 drivers/base/syscore.c                        |    4 +-
 drivers/block/drbd/drbd_receiver.c            |    4 +-
 drivers/char/random.c                         |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                |   20 ++-
 drivers/cpufreq/cpufreq.c                     |    7 +-
 drivers/cpufreq/cpufreq_governor.c            |    4 +-
 drivers/cpufreq/cpufreq_governor.h            |    2 +-
 drivers/cpufreq/p4-clockmod.c                 |   12 +-
 drivers/cpufreq/speedstep-centrino.c          |    7 +-
 drivers/cpuidle/cpuidle.c                     |    2 +-
 drivers/cpuidle/governor.c                    |    4 +-
 drivers/cpuidle/sysfs.c                       |    2 +-
 drivers/devfreq/devfreq.c                     |    4 +-
 drivers/edac/edac_mc_sysfs.c                  |    2 +-
 drivers/edac/edac_pci_sysfs.c                 |    2 +-
 drivers/firewire/core-device.c                |    2 +-
 drivers/firmware/dmi-id.c                     |    2 +-
 drivers/firmware/efivars.c                    |    2 +-
 drivers/firmware/google/memconsole.c          |    4 +-
 drivers/gpio/gpio-ich.c                       |    2 +-
 drivers/gpu/drm/drm_drv.c                     |    2 +-
 drivers/gpu/drm/drm_ioc32.c                   |    9 +-
 drivers/gpu/drm/i915/i915_ioc32.c             |   11 +-
 drivers/gpu/drm/i915/intel_display.c          |   26 ++-
 drivers/gpu/drm/mga/mga_ioc32.c               |   11 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c       |    2 +-
 drivers/gpu/drm/r128/r128_ioc32.c             |   11 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c         |   11 +-
 drivers/gpu/drm/radeon/radeon_ttm.c           |   33 ++--
 drivers/gpu/drm/udl/udl_fb.c                  |    1 -
 drivers/hwmon/acpi_power_meter.c              |    4 +-
 drivers/hwmon/applesmc.c                      |    2 +-
 drivers/hwmon/asus_atk0110.c                  |   10 +-
 drivers/hwmon/ibmaem.c                        |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c              |    2 +-
 drivers/iio/industrialio-core.c               |    2 +-
 drivers/input/mouse/psmouse.h                 |    2 +-
 drivers/iommu/iommu.c                         |    2 +-
 drivers/leds/leds-clevo-mail.c                |    2 +-
 drivers/leds/leds-ss4200.c                    |    2 +-
 drivers/media/v4l2-core/v4l2-ioctl.c          |    5 +-
 drivers/mfd/twl4030-irq.c                     |    8 +-
 drivers/mfd/twl6030-irq.c                     |   10 +-
 drivers/misc/c2port/core.c                    |    4 +-
 drivers/mtd/sm_ftl.c                          |    2 +-
 drivers/net/bonding/bond_main.c               |    2 +-
 drivers/net/macvlan.c                         |   16 +-
 drivers/net/vxlan.c                           |    2 +-
 drivers/pci/hotplug/acpiphp_ibm.c             |    4 +-
 drivers/pci/hotplug/pci_hotplug_core.c        |    6 +-
 drivers/pci/hotplug/pciehp_core.c             |    2 +-
 drivers/pci/pci-sysfs.c                       |    6 +-
 drivers/pci/pci.h                             |    2 +-
 drivers/platform/x86/msi-laptop.c             |   14 +-
 drivers/platform/x86/sony-laptop.c            |    2 +-
 drivers/power/power_supply.h                  |    4 +-
 drivers/power/power_supply_core.c             |    6 +-
 drivers/power/power_supply_sysfs.c            |    6 +-
 drivers/rtc/rtc-cmos.c                        |    4 +-
 drivers/rtc/rtc-ds1307.c                      |    2 +-
 drivers/rtc/rtc-m48t59.c                      |    4 +-
 drivers/scsi/bfa/bfa.h                        |    2 +-
 drivers/staging/iio/iio_hwmon.c               |    2 +-
 drivers/usb/storage/usb.h                     |    2 +-
 drivers/video/aty/atyfb_base.c                |    8 +-
 drivers/video/aty/mach64_cursor.c             |    4 +-
 drivers/video/backlight/kb3886_bl.c           |    2 +-
 drivers/video/fb_defio.c                      |    6 +-
 drivers/video/mb862xx/mb862xxfb_accel.c       |   16 +-
 drivers/video/nvidia/nvidia.c                 |   27 ++-
 drivers/video/s1d13xxxfb.c                    |    6 +-
 drivers/video/smscufx.c                       |    4 +-
 drivers/video/udlfb.c                         |    4 +-
 drivers/video/uvesafb.c                       |   14 +-
 fs/exec.c                                     |    6 +-
 fs/ext4/super.c                               |    2 +-
 fs/jfs/super.c                                |    4 +-
 fs/nfs/callback_xdr.c                         |    2 +-
 fs/nfsd/nfs4proc.c                            |    2 +-
 fs/nfsd/nfs4xdr.c                             |    6 +-
 fs/nls/nls_base.c                             |   18 +-
 fs/nls/nls_euc-jp.c                           |    6 +-
 fs/nls/nls_koi8-ru.c                          |    6 +-
 fs/proc/proc_sysctl.c                         |   18 +-
 include/drm/drmP.h                            |   12 +-
 include/keys/asymmetric-subtype.h             |    2 +-
 include/linux/atmdev.h                        |    2 +-
 include/linux/binfmts.h                       |    2 +-
 include/linux/configfs.h                      |    2 +-
 include/linux/cpufreq.h                       |    3 +-
 include/linux/cpuidle.h                       |    5 +-
 include/linux/devfreq.h                       |    2 +-
 include/linux/device.h                        |    7 +-
 include/linux/extcon.h                        |    2 +-
 include/linux/fb.h                            |    2 +-
 include/linux/fscache.h                       |    2 +-
 include/linux/genl_magic_func.h               |    2 +-
 include/linux/hwmon-sysfs.h                   |    5 +-
 include/linux/iommu.h                         |    2 +-
 include/linux/irq.h                           |    2 +-
 include/linux/key-type.h                      |    2 +-
 include/linux/kobject.h                       |    1 +
 include/linux/kobject_ns.h                    |    2 +-
 include/linux/list.h                          |   14 +-
 include/linux/mod_devicetable.h               |    2 +-
 include/linux/module.h                        |    5 +-
 include/linux/net.h                           |    2 +-
 include/linux/netfilter.h                     |    2 +-
 include/linux/nls.h                           |    2 +-
 include/linux/pci_hotplug.h                   |    3 +-
 include/linux/platform_data/usb-exynos.h      |    2 +-
 include/linux/pnp.h                           |    2 +-
 include/linux/ppp-comp.h                      |    2 +-
 include/linux/rculist.h                       |   16 ++
 include/linux/sched.h                         |    2 +-
 include/linux/sock_diag.h                     |    2 +-
 include/linux/sunrpc/clnt.h                   |    2 +-
 include/linux/sunrpc/svc.h                    |    2 +-
 include/linux/sunrpc/svcauth.h                |    2 +-
 include/linux/swiotlb.h                       |    3 +-
 include/linux/syscore_ops.h                   |    2 +-
 include/linux/sysctl.h                        |    6 +-
 include/linux/sysfs.h                         |   10 +-
 include/linux/sysrq.h                         |    1 +
 include/linux/xattr.h                         |    2 +-
 include/net/9p/transport.h                    |    2 +-
 include/net/bluetooth/l2cap.h                 |    2 +-
 include/net/genetlink.h                       |    2 +-
 include/net/ip.h                              |    2 +-
 include/net/ip_vs.h                           |    4 +-
 include/net/llc_c_ac.h                        |    2 +-
 include/net/llc_c_ev.h                        |    4 +-
 include/net/llc_c_st.h                        |    2 +-
 include/net/llc_s_ac.h                        |    2 +-
 include/net/llc_s_st.h                        |    2 +-
 include/net/mac80211.h                        |    2 +-
 include/net/net_namespace.h                   |    2 +-
 include/net/netns/conntrack.h                 |    6 +-
 include/net/rtnetlink.h                       |    2 +-
 include/net/sctp/sm.h                         |    4 +-
 include/net/sctp/structs.h                    |    2 +-
 include/net/xfrm.h                            |    4 +-
 ipc/ipc_sysctl.c                              |   10 +-
 ipc/mq_sysctl.c                               |    2 +-
 kernel/kmod.c                                 |    2 +-
 kernel/ksysfs.c                               |    2 +-
 kernel/module.c                               |    4 +-
 kernel/pid_namespace.c                        |    2 +-
 kernel/rcutree_plugin.h                       |    2 +-
 kernel/sched/core.c                           |   39 ++--
 kernel/smpboot.c                              |    4 +-
 kernel/softirq.c                              |    2 +-
 kernel/sysctl.c                               |    2 +-
 kernel/utsname_sysctl.c                       |    2 +-
 kernel/watchdog.c                             |    2 +-
 lib/Kconfig.debug                             |    2 +-
 lib/kobject.c                                 |    4 +-
 lib/list_debug.c                              |   57 ++++-
 lib/swiotlb.c                                 |    2 +-
 mm/hugetlb.c                                  |   16 +-
 mm/memory-failure.c                           |    2 +-
 mm/slab_common.c                              |    2 +-
 net/9p/mod.c                                  |    4 +-
 net/ax25/sysctl_net_ax25.c                    |    2 +-
 net/core/neighbour.c                          |    2 +-
 net/core/net-sysfs.c                          |    2 +-
 net/core/net_namespace.c                      |    8 +-
 net/core/rtnetlink.c                          |   11 +-
 net/core/sock_diag.c                          |    9 +-
 net/core/sysctl_net_core.c                    |   15 +-
 net/ipv4/af_inet.c                            |    8 +-
 net/ipv4/devinet.c                            |   12 +-
 net/ipv4/inet_connection_sock.c               |    2 +-
 net/ipv4/ip_fragment.c                        |    9 +-
 net/ipv4/ip_gre.c                             |    6 +-
 net/ipv4/ip_vti.c                             |    4 +-
 net/ipv4/ipip.c                               |    4 +-
 net/ipv4/route.c                              |   14 +-
 net/ipv4/sysctl_net_ipv4.c                    |   43 ++--
 net/ipv6/addrconf.c                           |    4 +-
 net/ipv6/icmp.c                               |    2 +-
 net/ipv6/ip6_gre.c                            |    6 +-
 net/ipv6/ip6_tunnel.c                         |    4 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c       |   12 +-
 net/ipv6/reassembly.c                         |   11 +-
 net/ipv6/route.c                              |    2 +-
 net/ipv6/sit.c                                |    4 +-
 net/ipv6/sysctl_net_ipv6.c                    |    2 +-
 net/netfilter/ipset/ip_set_core.c             |    2 +-
 net/netfilter/ipvs/ip_vs_ctl.c                |    4 +-
 net/netfilter/ipvs/ip_vs_lblc.c               |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c              |    2 +-
 net/netfilter/nf_conntrack_acct.c             |    2 +-
 net/netfilter/nf_conntrack_ecache.c           |    2 +-
 net/netfilter/nf_conntrack_helper.c           |    2 +-
 net/netfilter/nf_conntrack_proto.c            |    2 +-
 net/netfilter/nf_conntrack_standalone.c       |    2 +-
 net/netfilter/nf_conntrack_timestamp.c        |    2 +-
 net/netfilter/nf_log.c                        |   10 +-
 net/netfilter/nf_sockopt.c                    |    4 +-
 net/netlink/genetlink.c                       |   16 +-
 net/phonet/sysctl.c                           |    2 +-
 net/rds/rds.h                                 |    2 +-
 net/sctp/ipv6.c                               |    6 +-
 net/sctp/protocol.c                           |   10 +-
 net/sctp/sm_sideeffect.c                      |    2 +-
 net/sctp/sysctl.c                             |    4 +-
 net/sunrpc/clnt.c                             |    4 +-
 net/sunrpc/svc.c                              |    4 +-
 net/unix/sysctl_net_unix.c                    |    2 +-
 net/xfrm/xfrm_policy.c                        |   11 +-
 net/xfrm/xfrm_state.c                         |   29 ++-
 net/xfrm/xfrm_sysctl.c                        |    2 +-
 security/apparmor/lsm.c                       |    2 +-
 security/keys/key.c                           |   18 +-
 security/yama/yama_lsm.c                      |   22 +-
 tools/gcc/Makefile                            |    4 +-
 tools/gcc/constify_plugin.c                   |  299 +++++++++++++++++++------
 tools/gcc/size_overflow_plugin.c              |    7 +-
 248 files changed, 994 insertions(+), 668 deletions(-)

commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:58:21 2013 -0500

    Make slab_state __read_only, it's only written to during init

 mm/slab_common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:31:35 2013 -0500

    Make two new helper functions:
    gr_is_global_root() and gr_is_global_nonroot()

 grsecurity/gracl.c      |   10 +++++-----
 grsecurity/gracl_segv.c |    2 +-
 grsecurity/grsec_link.c |    4 ++--
 grsecurity/grsec_sig.c  |   10 +++++-----
 grsecurity/grsec_tpe.c  |    6 +++---
 include/linux/uidgid.h  |    2 ++
 6 files changed, 18 insertions(+), 16 deletions(-)

commit d45d88eddd4998b280b1e5b5384289ee11ca7088
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:14:41 2013 -0500

    convert remaining task->pid to task_pid_nr(task)

 grsecurity/gracl.c        |   22 +++++++++++-----------
 grsecurity/gracl_shm.c    |    2 +-
 grsecurity/grsec_chroot.c |    4 ++--
 grsecurity/grsec_sig.c    |    4 ++--
 4 files changed, 16 insertions(+), 16 deletions(-)

commit c877f2ece03ee2232dd281c1977ae59507297124
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 5 17:29:54 2013 -0500

    compat-log is only used anymore by vm86-on-64bit and allows unlimited
    spamming of the kernel log buffer (and since it includes the changable
    process name, can avoid syslog log deduplication)
    Turn it off by default

 fs/compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7c1964c4b7276889d7967bee70e46918cdca1b14
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 4 17:19:10 2013 -0500

    fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
    is enabled, introduced with recent userns support

 init/main.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 18:46:12 2013 -0500

    Prevent TOMOYO from auto-loading modules by unprivileged users
    (Only reachable if TOMOYO is actually used)

 security/tomoyo/mount.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 79e142f9455b398759ff9d93d4963a21b98dddda
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 18:28:45 2013 -0500

    For now, don't permit any special access to /proc in a user namespace
    Later we can go back and allow a userns-uid0 special access to a /proc
    with a non-global pid namespace

 fs/proc/base.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8b91fb393049ce5f3c0a86f62247409853fd9700
Merge: d931eb8 603ef05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:42:09 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:41:31 2013 -0500

    Fix compilation error on ARM reported by Michael Tremer

 arch/arm/mach-omap2/wd_timer.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b4c9ce81fdd7839a150c97873c710c479e788280
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:39:53 2013 -0500

    Fix compilation error on ARM reported by Michael Tremer

 arch/arm/kernel/armksyms.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d931eb81ab3da46896268fd61373a6aa7bbea930
Merge: bfa7f44 5948f93
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:34:36 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
Merge: ab30472 19b00d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:34:08 2013 -0500

    Merge branch 'linux-3.8.y' into pax-test

commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 15:12:12 2013 -0500

    Initial support for user namespaces, as we previously didn't allow
    the option to be enabled at all.
    
    RBAC will act on the global uids/gids only, so all uids/gids in user
    namespaces will be converted
    
    Because Eric Biederman is insulted that I didn't support his
    backdoor prior to it receiving proper review.  I still have the CAP_SYS_ADMIN
    check in for user namespaces, so this is generally irrelevant.

 fs/exec.c                   |    6 +-
 fs/proc/base.c              |    2 +-
 fs/proc/proc_net.c          |    4 +-
 grsecurity/gracl.c          |  128 +++++++++++++++++++++++++++++-------------
 grsecurity/gracl_cap.c      |    4 +-
 grsecurity/gracl_ip.c       |   16 +++---
 grsecurity/gracl_segv.c     |   12 +++-
 grsecurity/gracl_shm.c      |    4 +-
 grsecurity/grsec_disabled.c |   10 ++--
 grsecurity/grsec_fifo.c     |    6 +-
 grsecurity/grsec_init.c     |   24 ++++----
 grsecurity/grsec_log.c      |    3 -
 grsecurity/grsec_tpe.c      |    6 +-
 include/linux/grinternal.h  |   12 ++--
 include/linux/grsecurity.h  |   12 ++--
 include/linux/uidgid.h      |    3 +
 init/Kconfig                |    2 -
 ipc/shm.c                   |    2 +-
 kernel/cred.c               |    5 +-
 kernel/kallsyms.c           |    2 +-
 kernel/kmod.c               |    6 +-
 kernel/sys.c                |   12 ++--
 22 files changed, 166 insertions(+), 115 deletions(-)

commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Feb 27 08:36:04 2013 -0800

    Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
    
    mm: do not grow the stack vma just because of an overrun on preceding vma
    
    The stack vma is designed to grow automatically (marked with VM_GROWSUP
    or VM_GROWSDOWN depending on architecture) when an access is made beyond
    the existing boundary.  However, particularly if you have not limited
    your stack at all ("ulimit -s unlimited"), this can cause the stack to
    grow even if the access was really just one past *another* segment.
    
    And that's wrong, especially since we first grow the segment, but then
    immediately later enforce the stack guard page on the last page of the
    segment.  So _despite_ first growing the stack segment as a result of
    the access, the kernel will then make the access cause a SIGSEGV anyway!
    
    So do the same logic as the guard page check does, and consider an
    access to within one page of the next segment to be a bad access, rather
    than growing the stack to abut the next segment.
    
    Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c |   27 +++++++++++++++++++++++++++
 1 files changed, 27 insertions(+), 0 deletions(-)

commit 5596211af754867ca825f58e6e0300a8439950fe
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Wed Feb 27 12:46:40 2013 -0800

    Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
    
    x86: Make sure we can boot in the case the BDA contains pure garbage
    
    On non-BIOS platforms it is possible that the BIOS data area contains
    garbage instead of being zeroed or something equivalent (firmware
    people: we are talking of 1.5K here, so please do the sane thing.)
    
    We need on the order of 20-30K of low memory in order to boot, which
    may grow up to < 64K in the future.  We probably want to avoid the
    lowest of the low memory.  At the same time, it seems extremely
    unlikely that a legitimate EBDA would ever reach down to the 128K
    (which would require it to be over half a megabyte in size.)  Thus,
    pick 128K as the cutoff for "this is insane, ignore."  We may still
    end up reserving a bunch of extra memory on the low megabyte, but that
    is not really a major issue these days.  In the worst case we lose
    512K of RAM.
    
    This code really should be merged with trim_bios_range() in
    arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
    window.
    
    Reported-by: Darren Hart <dvhart@linux.intel.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: Matt Fleming <matt.fleming@intel.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org

 arch/x86/kernel/head.c |   53 ++++++++++++++++++++++++++++++-----------------
 1 files changed, 34 insertions(+), 19 deletions(-)

commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Feb 27 17:05:46 2013 -0800

    Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
    
    memstick: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to found this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Maxim Levitsky <maximlevitsky@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/memstick/host/r592.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Feb 27 17:05:21 2013 -0800

    Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
    
    sysctl: fix null checking in bin_dn_node_address()
    
    The null check of `strchr() + 1' is broken, which is always non-null,
    leading to OOB read.  Instead, check the result of strchr().
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sysctl_binary.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 7ca96db0817416fd40761e7437d1939fc0731380
Author: Tejun Heo <tj@kernel.org>
Date:   Wed Feb 27 17:03:34 2013 -0800

    Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
    
    idr: fix a subtle bug in idr_get_next()
    
    The iteration logic of idr_get_next() is borrowed mostly verbatim from
    idr_for_each().  It walks down the tree looking for the slot matching
    the current ID.  If the matching slot is not found, the ID is
    incremented by the distance of single slot at the given level and
    repeats.
    
    The implementation assumes that during the whole iteration id is aligned
    to the layer boundaries of the level closest to the leaf, which is true
    for all iterations starting from zero or an existing element and thus is
    fine for idr_for_each().
    
    However, idr_get_next() may be given any point and if the starting id
    hits in the middle of a non-existent layer, increment to the next layer
    will end up skipping the same offset into it.  For example, an IDR with
    IDs filled between [64, 127] would look like the following.
    
              [  0  64 ... ]
           /----/   |
           |        |
          NULL    [ 64 ... 127 ]
    
    If idr_get_next() is called with 63 as the starting point, it will try
    to follow down the pointer from 0.  As it is NULL, it will then try to
    proceed to the next slot in the same level by adding the slot distance
    at that level which is 64 - making the next try 127.  It goes around the
    loop and finds and returns 127 skipping [64, 126].
    
    Note that this bug also triggers in idr_for_each_entry() loop which
    deletes during iteration as deletions can make layers go away leaving
    the iteration with unaligned ID into missing layers.
    
    Fix it by ensuring proceeding to the next slot doesn't carry over the
    unaligned offset - ie.  use round_up(id + 1, slot_distance) instead of
    id += slot_distance.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: David Teigland <teigland@redhat.com>
    Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/idr.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 745362f28034f54242ba2e64eaa7374ab9869613
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 1 20:31:42 2013 -0500

    Fix dentry use-after-free after failed complete_walk() with RBAC enabled
    Many thanks to zakalwe from #grsecurity for the report and debugging help

 fs/namei.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit b53b3b14330920c6f7cfb74c8508a3026e1be620
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 18:29:26 2013 -0500

    Fix bad git merge

 fs/namespace.c |    8 --------
 1 files changed, 0 insertions(+), 8 deletions(-)

commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
Merge: 1cce1dd ab30472
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 17:45:14 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        net/core/sock_diag.c

commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
Merge: 4b61d21 4c91a0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 17:43:56 2013 -0500

    Merge branch 'linux-3.8.y' into pax-test

commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 22:20:22 2013 -0500

    add compiler.h to sysrq.h to fix compilation problem reported by micu on forums

 include/linux/sysrq.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 17:52:31 2013 -0500

    declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel

 kernel/printk.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 17:23:46 2013 -0500

    Fix upstream vulnerability from addition of a /dev/kmsg device
    while neglecting to add the same set of existing permission checks
    from do_syslog.  This bit both dmesg_restrict and GRKERNSEC_DMESG.
    A temporary workaround without this patch would be to
    chmod 0600 /dev/kmsg (and is likely a good idea anyway).
    
    Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
    Initially reported to Redhat bugzilla by Christian Kujau:
    https://bugzilla.redhat.com/show_bug.cgi?id=903192

 kernel/printk.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 66c04806f5660988c3cb4855e60de294e77e3d0e
Author: David Howells <dhowells@redhat.com>
Date:   Thu Feb 21 12:00:25 2013 +0000

    Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
    
    KEYS: Revert one application of "Fix unreachable code" patch
    
    A patch to fix some unreachable code in search_my_process_keyrings() got
    applied twice by two different routes upstream as commits e67eab39bee2
    and b010520ab3d2 (both "fix unreachable code").
    
    Unfortunately, the second application removed something it shouldn't
    have and this wasn't detected by GIT.  This is due to the patch not
    having sufficient lines of context to distinguish the two places of
    application.
    
    The effect of this is relatively minor: inside the kernel, the keyring
    search routines may search multiple keyrings and then prioritise the
    errors if no keys or negative keys are found in any of them.  With the
    extra deletion, the presence of a negative key in the thread keyring
    (causing ENOKEY) is incorrectly overridden by an error searching the
    process keyring.
    
    So revert the second application of the patch.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Cc: Jiri Kosina <jkosina@suse.cz>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 security/keys/process_keys.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Thu Feb 21 16:42:43 2013 -0800

    Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
    
    configfs: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to found this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/configfs/dir.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
Author: Nicolas Pitre <nicolas.pitre@linaro.org>
Date:   Sun Feb 24 20:06:09 2013 -0500

    Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
    
    tty vt: fix character insertion overflow
    
    Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
    command line edition") broke insert_char() in multiple ways.  Then
    commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
    partially fixed it.  However, the buffer being moved is still too large
    and overflowing beyond the end of the current line, corrupting existing
    characters on the next line.
    
    Example test case:
    
    echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
    
    Expected result:
    
    ab c
    de
    
    Current result:
    
    ab c
     e
    
    Needless to say that this is very annoying when inserting words in the
    middle of paragraphs with certain text editors.
    
    Signed-off-by: Nicolas Pitre <nico@linaro.org>
    Cc: Jean-François Moine <moinejf@free.fr>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/tty/vt/vt.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6cda35071669b4aabde081bd039e0ffea36f997a
Author: Robin Holt <holt@sgi.com>
Date:   Fri Feb 22 16:35:34 2013 -0800

    Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
    
    mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
    
    There is a race condition between mmu_notifier_unregister() and
    __mmu_notifier_release().
    
    Assume two tasks, one calling mmu_notifier_unregister() as a result of a
    filp_close() ->flush() callout (task A), and the other calling
    mmu_notifier_release() from an mmput() (task B).
    
                    A                               B
    t1                                              srcu_read_lock()
    t2              if (!hlist_unhashed())
    t3                                              srcu_read_unlock()
    t4              srcu_read_lock()
    t5                                              hlist_del_init_rcu()
    t6                                              synchronize_srcu()
    t7              srcu_read_unlock()
    t8              hlist_del_rcu()  <--- NULL pointer deref.
    
    Additionally, the list traversal in __mmu_notifier_release() is not
    protected by the by the mmu_notifier_mm->hlist_lock which can result in
    callouts to the ->release() notifier from both mmu_notifier_unregister()
    and __mmu_notifier_release().
    
    -stable suggestions:
    
    The stable trees prior to 3.7.y need commits 21a92735f660 and
    70400303ce0c cherry-picked in that order prior to cherry-picking this
    commit.  The 3.7.y tree already has those two commits.
    
    Signed-off-by: Robin Holt <holt@sgi.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
    Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
    Cc: Avi Kivity <avi@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Marcelo Tosatti <mtosatti@redhat.com>
    Cc: Sagi Grimberg <sagig@mellanox.co.il>
    Cc: Haggai Eran <haggaie@mellanox.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmu_notifier.c |   82 +++++++++++++++++++++++++++--------------------------
 1 files changed, 42 insertions(+), 40 deletions(-)

commit bf5167ed78ba6131c6874887f714bda50c2cab83
Author: Mike Galbraith <bitbucket@online.de>
Date:   Mon Jan 28 12:19:25 2013 +0100

    Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
    
    sched: Fix select_idle_sibling() bouncing cow syndrome
    
    If the previous CPU is cache affine and idle, select it.
    
    The current implementation simply traverses the sd_llc domain,
    taking the first idle CPU encountered, which walks buddy pairs
    hand in hand over the package, inflicting excruciating pain.
    
    1 tbench pair (worst case) in a 10 core + SMT package:
    
      pre   15.22 MB/sec 1 procs
      post 252.01 MB/sec 1 procs
    
    Signed-off-by: Mike Galbraith <bitbucket@online.de>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 kernel/sched/fair.c |   21 +++++++--------------
 1 files changed, 7 insertions(+), 14 deletions(-)

commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri Dec 28 18:58:39 2012 -0800

    Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
    
    userns: Avoid recursion in put_user_ns
    
    When freeing a deeply nested user namespace free_user_ns calls
    put_user_ns on it's parent which may in turn call free_user_ns again.
    When -fno-optimize-sibling-calls is passed to gcc one stack frame per
    user namespace is left on the stack, potentially overflowing the
    kernel stack.  CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
    so we can't count on gcc to optimize this code.
    
    Remove struct kref and use a plain atomic_t.  Making the code more
    flexible and easier to comprehend.  Make the loop in free_user_ns
    explict to guarantee that the stack does not overflow with
    CONFIG_FRAME_POINTER enabled.
    
    I have tested this fix with a simple program that uses unshare to
    create a deeply nested user namespace structure and then calls exit.
    With 1000 nesteuser namespaces before this change running my test
    program causes the kernel to die a horrible death.  With 10,000,000
    nested user namespaces after this change my test program runs to
    completion and causes no harm.
    
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 include/linux/user_namespace.h |   10 +++++-----
 kernel/user.c                  |    4 +---
 kernel/user_namespace.c        |   17 +++++++++--------
 3 files changed, 15 insertions(+), 16 deletions(-)

commit 81501c7106ccc186c94806f4db954626295b5ebe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 26 17:12:30 2013 -0500

    Pass the same flags to kern_path_create as the original function

 fs/namei.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a677c8eee35afe48868f92c7d6745bfe809cd481
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Feb 22 22:45:42 2013 -0500

    Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
    
    get rid of unprotected dereferencing of mnt->mnt_ns
    
    It's safe only under namespace_sem or vfsmount_lock; all places
    in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
    current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
    there).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namespace.c |   29 +++++++++++++++++------------
 1 files changed, 17 insertions(+), 12 deletions(-)

commit 89298124d0c96dc34a60377e7a1308f8f532ff75
Author: Greg Thelen <gthelen@google.com>
Date:   Fri Feb 22 16:36:01 2013 -0800

    Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
    
    tmpfs: fix use-after-free of mempolicy object
    
    The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
    option is not specified in the remount request.  A new policy can be
    specified if mpol=M is given.
    
    Before this patch remounting an mpol bound tmpfs without specifying
    mpol= mount option in the remount request would set the filesystem's
    mempolicy object to a freed mempolicy object.
    
    To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
        # mkdir /tmp/x
    
        # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
    
        # mount -o remount,size=200M nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
            # note ? garbage in mpol=... output above
    
        # dd if=/dev/zero of=/tmp/x/f count=1
            # panic here
    
    Panic:
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<          (null)>]           (null)
        [...]
        Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
        Call Trace:
          mpol_shared_policy_init+0xa5/0x160
          shmem_get_inode+0x209/0x270
          shmem_mknod+0x3e/0xf0
          shmem_create+0x18/0x20
          vfs_create+0xb5/0x130
          do_last+0x9a1/0xea0
          path_openat+0xb3/0x4d0
          do_filp_open+0x42/0xa0
          do_sys_open+0xfe/0x1e0
          compat_sys_open+0x1b/0x20
          cstar_dispatch+0x7/0x1f
    
    Non-debug kernels will not crash immediately because referencing the
    dangling mpol will not cause a fault.  Instead the filesystem will
    reference a freed mempolicy object, which will cause unpredictable
    behavior.
    
    The problem boils down to a dropped mpol reference below if
    shmem_parse_options() does not allocate a new mpol:
    
        config = *sbinfo
        shmem_parse_options(data, &config, true)
        mpol_put(sbinfo->mpol)
        sbinfo->mpol = config.mpol  /* BUG: saves unreferenced mpol */
    
    This patch avoids the crash by not releasing the mempolicy if
    shmem_parse_options() doesn't create a new mpol.
    
    How far back does this issue go? I see it in both 2.6.36 and 3.3.  I did
    not look back further.
    
    Signed-off-by: Greg Thelen <gthelen@google.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/shmem.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 23 11:08:05 2013 -0500

    Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
    with a family greater or equal then AF_MAX -- the array size of
    sock_diag_handlers[]. The current code does not test for this
    condition therefore is vulnerable to an out-of-bound access opening
    doors for a privilege escalation.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
    make the code less readable. Get rid of them and make the lock usage
    and access to sock_diag_handlers[] clear on the first sight.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/core/sock_diag.c |   27 ++++++++++-----------------
 1 files changed, 10 insertions(+), 17 deletions(-)

commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 23 10:58:52 2013 -0500

    Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined

 arch/arm/include/asm/domain.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7b729586eb81f344fdedf0942fab0acc738a6725
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 22 19:02:51 2013 -0500

    Add back capability check for user namespaces.  They have not seen enough proper review and needlessly exposes additional attack surface for all users.

 kernel/fork.c |   17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

commit fadc560d0c486af88da83177735f5515e88acdcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:06:48 2013 -0500

    put is_hugetlbfs_mnt inside ifdefs

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 8252176922d405484f986eb2cc350b7cd3ae586e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:02:07 2013 -0500

    remove unused label

 kernel/module.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit dad4a980f0b625059e215d13da728aa7fd02a374
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:00:52 2013 -0500

    compile fix

 fs/open.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:57:49 2013 -0500

    remove kmalloc_array_error for the same reasons as kcalloc_error

 include/linux/slab.h |    9 ---------
 1 files changed, 0 insertions(+), 9 deletions(-)

commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:49:35 2013 -0500

    Initial port of grsecurity for Linux 3.8

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |   10 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   14 +-
 arch/arm/include/asm/cache.h                       |    2 +
 arch/arm/include/asm/thread_info.h                 |    9 +-
 arch/arm/kernel/process.c                          |    4 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   27 +-
 arch/arm/mm/mmap.c                                 |    6 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    7 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    3 +-
 arch/ia64/mm/hugetlbpage.c                         |    3 +-
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    3 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   19 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/include/asm/thread_info.h             |    8 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/powerpc/mm/slice.c                            |    8 +-
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    8 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    6 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/Kconfig.debug                             |    2 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |   14 +-
 arch/x86/kernel/sys_x86_64.c                       |    3 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |   16 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |    3 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  126 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 crypto/ablkcipher.c                                |   12 +-
 crypto/aead.c                                      |    9 +-
 crypto/ahash.c                                     |    2 +-
 crypto/blkcipher.c                                 |    6 +-
 crypto/crypto_user.c                               |   38 +-
 crypto/pcompress.c                                 |    3 +-
 crypto/rng.c                                       |    2 +-
 crypto/shash.c                                     |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    5 +
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++--------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    6 +
 fs/btrfs/inode.c                                   |   10 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   18 +
 fs/coredump.c                                      |   10 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  155 +-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    5 +
 fs/fs_struct.c                                     |   26 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  269 ++-
 fs/namespace.c                                     |   24 +
 fs/open.c                                          |   38 +
 fs/pipe.c                                          |    2 +-
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 +-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |   17 +
 fs/proc/internal.h                                 |    3 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 grsecurity/Kconfig                                 | 1021 +++++
 grsecurity/Makefile                                |   38 +
 grsecurity/gracl.c                                 | 4017 ++++++++++++++++++++
 grsecurity/gracl_alloc.c                           |  105 +
 grsecurity/gracl_cap.c                             |  110 +
 grsecurity/gracl_fs.c                              |  431 +++
 grsecurity/gracl_ip.c                              |  384 ++
 grsecurity/gracl_learn.c                           |  207 +
 grsecurity/gracl_res.c                             |   68 +
 grsecurity/gracl_segv.c                            |  299 ++
 grsecurity/gracl_shm.c                             |   40 +
 grsecurity/grsec_chdir.c                           |   19 +
 grsecurity/grsec_chroot.c                          |  357 ++
 grsecurity/grsec_disabled.c                        |  434 +++
 grsecurity/grsec_exec.c                            |  174 +
 grsecurity/grsec_fifo.c                            |   24 +
 grsecurity/grsec_fork.c                            |   23 +
 grsecurity/grsec_init.c                            |  283 ++
 grsecurity/grsec_link.c                            |   58 +
 grsecurity/grsec_log.c                             |  329 ++
 grsecurity/grsec_mem.c                             |   40 +
 grsecurity/grsec_mount.c                           |   62 +
 grsecurity/grsec_pax.c                             |   36 +
 grsecurity/grsec_ptrace.c                          |   30 +
 grsecurity/grsec_sig.c                             |  222 ++
 grsecurity/grsec_sock.c                            |  244 ++
 grsecurity/grsec_sysctl.c                          |  469 +++
 grsecurity/grsec_time.c                            |   16 +
 grsecurity/grsec_tpe.c                             |   73 +
 grsecurity/grsum.c                                 |   61 +
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/gracl.h                              |  319 ++
 include/linux/gralloc.h                            |    9 +
 include/linux/grdefs.h                             |  140 +
 include/linux/grinternal.h                         |  215 ++
 include/linux/grmsg.h                              |  111 +
 include/linux/grsecurity.h                         |  257 ++
 include/linux/grsock.h                             |   19 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/netfilter/xt_gradm.h                 |    9 +
 include/linux/printk.h                             |    3 +-
 include/linux/proc_fs.h                            |   12 +
 include/linux/sched.h                              |   66 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/vermagic.h                           |    9 +-
 include/trace/events/fs.h                          |   53 +
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    5 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  109 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   24 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   71 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   80 +-
 kernel/panic.c                                     |    4 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    8 +
 kernel/printk.c                                    |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   38 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    3 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 lib/vsprintf.c                                     |   35 +-
 localversion-grsec                                 |    1 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   62 +-
 mm/mprotect.c                                      |    8 +
 mm/page_alloc.c                                    |    6 +
 mm/process_vm_access.c                             |    6 +
 mm/shmem.c                                         |    2 +-
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev.c                                     |    9 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    7 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netfilter/xt_gradm.c                           |   51 +
 net/netrom/af_netrom.c                             |    2 +-
 net/phonet/af_phonet.c                             |    4 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   62 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   19 +
 security/Kconfig                                   |  320 ++-
 security/apparmor/lsm.c                            |    2 +-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/yama/Kconfig                              |    2 +-
 tools/gcc/Makefile                                 |    2 +-
 286 files changed, 15083 insertions(+), 2067 deletions(-)

commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 21:00:42 2013 -0500

    Initial import of pax-linux-3.8-test3.patch

 Documentation/dontdiff                           |   43 +-
 Documentation/kernel-parameters.txt              |    7 +
 Makefile                                         |   97 +-
 arch/alpha/include/asm/atomic.h                  |   10 +
 arch/alpha/include/asm/elf.h                     |    7 +
 arch/alpha/include/asm/pgalloc.h                 |    6 +
 arch/alpha/include/asm/pgtable.h                 |   11 +
 arch/alpha/kernel/module.c                       |    2 +-
 arch/alpha/kernel/osf_sys.c                      |   10 +-
 arch/alpha/mm/fault.c                            |  141 +-
 arch/arm/Kconfig                                 |    2 +-
 arch/arm/include/asm/atomic.h                    |  421 +++-
 arch/arm/include/asm/cache.h                     |    3 +-
 arch/arm/include/asm/cacheflush.h                |    2 +-
 arch/arm/include/asm/checksum.h                  |   14 +-
 arch/arm/include/asm/cmpxchg.h                   |    2 +
 arch/arm/include/asm/delay.h                     |    8 +-
 arch/arm/include/asm/domain.h                    |   32 +-
 arch/arm/include/asm/elf.h                       |   13 +-
 arch/arm/include/asm/fncpy.h                     |    2 +
 arch/arm/include/asm/futex.h                     |   10 +
 arch/arm/include/asm/kmap_types.h                |    2 +-
 arch/arm/include/asm/mach/dma.h                  |    2 +-
 arch/arm/include/asm/mach/map.h                  |    7 +-
 arch/arm/include/asm/outercache.h                |    2 +-
 arch/arm/include/asm/page.h                      |    2 +-
 arch/arm/include/asm/pgalloc.h                   |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h      |    5 +
 arch/arm/include/asm/pgtable-2level.h            |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h      |    4 +
 arch/arm/include/asm/pgtable-3level.h            |    2 +
 arch/arm/include/asm/pgtable.h                   |   56 +-
 arch/arm/include/asm/proc-fns.h                  |    2 +-
 arch/arm/include/asm/processor.h                 |    5 +-
 arch/arm/include/asm/smp.h                       |    2 +-
 arch/arm/include/asm/thread_info.h               |    6 +-
 arch/arm/include/asm/uaccess.h                   |   92 +-
 arch/arm/include/uapi/asm/ptrace.h               |    2 +-
 arch/arm/kernel/armksyms.c                       |    4 +-
 arch/arm/kernel/entry-armv.S                     |  107 +-
 arch/arm/kernel/entry-common.S                   |   41 +-
 arch/arm/kernel/entry-header.S                   |   60 +
 arch/arm/kernel/fiq.c                            |    2 +
 arch/arm/kernel/head.S                           |    6 +-
 arch/arm/kernel/hw_breakpoint.c                  |    2 +-
 arch/arm/kernel/module.c                         |   29 +-
 arch/arm/kernel/perf_event_cpu.c                 |    2 +-
 arch/arm/kernel/process.c                        |   10 +-
 arch/arm/kernel/setup.c                          |   22 +-
 arch/arm/kernel/smp.c                            |    2 +-
 arch/arm/kernel/traps.c                          |    8 +-
 arch/arm/kernel/vmlinux.lds.S                    |   20 +-
 arch/arm/lib/clear_user.S                        |    6 +-
 arch/arm/lib/copy_from_user.S                    |    6 +-
 arch/arm/lib/copy_page.S                         |    1 +
 arch/arm/lib/copy_to_user.S                      |    6 +-
 arch/arm/lib/csumpartialcopyuser.S               |    4 +-
 arch/arm/lib/delay.c                             |   14 +-
 arch/arm/lib/uaccess_with_memcpy.c               |    2 +-
 arch/arm/mach-kirkwood/common.c                  |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                 |    2 +-
 arch/arm/mach-omap2/omap-wakeupgen.c             |    2 +-
 arch/arm/mach-omap2/omap_hwmod.c                 |    4 +-
 arch/arm/mach-ux500/include/mach/setup.h         |    7 -
 arch/arm/mm/Kconfig                              |    3 +-
 arch/arm/mm/fault.c                              |   78 +
 arch/arm/mm/fault.h                              |   12 +
 arch/arm/mm/init.c                               |   41 +
 arch/arm/mm/ioremap.c                            |    4 +-
 arch/arm/mm/mmap.c                               |   36 +-
 arch/arm/mm/mmu.c                                |  186 +-
 arch/arm/mm/proc-v7-2level.S                     |    3 +
 arch/arm/plat-omap/sram.c                        |    2 +
 arch/arm/plat-orion/include/plat/addr-map.h      |    2 +-
 arch/arm/plat-samsung/include/plat/dma-ops.h     |    2 +-
 arch/arm64/kernel/debug-monitors.c               |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                |    2 +-
 arch/avr32/include/asm/elf.h                     |    8 +-
 arch/avr32/include/asm/kmap_types.h              |    4 +-
 arch/avr32/mm/fault.c                            |   27 +
 arch/frv/include/asm/atomic.h                    |   10 +
 arch/frv/include/asm/kmap_types.h                |    2 +-
 arch/frv/mm/elf-fdpic.c                          |    7 +-
 arch/ia64/include/asm/atomic.h                   |   10 +
 arch/ia64/include/asm/elf.h                      |    7 +
 arch/ia64/include/asm/pgalloc.h                  |   12 +
 arch/ia64/include/asm/pgtable.h                  |   13 +-
 arch/ia64/include/asm/spinlock.h                 |    2 +-
 arch/ia64/include/asm/uaccess.h                  |   28 +-
 arch/ia64/kernel/err_inject.c                    |    2 +-
 arch/ia64/kernel/mca.c                           |    2 +-
 arch/ia64/kernel/module.c                        |   48 +-
 arch/ia64/kernel/palinfo.c                       |    2 +-
 arch/ia64/kernel/salinfo.c                       |    2 +-
 arch/ia64/kernel/sys_ia64.c                      |   13 +-
 arch/ia64/kernel/topology.c                      |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                   |    2 +-
 arch/ia64/mm/fault.c                             |   32 +-
 arch/ia64/mm/hugetlbpage.c                       |    2 +-
 arch/ia64/mm/init.c                              |   13 +
 arch/m32r/lib/usercopy.c                         |    6 +
 arch/mips/include/asm/atomic.h                   |   14 +
 arch/mips/include/asm/elf.h                      |   11 +-
 arch/mips/include/asm/exec.h                     |    2 +-
 arch/mips/include/asm/page.h                     |    2 +-
 arch/mips/include/asm/pgalloc.h                  |    5 +
 arch/mips/kernel/binfmt_elfn32.c                 |    7 +
 arch/mips/kernel/binfmt_elfo32.c                 |    7 +
 arch/mips/kernel/process.c                       |   12 -
 arch/mips/mm/fault.c                             |   17 +
 arch/mips/mm/mmap.c                              |   51 +-
 arch/parisc/include/asm/atomic.h                 |   10 +
 arch/parisc/include/asm/elf.h                    |    7 +
 arch/parisc/include/asm/pgalloc.h                |    6 +
 arch/parisc/include/asm/pgtable.h                |   11 +
 arch/parisc/include/asm/uaccess.h                |    4 +-
 arch/parisc/kernel/module.c                      |   50 +-
 arch/parisc/kernel/sys_parisc.c                  |    6 +-
 arch/parisc/kernel/traps.c                       |    4 +-
 arch/parisc/mm/fault.c                           |  140 +-
 arch/powerpc/include/asm/atomic.h                |   10 +
 arch/powerpc/include/asm/elf.h                   |   19 +-
 arch/powerpc/include/asm/exec.h                  |    2 +-
 arch/powerpc/include/asm/kmap_types.h            |    2 +-
 arch/powerpc/include/asm/mman.h                  |    2 +-
 arch/powerpc/include/asm/page.h                  |    8 +-
 arch/powerpc/include/asm/page_64.h               |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h            |    7 +
 arch/powerpc/include/asm/pgtable.h               |    1 +
 arch/powerpc/include/asm/pte-hash32.h            |    1 +
 arch/powerpc/include/asm/reg.h                   |    1 +
 arch/powerpc/include/asm/uaccess.h               |  142 +-
 arch/powerpc/kernel/exceptions-64e.S             |    4 +-
 arch/powerpc/kernel/exceptions-64s.S             |    2 +-
 arch/powerpc/kernel/module_32.c                  |   13 +-
 arch/powerpc/kernel/process.c                    |   55 -
 arch/powerpc/kernel/signal_32.c                  |    2 +-
 arch/powerpc/kernel/signal_64.c                  |    2 +-
 arch/powerpc/kernel/sysfs.c                      |    2 +-
 arch/powerpc/kernel/vdso.c                       |    5 +-
 arch/powerpc/lib/usercopy_64.c                   |   18 -
 arch/powerpc/mm/fault.c                          |   54 +-
 arch/powerpc/mm/mmap_64.c                        |   16 +
 arch/powerpc/mm/mmu_context_nohash.c             |    2 +-
 arch/powerpc/mm/numa.c                           |    2 +-
 arch/powerpc/mm/slice.c                          |   23 +-
 arch/powerpc/platforms/powermac/smp.c            |    2 +-
 arch/s390/include/asm/atomic.h                   |   10 +
 arch/s390/include/asm/elf.h                      |   13 +-
 arch/s390/include/asm/exec.h                     |    2 +-
 arch/s390/include/asm/uaccess.h                  |   15 +-
 arch/s390/kernel/module.c                        |   22 +-
 arch/s390/kernel/process.c                       |   36 -
 arch/s390/mm/mmap.c                              |   24 +
 arch/score/include/asm/exec.h                    |    2 +-
 arch/score/kernel/process.c                      |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c               |    2 +-
 arch/sh/mm/mmap.c                                |   22 +-
 arch/sparc/include/asm/atomic_64.h               |  106 +-
 arch/sparc/include/asm/cache.h                   |    2 +-
 arch/sparc/include/asm/elf_32.h                  |    7 +
 arch/sparc/include/asm/elf_64.h                  |    7 +
 arch/sparc/include/asm/pgalloc_32.h              |    1 +
 arch/sparc/include/asm/pgalloc_64.h              |    1 +
 arch/sparc/include/asm/pgtable_32.h              |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                |    5 +
 arch/sparc/include/asm/spinlock_64.h             |   35 +-
 arch/sparc/include/asm/thread_info_32.h          |    2 +
 arch/sparc/include/asm/thread_info_64.h          |    2 +
 arch/sparc/include/asm/uaccess.h                 |    8 +
 arch/sparc/include/asm/uaccess_32.h              |   27 +-
 arch/sparc/include/asm/uaccess_64.h              |   19 +-
 arch/sparc/kernel/Makefile                       |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                 |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                 |   48 +-
 arch/sparc/kernel/sysfs.c                        |    2 +-
 arch/sparc/kernel/traps_64.c                     |   13 +-
 arch/sparc/lib/Makefile                          |    2 +-
 arch/sparc/lib/atomic_64.S                       |  136 +-
 arch/sparc/lib/ksyms.c                           |    6 +
 arch/sparc/mm/Makefile                           |    2 +-
 arch/sparc/mm/fault_32.c                         |  292 ++
 arch/sparc/mm/fault_64.c                         |  486 +++
 arch/sparc/mm/hugetlbpage.c                      |   21 +-
 arch/tile/include/asm/atomic_64.h                |   10 +
 arch/tile/include/asm/uaccess.h                  |    4 +-
 arch/um/Makefile                                 |    4 +
 arch/um/include/asm/kmap_types.h                 |    2 +-
 arch/um/include/asm/page.h                       |    3 +
 arch/um/include/asm/pgtable-3level.h             |    1 +
 arch/um/kernel/process.c                         |   16 -
 arch/x86/Kconfig                                 |   10 +-
 arch/x86/Kconfig.cpu                             |    6 +-
 arch/x86/Kconfig.debug                           |    6 +-
 arch/x86/Makefile                                |   10 +
 arch/x86/boot/Makefile                           |    3 +
 arch/x86/boot/bitops.h                           |    4 +-
 arch/x86/boot/boot.h                             |    4 +-
 arch/x86/boot/compressed/Makefile                |    3 +
 arch/x86/boot/compressed/eboot.c                 |    2 -
 arch/x86/boot/compressed/head_32.S               |    7 +-
 arch/x86/boot/compressed/head_64.S               |    4 +-
 arch/x86/boot/compressed/misc.c                  |    4 +-
 arch/x86/boot/cpucheck.c                         |   28 +-
 arch/x86/boot/header.S                           |    6 +-
 arch/x86/boot/memory.c                           |    2 +-
 arch/x86/boot/video-vesa.c                       |    1 +
 arch/x86/boot/video.c                            |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S              |    4 +
 arch/x86/crypto/aesni-intel_asm.S                |   31 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S         |    8 +
 arch/x86/crypto/camellia-x86_64-asm_64.S         |    8 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S        |    8 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S        |    8 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S          |    5 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S      |    8 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S     |    5 +
 arch/x86/crypto/sha1_ssse3_asm.S                 |    3 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S      |    8 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S     |    5 +
 arch/x86/crypto/twofish-x86_64-asm_64.S          |    3 +
 arch/x86/ia32/ia32_signal.c                      |   14 +-
 arch/x86/ia32/ia32entry.S                        |  141 +-
 arch/x86/ia32/sys_ia32.c                         |   12 +-
 arch/x86/include/asm/alternative-asm.h           |   39 +
 arch/x86/include/asm/alternative.h               |    4 +-
 arch/x86/include/asm/apic.h                      |    2 +-
 arch/x86/include/asm/apm.h                       |    4 +-
 arch/x86/include/asm/atomic.h                    |  307 ++-
 arch/x86/include/asm/atomic64_32.h               |  100 +
 arch/x86/include/asm/atomic64_64.h               |  202 ++-
 arch/x86/include/asm/bitops.h                    |    2 +-
 arch/x86/include/asm/boot.h                      |    7 +-
 arch/x86/include/asm/cache.h                     |    5 +-
 arch/x86/include/asm/cacheflush.h                |    2 +-
 arch/x86/include/asm/checksum_32.h               |   12 +-
 arch/x86/include/asm/cmpxchg.h                   |   35 +
 arch/x86/include/asm/cpufeature.h                |    4 +-
 arch/x86/include/asm/desc.h                      |   65 +-
 arch/x86/include/asm/desc_defs.h                 |    6 +
 arch/x86/include/asm/elf.h                       |   31 +-
 arch/x86/include/asm/emergency-restart.h         |    2 +-
 arch/x86/include/asm/fpu-internal.h              |    6 +-
 arch/x86/include/asm/futex.h                     |   16 +-
 arch/x86/include/asm/hw_irq.h                    |    4 +-
 arch/x86/include/asm/io.h                        |   13 +-
 arch/x86/include/asm/irqflags.h                  |    5 +
 arch/x86/include/asm/kprobes.h                   |    9 +-
 arch/x86/include/asm/local.h                     |  142 +-
 arch/x86/include/asm/mman.h                      |   15 +
 arch/x86/include/asm/mmu.h                       |   16 +-
 arch/x86/include/asm/mmu_context.h               |   76 +-
 arch/x86/include/asm/module.h                    |   17 +-
 arch/x86/include/asm/page_64_types.h             |    2 +-
 arch/x86/include/asm/paravirt.h                  |   44 +-
 arch/x86/include/asm/paravirt_types.h            |   17 +-
 arch/x86/include/asm/pgalloc.h                   |   23 +
 arch/x86/include/asm/pgtable-2level.h            |    2 +
 arch/x86/include/asm/pgtable-3level.h            |    4 +
 arch/x86/include/asm/pgtable.h                   |  110 +-
 arch/x86/include/asm/pgtable_32.h                |   14 +-
 arch/x86/include/asm/pgtable_32_types.h          |   15 +-
 arch/x86/include/asm/pgtable_64.h                |   19 +-
 arch/x86/include/asm/pgtable_64_types.h          |    5 +
 arch/x86/include/asm/pgtable_types.h             |   36 +-
 arch/x86/include/asm/processor.h                 |   39 +-
 arch/x86/include/asm/ptrace.h                    |   26 +-
 arch/x86/include/asm/realmode.h                  |    4 +-
 arch/x86/include/asm/reboot.h                    |   10 +-
 arch/x86/include/asm/rwsem.h                     |   60 +-
 arch/x86/include/asm/segment.h                   |   24 +-
 arch/x86/include/asm/smp.h                       |   14 +-
 arch/x86/include/asm/spinlock.h                  |   36 +-
 arch/x86/include/asm/stackprotector.h            |    4 +-
 arch/x86/include/asm/stacktrace.h                |   32 +-
 arch/x86/include/asm/switch_to.h                 |    4 +-
 arch/x86/include/asm/thread_info.h               |   83 +-
 arch/x86/include/asm/uaccess.h                   |   96 +-
 arch/x86/include/asm/uaccess_32.h                |  106 +-
 arch/x86/include/asm/uaccess_64.h                |  232 +-
 arch/x86/include/asm/word-at-a-time.h            |    2 +-
 arch/x86/include/asm/x86_init.h                  |   10 +-
 arch/x86/include/asm/xsave.h                     |   10 +-
 arch/x86/include/uapi/asm/e820.h                 |    2 +-
 arch/x86/kernel/Makefile                         |    2 +-
 arch/x86/kernel/acpi/sleep.c                     |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                 |    6 +-
 arch/x86/kernel/alternative.c                    |   65 +-
 arch/x86/kernel/apic/apic.c                      |    6 +-
 arch/x86/kernel/apic/apic_flat_64.c              |    4 +-
 arch/x86/kernel/apic/bigsmp_32.c                 |    2 +-
 arch/x86/kernel/apic/es7000_32.c                 |    5 +-
 arch/x86/kernel/apic/io_apic.c                   |    8 +-
 arch/x86/kernel/apic/numaq_32.c                  |    3 +-
 arch/x86/kernel/apic/probe_32.c                  |    2 +-
 arch/x86/kernel/apic/summit_32.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c            |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c               |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c               |    2 +-
 arch/x86/kernel/apm_32.c                         |   19 +-
 arch/x86/kernel/asm-offsets.c                    |   20 +
 arch/x86/kernel/asm-offsets_64.c                 |    1 +
 arch/x86/kernel/cpu/Makefile                     |    4 -
 arch/x86/kernel/cpu/amd.c                        |    2 +-
 arch/x86/kernel/cpu/common.c                     |   75 +-
 arch/x86/kernel/cpu/intel.c                      |    2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c            |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                 |   29 +-
 arch/x86/kernel/cpu/mcheck/p5.c                  |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c         |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c             |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                  |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                  |    2 +-
 arch/x86/kernel/cpu/perf_event.c                 |    4 +-
 arch/x86/kernel/cpu/perf_event_intel.c           |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c    |    2 +-
 arch/x86/kernel/cpuid.c                          |    2 +-
 arch/x86/kernel/crash.c                          |    4 +-
 arch/x86/kernel/doublefault_32.c                 |    8 +-
 arch/x86/kernel/dumpstack.c                      |   30 +-
 arch/x86/kernel/dumpstack_32.c                   |   34 +-
 arch/x86/kernel/dumpstack_64.c                   |   63 +-
 arch/x86/kernel/early_printk.c                   |    1 +
 arch/x86/kernel/entry_32.S                       |  354 ++-
 arch/x86/kernel/entry_64.S                       |  512 +++-
 arch/x86/kernel/ftrace.c                         |   14 +-
 arch/x86/kernel/head32.c                         |    4 +-
 arch/x86/kernel/head_32.S                        |  237 ++-
 arch/x86/kernel/head_64.S                        |  158 +-
 arch/x86/kernel/i386_ksyms_32.c                  |    8 +
 arch/x86/kernel/i387.c                           |    2 +-
 arch/x86/kernel/i8259.c                          |    2 +-
 arch/x86/kernel/ioport.c                         |    2 +-
 arch/x86/kernel/irq.c                            |   10 +-
 arch/x86/kernel/irq_32.c                         |   69 +-
 arch/x86/kernel/irq_64.c                         |    2 +-
 arch/x86/kernel/kdebugfs.c                       |    2 +-
 arch/x86/kernel/kgdb.c                           |   25 +-
 arch/x86/kernel/kprobes-opt.c                    |   12 +-
 arch/x86/kernel/kprobes.c                        |   30 +-
 arch/x86/kernel/kvm.c                            |    2 +-
 arch/x86/kernel/ldt.c                            |   31 +-
 arch/x86/kernel/machine_kexec_32.c               |    6 +-
 arch/x86/kernel/microcode_core.c                 |    2 +-
 arch/x86/kernel/microcode_intel.c                |    4 +-
 arch/x86/kernel/module.c                         |   76 +-
 arch/x86/kernel/msr.c                            |    2 +-
 arch/x86/kernel/nmi.c                            |   11 +
 arch/x86/kernel/paravirt-spinlocks.c             |    2 +-
 arch/x86/kernel/paravirt.c                       |   43 +-
 arch/x86/kernel/pci-iommu_table.c                |    2 +-
 arch/x86/kernel/process.c                        |   57 +-
 arch/x86/kernel/process_32.c                     |   29 +-
 arch/x86/kernel/process_64.c                     |   15 +-
 arch/x86/kernel/ptrace.c                         |   25 +-
 arch/x86/kernel/pvclock.c                        |    8 +-
 arch/x86/kernel/reboot.c                         |   44 +-
 arch/x86/kernel/relocate_kernel_64.S             |    4 +-
 arch/x86/kernel/setup.c                          |   14 +-
 arch/x86/kernel/setup_percpu.c                   |   27 +-
 arch/x86/kernel/signal.c                         |   15 +-
 arch/x86/kernel/smp.c                            |    2 +-
 arch/x86/kernel/smpboot.c                        |   15 +-
 arch/x86/kernel/step.c                           |   10 +-
 arch/x86/kernel/sys_i386_32.c                    |  247 ++
 arch/x86/kernel/sys_x86_64.c                     |   19 +-
 arch/x86/kernel/tboot.c                          |   14 +-
 arch/x86/kernel/time.c                           |   10 +-
 arch/x86/kernel/tls.c                            |    7 +-
 arch/x86/kernel/traps.c                          |   64 +-
 arch/x86/kernel/uprobes.c                        |    2 +-
 arch/x86/kernel/vm86_32.c                        |    6 +-
 arch/x86/kernel/vmlinux.lds.S                    |  148 +-
 arch/x86/kernel/vsyscall_64.c                    |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                 |    2 -
 arch/x86/kernel/x86_init.c                       |    8 +-
 arch/x86/kernel/xsave.c                          |    2 +
 arch/x86/kvm/cpuid.c                             |   21 +-
 arch/x86/kvm/emulate.c                           |    4 +-
 arch/x86/kvm/lapic.c                             |    2 +-
 arch/x86/kvm/paging_tmpl.h                       |    2 +-
 arch/x86/kvm/svm.c                               |    8 +
 arch/x86/kvm/vmx.c                               |   47 +-
 arch/x86/kvm/x86.c                               |   10 +-
 arch/x86/lguest/boot.c                           |    3 +-
 arch/x86/lib/atomic64_386_32.S                   |  164 +
 arch/x86/lib/atomic64_cx8_32.S                   |  103 +-
 arch/x86/lib/checksum_32.S                       |  100 +-
 arch/x86/lib/clear_page_64.S                     |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                    |    2 +
 arch/x86/lib/copy_page_64.S                      |   24 +-
 arch/x86/lib/copy_user_64.S                      |   47 +-
 arch/x86/lib/copy_user_nocache_64.S              |   20 +-
 arch/x86/lib/csum-copy_64.S                      |    2 +
 arch/x86/lib/csum-wrappers_64.c                  |    4 +-
 arch/x86/lib/getuser.S                           |   68 +-
 arch/x86/lib/insn.c                              |    6 +-
 arch/x86/lib/iomap_copy_64.S                     |    2 +
 arch/x86/lib/memcpy_64.S                         |   18 +-
 arch/x86/lib/memmove_64.S                        |   34 +-
 arch/x86/lib/memset_64.S                         |    7 +-
 arch/x86/lib/mmx_32.c                            |  243 +-
 arch/x86/lib/msr-reg.S                           |   18 +-
 arch/x86/lib/putuser.S                           |   90 +-
 arch/x86/lib/rwlock.S                            |   42 +
 arch/x86/lib/rwsem.S                             |    6 +-
 arch/x86/lib/thunk_64.S                          |    2 +
 arch/x86/lib/usercopy_32.c                       |  376 ++-
 arch/x86/lib/usercopy_64.c                       |   25 +-
 arch/x86/mm/extable.c                            |   25 +-
 arch/x86/mm/fault.c                              |  555 +++-
 arch/x86/mm/gup.c                                |    2 +-
 arch/x86/mm/highmem_32.c                         |    4 +
 arch/x86/mm/hugetlbpage.c                        |   30 +-
 arch/x86/mm/init.c                               |   92 +-
 arch/x86/mm/init_32.c                            |  122 +-
 arch/x86/mm/init_64.c                            |   48 +-
 arch/x86/mm/iomap_32.c                           |    4 +
 arch/x86/mm/ioremap.c                            |   12 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                |    4 +-
 arch/x86/mm/mmap.c                               |   41 +-
 arch/x86/mm/mmio-mod.c                           |   10 +-
 arch/x86/mm/pageattr-test.c                      |    2 +-
 arch/x86/mm/pageattr.c                           |   33 +-
 arch/x86/mm/pat.c                                |   12 +-
 arch/x86/mm/pf_in.c                              |   10 +-
 arch/x86/mm/pgtable.c                            |  137 +-
 arch/x86/mm/pgtable_32.c                         |    3 +
 arch/x86/mm/setup_nx.c                           |    7 +
 arch/x86/mm/tlb.c                                |    4 +
 arch/x86/net/bpf_jit.S                           |   14 +
 arch/x86/net/bpf_jit_comp.c                      |   37 +-
 arch/x86/oprofile/backtrace.c                    |    8 +-
 arch/x86/pci/amd_bus.c                           |    2 +-
 arch/x86/pci/mrst.c                              |    4 +-
 arch/x86/pci/pcbios.c                            |  144 +-
 arch/x86/platform/efi/efi_32.c                   |   19 +
 arch/x86/platform/efi/efi_stub_32.S              |   64 +-
 arch/x86/platform/efi/efi_stub_64.S              |    8 +
 arch/x86/platform/mrst/mrst.c                    |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                 |    2 +-
 arch/x86/power/cpu.c                             |    4 +-
 arch/x86/realmode/init.c                         |    8 +-
 arch/x86/realmode/rm/Makefile                    |    3 +
 arch/x86/realmode/rm/header.S                    |    4 +-
 arch/x86/realmode/rm/trampoline_32.S             |   12 +-
 arch/x86/realmode/rm/trampoline_64.S             |    2 +-
 arch/x86/tools/relocs.c                          |   95 +-
 arch/x86/vdso/Makefile                           |    2 +-
 arch/x86/vdso/vdso32-setup.c                     |   23 +-
 arch/x86/vdso/vma.c                              |   29 +-
 arch/x86/xen/enlighten.c                         |   47 +-
 arch/x86/xen/mmu.c                               |    9 +
 arch/x86/xen/smp.c                               |   18 +-
 arch/x86/xen/xen-asm_32.S                        |   12 +-
 arch/x86/xen/xen-head.S                          |   11 +
 arch/x86/xen/xen-ops.h                           |    2 -
 block/blk-iopoll.c                               |    4 +-
 block/blk-map.c                                  |    2 +-
 block/blk-softirq.c                              |    4 +-
 block/bsg.c                                      |   12 +-
 block/compat_ioctl.c                             |    2 +-
 block/partitions/efi.c                           |    8 +-
 block/scsi_ioctl.c                               |   27 +-
 crypto/cryptd.c                                  |    4 +-
 drivers/acpi/apei/cper.c                         |    8 +-
 drivers/acpi/ec_sys.c                            |   12 +-
 drivers/acpi/processor_driver.c                  |    2 +-
 drivers/ata/libata-core.c                        |    8 +-
 drivers/ata/pata_arasan_cf.c                     |    4 +-
 drivers/atm/adummy.c                             |    2 +-
 drivers/atm/ambassador.c                         |    8 +-
 drivers/atm/atmtcp.c                             |   14 +-
 drivers/atm/eni.c                                |   10 +-
 drivers/atm/firestream.c                         |    8 +-
 drivers/atm/fore200e.c                           |   14 +-
 drivers/atm/he.c                                 |   18 +-
 drivers/atm/horizon.c                            |    4 +-
 drivers/atm/idt77252.c                           |   36 +-
 drivers/atm/iphase.c                             |   34 +-
 drivers/atm/lanai.c                              |   12 +-
 drivers/atm/nicstar.c                            |   46 +-
 drivers/atm/solos-pci.c                          |    4 +-
 drivers/atm/suni.c                               |    4 +-
 drivers/atm/uPD98402.c                           |   16 +-
 drivers/atm/zatm.c                               |    6 +-
 drivers/base/devtmpfs.c                          |    2 +-
 drivers/base/power/wakeup.c                      |    8 +-
 drivers/block/cciss.c                            |   28 +-
 drivers/block/cciss.h                            |    2 +-
 drivers/block/cpqarray.c                         |   28 +-
 drivers/block/cpqarray.h                         |    2 +-
 drivers/block/drbd/drbd_int.h                    |    6 +-
 drivers/block/drbd/drbd_main.c                   |    8 +-
 drivers/block/drbd/drbd_receiver.c               |   18 +-
 drivers/block/loop.c                             |    2 +-
 drivers/cdrom/cdrom.c                            |    9 +-
 drivers/cdrom/gdrom.c                            |    1 -
 drivers/char/agp/frontend.c                      |    2 +-
 drivers/char/hpet.c                              |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c              |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                 |    8 +-
 drivers/char/mem.c                               |   41 +-
 drivers/char/nvram.c                             |    2 +-
 drivers/char/pcmcia/synclink_cs.c                |   18 +-
 drivers/char/random.c                            |    8 +-
 drivers/char/sonypi.c                            |    9 +-
 drivers/char/tpm/tpm.c                           |    2 +-
 drivers/char/tpm/tpm_acpi.c                      |    3 +-
 drivers/char/tpm/tpm_eventlog.c                  |    7 +-
 drivers/char/virtio_console.c                    |    4 +-
 drivers/clocksource/arm_generic.c                |    2 +-
 drivers/cpufreq/cpufreq.c                        |    2 +-
 drivers/cpufreq/cpufreq_stats.c                  |    2 +-
 drivers/dma/sh/shdma.c                           |    2 +-
 drivers/edac/edac_pci_sysfs.c                    |   20 +-
 drivers/edac/mce_amd.h                           |    2 +-
 drivers/firewire/core-card.c                     |    2 +-
 drivers/firewire/core-cdev.c                     |    3 +-
 drivers/firewire/core-transaction.c              |    1 +
 drivers/firewire/core.h                          |    1 +
 drivers/firmware/dmi_scan.c                      |    7 +-
 drivers/firmware/efivars.c                       |    2 +-
 drivers/gpio/gpio-vr41xx.c                       |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                |    2 +-
 drivers/gpu/drm/drm_drv.c                        |    4 +-
 drivers/gpu/drm/drm_fops.c                       |   18 +-
 drivers/gpu/drm/drm_global.c                     |   14 +-
 drivers/gpu/drm/drm_info.c                       |   14 +-
 drivers/gpu/drm/drm_ioc32.c                      |    4 +-
 drivers/gpu/drm/drm_ioctl.c                      |    2 +-
 drivers/gpu/drm/drm_lock.c                       |    4 +-
 drivers/gpu/drm/drm_stub.c                       |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                  |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c              |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                  |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                  |    6 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c       |    6 +-
 drivers/gpu/drm/i915/i915_irq.c                  |   22 +-
 drivers/gpu/drm/i915/intel_display.c             |    9 +-
 drivers/gpu/drm/mga/mga_drv.h                    |    4 +-
 drivers/gpu/drm/mga/mga_irq.c                    |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c           |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_fence.h          |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c            |    2 +-
 drivers/gpu/drm/r128/r128_cce.c                  |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                  |    4 +-
 drivers/gpu/drm/r128/r128_irq.c                  |    4 +-
 drivers/gpu/drm/r128/r128_state.c                |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c           |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h              |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c            |    2 +-
 drivers/gpu/drm/radeon/radeon_irq.c              |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c            |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c              |    4 +-
 drivers/gpu/drm/radeon/rs690.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c             |    4 +-
 drivers/gpu/drm/via/via_drv.h                    |    4 +-
 drivers/gpu/drm/via/via_irq.c                    |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h              |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c             |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c           |    2 +-
 drivers/hid/hid-core.c                           |    4 +-
 drivers/hv/channel.c                             |    4 +-
 drivers/hv/hv.c                                  |    2 +-
 drivers/hv/hyperv_vmbus.h                        |    2 +-
 drivers/hv/vmbus_drv.c                           |    4 +-
 drivers/hwmon/coretemp.c                         |    2 +-
 drivers/hwmon/sht15.c                            |   12 +-
 drivers/hwmon/via-cputemp.c                      |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c            |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c           |    2 +-
 drivers/ide/ide-cd.c                             |    2 +-
 drivers/infiniband/core/cm.c                     |   32 +-
 drivers/infiniband/core/fmr_pool.c               |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c           |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c          |    6 +-
 drivers/infiniband/hw/nes/nes.c                  |    4 +-
 drivers/infiniband/hw/nes/nes.h                  |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c               |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c              |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c              |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c            |   10 +-
 drivers/infiniband/hw/qib/qib.h                  |    1 +
 drivers/input/gameport/gameport.c                |    4 +-
 drivers/input/input.c                            |    4 +-
 drivers/input/joystick/sidewinder.c              |    1 +
 drivers/input/joystick/xpad.c                    |    4 +-
 drivers/input/mousedev.c                         |    2 +-
 drivers/input/serio/serio.c                      |    4 +-
 drivers/isdn/capi/capi.c                         |   10 +-
 drivers/isdn/gigaset/interface.c                 |    8 +-
 drivers/isdn/hardware/avm/b1.c                   |    4 +-
 drivers/isdn/i4l/isdn_tty.c                      |   22 +-
 drivers/isdn/icn/icn.c                           |    2 +-
 drivers/lguest/core.c                            |   10 +-
 drivers/lguest/x86/core.c                        |   12 +-
 drivers/lguest/x86/switcher_32.S                 |   27 +-
 drivers/md/bitmap.c                              |    2 +-
 drivers/md/dm-ioctl.c                            |    2 +-
 drivers/md/dm-raid1.c                            |   16 +-
 drivers/md/dm-stripe.c                           |   10 +-
 drivers/md/dm-table.c                            |    2 +-
 drivers/md/dm-thin-metadata.c                    |    4 +-
 drivers/md/dm.c                                  |   16 +-
 drivers/md/md.c                                  |   26 +-
 drivers/md/md.h                                  |    6 +-
 drivers/md/persistent-data/dm-space-map.h        |    1 +
 drivers/md/raid1.c                               |    4 +-
 drivers/md/raid10.c                              |   16 +-
 drivers/md/raid5.c                               |   10 +-
 drivers/media/dvb-core/dvbdev.c                  |    2 +-
 drivers/media/dvb-frontends/dib3000.h            |    2 +-
 drivers/media/platform/omap/omap_vout.c          |   11 +-
 drivers/media/platform/s5p-tv/mixer.h            |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c  |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c        |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c      |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c   |    2 +-
 drivers/media/radio/radio-cadet.c                |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c               |    2 +-
 drivers/message/fusion/mptsas.c                  |   34 +-
 drivers/message/fusion/mptscsih.c                |   19 +-
 drivers/message/i2o/i2o_proc.c                   |   51 +-
 drivers/message/i2o/iop.c                        |    8 +-
 drivers/mfd/janz-cmodio.c                        |    1 +
 drivers/misc/kgdbts.c                            |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c               |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h               |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                 |    8 +-
 drivers/misc/sgi-gru/grutables.h                 |  154 +-
 drivers/misc/sgi-xp/xp.h                         |    2 +-
 drivers/misc/sgi-xp/xpc.h                        |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                   |    4 +-
 drivers/mmc/core/mmc_ops.c                       |    2 +-
 drivers/mmc/host/dw_mmc.h                        |    2 +-
 drivers/mmc/host/sdhci-s3c.c                     |    8 +-
 drivers/mtd/devices/doc2000.c                    |    2 +-
 drivers/mtd/nand/denali.c                        |    1 +
 drivers/mtd/nftlmount.c                          |    1 +
 drivers/net/ethernet/8390/ax88796.c              |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h  |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c   |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h   |    3 +-
 drivers/net/ethernet/broadcom/tg3.h              |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h         |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c           |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c      |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c         |    2 +
 drivers/net/ethernet/faraday/ftmac100.c          |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c     |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c |    7 +-
 drivers/net/ethernet/realtek/r8169.c             |    8 +-
 drivers/net/ethernet/sfc/ptp.c                   |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c   |    4 +-
 drivers/net/hyperv/hyperv_net.h                  |    2 +-
 drivers/net/hyperv/rndis_filter.c                |    4 +-
 drivers/net/ieee802154/fakehard.c                |    2 +-
 drivers/net/macvlan.c                            |    2 +-
 drivers/net/macvtap.c                            |    2 +-
 drivers/net/ppp/ppp_generic.c                    |    4 +-
 drivers/net/team/team.c                          |    2 +-
 drivers/net/tun.c                                |    5 +-
 drivers/net/usb/hso.c                            |   23 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c      |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c      |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h              |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c         |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c       |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c        |    4 +-
 drivers/net/wireless/mac80211_hwsim.c            |   32 +-
 drivers/net/wireless/rndis_wlan.c                |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h             |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c        |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c            |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c            |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c            |    6 +-
 drivers/oprofile/buffer_sync.c                   |    8 +-
 drivers/oprofile/event_buffer.c                  |    2 +-
 drivers/oprofile/oprof.c                         |    2 +-
 drivers/oprofile/oprofile_stats.c                |   10 +-
 drivers/oprofile/oprofile_stats.h                |   10 +-
 drivers/oprofile/oprofilefs.c                    |    2 +-
 drivers/oprofile/timer_int.c                     |    2 +-
 drivers/parport/procfs.c                         |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c             |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c              |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c               |    4 +
 drivers/pci/pcie/aspm.c                          |    6 +-
 drivers/pci/probe.c                              |    2 +-
 drivers/platform/x86/thinkpad_acpi.c             |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                  |   14 +-
 drivers/pnp/resource.c                           |    4 +-
 drivers/power/pda_power.c                        |    7 +-
 drivers/regulator/max8660.c                      |    6 +-
 drivers/regulator/max8973-regulator.c            |    8 +-
 drivers/regulator/mc13892-regulator.c            |    6 +-
 drivers/scsi/bfa/bfa.h                           |    2 +-
 drivers/scsi/bfa/bfa_fcpim.h                     |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                       |    4 +-
 drivers/scsi/hosts.c                             |    4 +-
 drivers/scsi/hpsa.c                              |   30 +-
 drivers/scsi/hpsa.h                              |    2 +-
 drivers/scsi/libfc/fc_exch.c                     |   50 +-
 drivers/scsi/libsas/sas_ata.c                    |    2 +-
 drivers/scsi/lpfc/lpfc.h                         |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                 |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                    |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                    |   16 +-
 drivers/scsi/pmcraid.c                           |   20 +-
 drivers/scsi/pmcraid.h                           |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                  |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                   |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                    |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                   |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                    |    6 +-
 drivers/scsi/scsi.c                              |    2 +-
 drivers/scsi/scsi_lib.c                          |    6 +-
 drivers/scsi/scsi_sysfs.c                        |    2 +-
 drivers/scsi/scsi_tgt_lib.c                      |    2 +-
 drivers/scsi/scsi_transport_fc.c                 |    8 +-
 drivers/scsi/scsi_transport_iscsi.c              |    6 +-
 drivers/scsi/scsi_transport_srp.c                |    6 +-
 drivers/scsi/sd.c                                |    2 +-
 drivers/scsi/sg.c                                |    2 +-
 drivers/spi/spi.c                                |    2 +-
 drivers/staging/octeon/ethernet-rx.c             |   12 +-
 drivers/staging/octeon/ethernet.c                |    8 +-
 drivers/staging/ramster/tmem.c                   |   54 +-
 drivers/staging/rtl8712/rtl871x_io.h             |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c               |    2 +-
 drivers/staging/usbip/vhci.h                     |    2 +-
 drivers/staging/usbip/vhci_hcd.c                 |    6 +-
 drivers/staging/usbip/vhci_rx.c                  |    2 +-
 drivers/staging/vt6655/hostap.c                  |    7 +-
 drivers/staging/vt6656/hostap.c                  |    7 +-
 drivers/staging/zcache/tmem.c                    |    4 +-
 drivers/staging/zcache/tmem.h                    |    2 +
 drivers/target/target_core_device.c              |    2 +-
 drivers/target/target_core_transport.c           |    2 +-
 drivers/tty/cyclades.c                           |    6 +-
 drivers/tty/hvc/hvc_console.c                    |   14 +-
 drivers/tty/hvc/hvcs.c                           |   21 +-
 drivers/tty/ipwireless/tty.c                     |   27 +-
 drivers/tty/moxa.c                               |    2 +-
 drivers/tty/n_gsm.c                              |    4 +-
 drivers/tty/n_tty.c                              |    3 +-
 drivers/tty/pty.c                                |    4 +-
 drivers/tty/rocket.c                             |    6 +-
 drivers/tty/serial/kgdboc.c                      |   32 +-
 drivers/tty/serial/samsung.c                     |    9 +-
 drivers/tty/serial/serial_core.c                 |    8 +-
 drivers/tty/synclink.c                           |   34 +-
 drivers/tty/synclink_gt.c                        |   28 +-
 drivers/tty/synclinkmp.c                         |   34 +-
 drivers/tty/tty_io.c                             |    2 +-
 drivers/tty/tty_ldisc.c                          |   10 +-
 drivers/tty/tty_port.c                           |   22 +-
 drivers/uio/uio.c                                |   21 +-
 drivers/usb/atm/cxacru.c                         |    2 +-
 drivers/usb/atm/usbatm.c                         |   24 +-
 drivers/usb/core/devices.c                       |    6 +-
 drivers/usb/core/hcd.c                           |    4 +-
 drivers/usb/core/sysfs.c                         |    2 +-
 drivers/usb/core/usb.c                           |    2 +-
 drivers/usb/early/ehci-dbgp.c                    |   16 +-
 drivers/usb/gadget/u_serial.c                    |   22 +-
 drivers/usb/serial/console.c                     |    6 +-
 drivers/usb/wusbcore/wa-hc.h                     |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                   |    2 +-
 drivers/video/aty/aty128fb.c                     |    2 +-
 drivers/video/fbcmap.c                           |    3 +-
 drivers/video/fbmem.c                            |    6 +-
 drivers/video/i810/i810_accel.c                  |    1 +
 drivers/video/udlfb.c                            |   32 +-
 drivers/video/uvesafb.c                          |   39 +-
 drivers/video/vesafb.c                           |   51 +-
 drivers/video/via/via_clock.h                    |    2 +-
 fs/9p/vfs_inode.c                                |    2 +-
 fs/Kconfig.binfmt                                |    2 +-
 fs/aio.c                                         |   11 +-
 fs/autofs4/waitq.c                               |    2 +-
 fs/befs/linuxvfs.c                               |    2 +-
 fs/binfmt_aout.c                                 |   23 +-
 fs/binfmt_elf.c                                  |  604 ++++-
 fs/binfmt_flat.c                                 |    6 +
 fs/bio.c                                         |    6 +-
 fs/block_dev.c                                   |    2 +-
 fs/btrfs/ctree.c                                 |    9 +-
 fs/btrfs/relocation.c                            |    2 +-
 fs/btrfs/super.c                                 |    2 +-
 fs/cachefiles/bind.c                             |    6 +-
 fs/cachefiles/daemon.c                           |    8 +-
 fs/cachefiles/internal.h                         |   12 +-
 fs/cachefiles/namei.c                            |    2 +-
 fs/cachefiles/proc.c                             |   12 +-
 fs/cachefiles/rdwr.c                             |    2 +-
 fs/ceph/dir.c                                    |    2 +-
 fs/cifs/cifs_debug.c                             |   12 +-
 fs/cifs/cifsfs.c                                 |    8 +-
 fs/cifs/cifsglob.h                               |   54 +-
 fs/cifs/link.c                                   |    2 +-
 fs/cifs/misc.c                                   |    4 +-
 fs/cifs/smb1ops.c                                |   80 +-
 fs/cifs/smb2ops.c                                |   84 +-
 fs/cifs/smb2pdu.c                                |    3 +-
 fs/coda/cache.c                                  |   10 +-
 fs/compat.c                                      |    6 +-
 fs/compat_binfmt_elf.c                           |    2 +
 fs/compat_ioctl.c                                |    8 +-
 fs/configfs/dir.c                                |   10 +-
 fs/coredump.c                                    |   24 +-
 fs/dcache.c                                      |    2 +-
 fs/ecryptfs/inode.c                              |    4 +-
 fs/ecryptfs/miscdev.c                            |    2 +-
 fs/ecryptfs/read_write.c                         |    4 +-
 fs/exec.c                                        |  356 ++-
 fs/ext4/ext4.h                                   |   20 +-
 fs/ext4/mballoc.c                                |   44 +-
 fs/fhandle.c                                     |    3 +-
 fs/fifo.c                                        |   22 +-
 fs/fs_struct.c                                   |    8 +-
 fs/fscache/cookie.c                              |   36 +-
 fs/fscache/internal.h                            |  196 +-
 fs/fscache/object.c                              |   28 +-
 fs/fscache/operation.c                           |   30 +-
 fs/fscache/page.c                                |  110 +-
 fs/fscache/stats.c                               |  344 +-
 fs/fuse/cuse.c                                   |   10 +-
 fs/fuse/dev.c                                    |    2 +-
 fs/fuse/dir.c                                    |    2 +-
 fs/gfs2/inode.c                                  |    2 +-
 fs/hugetlbfs/inode.c                             |   13 +-
 fs/inode.c                                       |    4 +-
 fs/jffs2/erase.c                                 |    3 +-
 fs/jffs2/wbuf.c                                  |    3 +-
 fs/jfs/super.c                                   |    2 +-
 fs/libfs.c                                       |   10 +-
 fs/lockd/clntproc.c                              |    4 +-
 fs/locks.c                                       |    8 +-
 fs/namei.c                                       |   15 +-
 fs/namespace.c                                   |    2 +-
 fs/nfs/inode.c                                   |    6 +-
 fs/nfsd/vfs.c                                    |    6 +-
 fs/notify/fanotify/fanotify_user.c               |    4 +-
 fs/notify/notification.c                         |    4 +-
 fs/ntfs/dir.c                                    |    2 +-
 fs/ntfs/file.c                                   |    4 +-
 fs/ocfs2/localalloc.c                            |    2 +-
 fs/ocfs2/ocfs2.h                                 |   10 +-
 fs/ocfs2/suballoc.c                              |   12 +-
 fs/ocfs2/super.c                                 |   20 +-
 fs/pipe.c                                        |   33 +-
 fs/proc/array.c                                  |   20 +
 fs/proc/kcore.c                                  |   32 +-
 fs/proc/meminfo.c                                |    2 +-
 fs/proc/nommu.c                                  |    2 +-
 fs/proc/self.c                                   |    2 +-
 fs/proc/task_mmu.c                               |   39 +-
 fs/proc/task_nommu.c                             |    4 +-
 fs/quota/netlink.c                               |    4 +-
 fs/readdir.c                                     |    2 +-
 fs/reiserfs/do_balan.c                           |    2 +-
 fs/reiserfs/procfs.c                             |    2 +-
 fs/reiserfs/reiserfs.h                           |    4 +-
 fs/seq_file.c                                    |    2 +-
 fs/splice.c                                      |   36 +-
 fs/sysfs/file.c                                  |   10 +-
 fs/sysfs/symlink.c                               |    2 +-
 fs/udf/misc.c                                    |    2 +-
 fs/xattr_acl.c                                   |    4 +-
 fs/xfs/xfs_bmap.c                                |    2 +-
 fs/xfs/xfs_dir2_sf.c                             |   10 +-
 fs/xfs/xfs_ioctl.c                               |    2 +-
 fs/xfs/xfs_iops.c                                |    2 +-
 include/asm-generic/4level-fixup.h               |    2 +
 include/asm-generic/atomic-long.h                |  210 ++
 include/asm-generic/atomic.h                     |    2 +-
 include/asm-generic/atomic64.h                   |   12 +
 include/asm-generic/cache.h                      |    4 +-
 include/asm-generic/emergency-restart.h          |    2 +-
 include/asm-generic/kmap_types.h                 |    4 +-
 include/asm-generic/local.h                      |   13 +
 include/asm-generic/pgtable-nopmd.h              |   18 +-
 include/asm-generic/pgtable-nopud.h              |   15 +-
 include/asm-generic/pgtable.h                    |    8 +
 include/asm-generic/vmlinux.lds.h                |   10 +-
 include/crypto/algapi.h                          |    2 +-
 include/drm/drmP.h                               |    5 +-
 include/drm/drm_crtc_helper.h                    |    2 +-
 include/drm/ttm/ttm_memory.h                     |    2 +-
 include/linux/atmdev.h                           |    2 +-
 include/linux/binfmts.h                          |    1 +
 include/linux/blkdev.h                           |    2 +-
 include/linux/blktrace_api.h                     |    2 +-
 include/linux/cache.h                            |    4 +
 include/linux/cdrom.h                            |    1 -
 include/linux/cleancache.h                       |    2 +-
 include/linux/compiler-gcc4.h                    |   20 +
 include/linux/compiler.h                         |   72 +-
 include/linux/cpu.h                              |    2 +-
 include/linux/crypto.h                           |    6 +-
 include/linux/decompress/mm.h                    |    2 +-
 include/linux/dma-mapping.h                      |    2 +-
 include/linux/dmaengine.h                        |    4 +-
 include/linux/efi.h                              |    1 +
 include/linux/elf.h                              |    2 +
 include/linux/filter.h                           |    4 +
 include/linux/frontswap.h                        |    2 +-
 include/linux/fs.h                               |    3 +-
 include/linux/fs_struct.h                        |    2 +-
 include/linux/fscache-cache.h                    |    4 +-
 include/linux/fsnotify.h                         |    2 +-
 include/linux/ftrace_event.h                     |    2 +-
 include/linux/genhd.h                            |    2 +-
 include/linux/gfp.h                              |   12 +-
 include/linux/highmem.h                          |   12 +
 include/linux/i2c.h                              |    1 +
 include/linux/i2o.h                              |    2 +-
 include/linux/if_pppox.h                         |    2 +-
 include/linux/init.h                             |   33 +-
 include/linux/init_task.h                        |    7 +
 include/linux/interrupt.h                        |    8 +-
 include/linux/kgdb.h                             |    6 +-
 include/linux/kobject.h                          |    2 +-
 include/linux/kref.h                             |    2 +-
 include/linux/kvm_host.h                         |    4 +-
 include/linux/libata.h                           |    2 +-
 include/linux/list.h                             |    3 +
 include/linux/mm.h                               |   91 +-
 include/linux/mm_types.h                         |   22 +-
 include/linux/mmiotrace.h                        |    4 +-
 include/linux/mmzone.h                           |    2 +-
 include/linux/mod_devicetable.h                  |    4 +-
 include/linux/module.h                           |   55 +-
 include/linux/moduleloader.h                     |   18 +-
 include/linux/moduleparam.h                      |    4 +-
 include/linux/namei.h                            |    6 +-
 include/linux/netdevice.h                        |    3 +-
 include/linux/netfilter/ipset/ip_set.h           |    2 +-
 include/linux/netfilter/nfnetlink.h              |    2 +-
 include/linux/notifier.h                         |    3 +-
 include/linux/oprofile.h                         |    4 +-
 include/linux/perf_event.h                       |   10 +-
 include/linux/pipe_fs_i.h                        |    6 +-
 include/linux/platform_data/usb-ehci-s5p.h       |    2 +-
 include/linux/pm_runtime.h                       |    2 +-
 include/linux/poison.h                           |    4 +-
 include/linux/power/smartreflex.h                |    2 +-
 include/linux/random.h                           |    5 +
 include/linux/reboot.h                           |   14 +-
 include/linux/regset.h                           |    3 +-
 include/linux/relay.h                            |    2 +-
 include/linux/rio.h                              |    2 +-
 include/linux/rmap.h                             |    4 +-
 include/linux/sched.h                            |   64 +-
 include/linux/seq_file.h                         |    1 +
 include/linux/skbuff.h                           |   12 +-
 include/linux/slab.h                             |   36 +-
 include/linux/slab_def.h                         |   33 +-
 include/linux/slob_def.h                         |    4 +-
 include/linux/slub_def.h                         |   10 +-
 include/linux/sonet.h                            |    2 +-
 include/linux/sunrpc/clnt.h                      |    8 +-
 include/linux/sunrpc/svc_rdma.h                  |   18 +-
 include/linux/sysrq.h                            |    2 +-
 include/linux/thread_info.h                      |    7 +
 include/linux/tty.h                              |    4 +-
 include/linux/tty_driver.h                       |    2 +-
 include/linux/tty_ldisc.h                        |    2 +-
 include/linux/types.h                            |   16 +
 include/linux/uaccess.h                          |    6 +-
 include/linux/unaligned/access_ok.h              |   12 +-
 include/linux/usb.h                              |    2 +-
 include/linux/usb/renesas_usbhs.h                |    2 +-
 include/linux/vermagic.h                         |   21 +-
 include/linux/vmalloc.h                          |   11 +-
 include/linux/vmstat.h                           |   20 +-
 include/media/v4l2-dev.h                         |    2 +-
 include/media/v4l2-ioctl.h                       |    1 -
 include/net/caif/cfctrl.h                        |    6 +-
 include/net/flow.h                               |    2 +-
 include/net/gro_cells.h                          |    6 +-
 include/net/inet_connection_sock.h               |    2 +-
 include/net/inetpeer.h                           |    8 +-
 include/net/ip_fib.h                             |    2 +-
 include/net/ip_vs.h                              |    4 +-
 include/net/irda/ircomm_tty.h                    |    1 +
 include/net/iucv/af_iucv.h                       |    2 +-
 include/net/neighbour.h                          |    2 +-
 include/net/net_namespace.h                      |    6 +-
 include/net/netdma.h                             |    2 +-
 include/net/netlink.h                            |    2 +-
 include/net/netns/ipv4.h                         |    2 +-
 include/net/protocol.h                           |    4 +-
 include/net/sctp/sctp.h                          |    6 +-
 include/net/sctp/structs.h                       |    4 +-
 include/net/sock.h                               |    6 +-
 include/net/tcp.h                                |    8 +-
 include/net/xfrm.h                               |    4 +-
 include/rdma/iw_cm.h                             |    2 +-
 include/scsi/libfc.h                             |    3 +-
 include/scsi/scsi_device.h                       |    6 +-
 include/scsi/scsi_transport_fc.h                 |    3 +-
 include/sound/soc.h                              |    4 +-
 include/target/target_core_base.h                |    2 +-
 include/trace/events/irq.h                       |    4 +-
 include/uapi/linux/a.out.h                       |    8 +
 include/uapi/linux/byteorder/little_endian.h     |   24 +-
 include/uapi/linux/elf.h                         |   28 +
 include/uapi/linux/screen_info.h                 |    3 +-
 include/uapi/linux/sysctl.h                      |    6 +-
 include/uapi/linux/xattr.h                       |    4 +
 include/video/udlfb.h                            |    8 +-
 include/video/uvesafb.h                          |    1 +
 init/Kconfig                                     |    2 +-
 init/Makefile                                    |    3 +
 init/do_mounts.c                                 |   14 +-
 init/do_mounts.h                                 |    8 +-
 init/do_mounts_initrd.c                          |   22 +-
 init/do_mounts_md.c                              |    6 +-
 init/init_task.c                                 |    4 +
 init/initramfs.c                                 |   40 +-
 init/main.c                                      |   78 +-
 ipc/msg.c                                        |   11 +-
 ipc/sem.c                                        |   11 +-
 ipc/shm.c                                        |   17 +-
 kernel/acct.c                                    |    2 +-
 kernel/audit.c                                   |    8 +-
 kernel/auditsc.c                                 |    4 +-
 kernel/capability.c                              |    3 +
 kernel/compat.c                                  |   40 +-
 kernel/debug/debug_core.c                        |   16 +-
 kernel/debug/kdb/kdb_main.c                      |    4 +-
 kernel/events/core.c                             |   28 +-
 kernel/exit.c                                    |    4 +-
 kernel/fork.c                                    |  167 +-
 kernel/futex.c                                   |    9 +
 kernel/gcov/base.c                               |    7 +-
 kernel/hrtimer.c                                 |    4 +-
 kernel/jump_label.c                              |    5 +
 kernel/kallsyms.c                                |   39 +-
 kernel/kexec.c                                   |    3 +-
 kernel/kmod.c                                    |    2 +-
 kernel/kprobes.c                                 |    8 +-
 kernel/lockdep.c                                 |    7 +-
 kernel/module.c                                  |  333 ++-
 kernel/mutex-debug.c                             |   12 +-
 kernel/mutex-debug.h                             |    4 +-
 kernel/mutex.c                                   |    7 +-
 kernel/notifier.c                                |   17 +-
 kernel/panic.c                                   |    3 +-
 kernel/pid.c                                     |    2 +-
 kernel/posix-cpu-timers.c                        |    4 +-
 kernel/posix-timers.c                            |   20 +-
 kernel/power/process.c                           |   12 +-
 kernel/profile.c                                 |   14 +-
 kernel/ptrace.c                                  |    6 +-
 kernel/rcutiny.c                                 |    4 +-
 kernel/rcutiny_plugin.h                          |    2 +-
 kernel/rcutorture.c                              |   56 +-
 kernel/rcutree.c                                 |   72 +-
 kernel/rcutree.h                                 |   24 +-
 kernel/rcutree_plugin.h                          |   18 +-
 kernel/rcutree_trace.c                           |   22 +-
 kernel/rtmutex-tester.c                          |   24 +-
 kernel/sched/auto_group.c                        |    4 +-
 kernel/sched/core.c                              |    2 +-
 kernel/sched/fair.c                              |    4 +-
 kernel/signal.c                                  |   12 +-
 kernel/smp.c                                     |    2 +-
 kernel/softirq.c                                 |   16 +-
 kernel/srcu.c                                    |    6 +-
 kernel/stop_machine.c                            |    2 +-
 kernel/sys.c                                     |   12 +-
 kernel/sysctl.c                                  |   37 +-
 kernel/sysctl_binary.c                           |   14 +-
 kernel/time/alarmtimer.c                         |    2 +-
 kernel/time/tick-broadcast.c                     |    2 +-
 kernel/time/timer_stats.c                        |   10 +-
 kernel/timer.c                                   |    4 +-
 kernel/trace/blktrace.c                          |    6 +-
 kernel/trace/ftrace.c                            |   20 +-
 kernel/trace/ring_buffer.c                       |   76 +-
 kernel/trace/trace.c                             |    6 +-
 kernel/trace/trace_events.c                      |   25 +-
 kernel/trace/trace_mmiotrace.c                   |    8 +-
 kernel/trace/trace_output.c                      |   12 +-
 kernel/trace/trace_stack.c                       |    2 +-
 lib/Makefile                                     |    2 +-
 lib/bitmap.c                                     |    8 +-
 lib/bug.c                                        |    2 +
 lib/debugobjects.c                               |    2 +-
 lib/devres.c                                     |    4 +-
 lib/dma-debug.c                                  |    4 +-
 lib/inflate.c                                    |    2 +-
 lib/ioremap.c                                    |    4 +-
 lib/list_debug.c                                 |   89 +-
 lib/radix-tree.c                                 |    2 +-
 lib/strncpy_from_user.c                          |    2 +-
 lib/strnlen_user.c                               |    2 +-
 lib/vsprintf.c                                   |   12 +-
 mm/Kconfig                                       |    6 +-
 mm/filemap.c                                     |    2 +-
 mm/fremap.c                                      |    5 +
 mm/highmem.c                                     |    7 +-
 mm/hugetlb.c                                     |   54 +
 mm/internal.h                                    |    1 +
 mm/maccess.c                                     |    4 +-
 mm/madvise.c                                     |   41 +
 mm/memory-failure.c                              |   18 +-
 mm/memory.c                                      |  404 ++-
 mm/mempolicy.c                                   |   26 +
 mm/mlock.c                                       |   16 +-
 mm/mmap.c                                        |  573 +++-
 mm/mprotect.c                                    |  138 +-
 mm/mremap.c                                      |   44 +-
 mm/nommu.c                                       |   11 +-
 mm/page-writeback.c                              |    2 +-
 mm/page_alloc.c                                  |   14 +-
 mm/percpu.c                                      |    2 +-
 mm/process_vm_access.c                           |   14 +-
 mm/rmap.c                                        |   38 +-
 mm/shmem.c                                       |   19 +-
 mm/slab.c                                        |  104 +-
 mm/slab.h                                        |    5 +-
 mm/slab_common.c                                 |    9 +-
 mm/slob.c                                        |  200 +-
 mm/slub.c                                        |   98 +-
 mm/sparse-vmemmap.c                              |    4 +-
 mm/sparse.c                                      |    2 +-
 mm/swap.c                                        |    3 +
 mm/swapfile.c                                    |   12 +-
 mm/util.c                                        |    6 +
 mm/vmalloc.c                                     |   82 +-
 mm/vmstat.c                                      |   12 +-
 net/8021q/vlan.c                                 |    5 +-
 net/9p/trans_fd.c                                |    2 +-
 net/atm/atm_misc.c                               |    8 +-
 net/atm/lec.h                                    |    2 +-
 net/atm/proc.c                                   |    6 +-
 net/atm/resources.c                              |    4 +-
 net/batman-adv/bat_iv_ogm.c                      |    8 +-
 net/batman-adv/hard-interface.c                  |    4 +-
 net/batman-adv/soft-interface.c                  |    4 +-
 net/batman-adv/types.h                           |    6 +-
 net/batman-adv/unicast.c                         |    2 +-
 net/bluetooth/hci_sock.c                         |    2 +-
 net/bluetooth/l2cap_core.c                       |    6 +-
 net/bluetooth/l2cap_sock.c                       |   12 +-
 net/bluetooth/rfcomm/sock.c                      |    4 +-
 net/bluetooth/rfcomm/tty.c                       |   10 +-
 net/bridge/netfilter/ebtables.c                  |    6 +-
 net/caif/cfctrl.c                                |   11 +-
 net/can/af_can.c                                 |    2 +-
 net/can/gw.c                                     |    6 +-
 net/compat.c                                     |   34 +-
 net/core/datagram.c                              |    2 +-
 net/core/dev.c                                   |   16 +-
 net/core/flow.c                                  |    8 +-
 net/core/iovec.c                                 |    4 +-
 net/core/rtnetlink.c                             |    2 +-
 net/core/scm.c                                   |    8 +-
 net/core/sock.c                                  |   24 +-
 net/decnet/sysctl_net_decnet.c                   |    4 +-
 net/ipv4/ah4.c                                   |    2 +-
 net/ipv4/esp4.c                                  |    2 +-
 net/ipv4/fib_frontend.c                          |    6 +-
 net/ipv4/fib_semantics.c                         |    2 +-
 net/ipv4/inetpeer.c                              |    4 +-
 net/ipv4/ip_fragment.c                           |    2 +-
 net/ipv4/ip_sockglue.c                           |    2 +-
 net/ipv4/ipcomp.c                                |    2 +-
 net/ipv4/ipconfig.c                              |    6 +-
 net/ipv4/netfilter/arp_tables.c                  |   12 +-
 net/ipv4/netfilter/ip_tables.c                   |   12 +-
 net/ipv4/ping.c                                  |    2 +-
 net/ipv4/raw.c                                   |   14 +-
 net/ipv4/route.c                                 |    2 +-
 net/ipv4/tcp_input.c                             |    2 +-
 net/ipv4/tcp_probe.c                             |    2 +-
 net/ipv4/udp.c                                   |   10 +-
 net/ipv6/addrconf.c                              |    2 +-
 net/ipv6/ip6_gre.c                               |    2 +-
 net/ipv6/ipv6_sockglue.c                         |    2 +-
 net/ipv6/netfilter/ip6_tables.c                  |   12 +-
 net/ipv6/raw.c                                   |   19 +-
 net/ipv6/udp.c                                   |    8 +-
 net/irda/ircomm/ircomm_tty.c                     |   18 +-
 net/iucv/af_iucv.c                               |    4 +-
 net/iucv/iucv.c                                  |    2 +-
 net/key/af_key.c                                 |    4 +-
 net/mac80211/cfg.c                               |    4 +-
 net/mac80211/ieee80211_i.h                       |    3 +-
 net/mac80211/iface.c                             |   14 +-
 net/mac80211/main.c                              |    2 +-
 net/mac80211/pm.c                                |    6 +-
 net/mac80211/rate.c                              |    2 +-
 net/mac80211/rc80211_pid_debugfs.c               |    2 +-
 net/mac80211/util.c                              |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                  |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                   |   10 +-
 net/netfilter/ipvs/ip_vs_sync.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                  |    4 +-
 net/netfilter/nfnetlink_log.c                    |    4 +-
 net/netfilter/xt_statistic.c                     |    8 +-
 net/netlink/af_netlink.c                         |    4 +-
 net/packet/af_packet.c                           |   12 +-
 net/phonet/pep.c                                 |    6 +-
 net/phonet/socket.c                              |    2 +-
 net/rds/cong.c                                   |    6 +-
 net/rds/ib.h                                     |    2 +-
 net/rds/ib_cm.c                                  |    2 +-
 net/rds/ib_recv.c                                |    4 +-
 net/rds/iw.h                                     |    2 +-
 net/rds/iw_cm.c                                  |    2 +-
 net/rds/iw_recv.c                                |    4 +-
 net/rds/tcp.c                                    |    2 +-
 net/rds/tcp_send.c                               |    2 +-
 net/rxrpc/af_rxrpc.c                             |    2 +-
 net/rxrpc/ar-ack.c                               |   14 +-
 net/rxrpc/ar-call.c                              |    2 +-
 net/rxrpc/ar-connection.c                        |    2 +-
 net/rxrpc/ar-connevent.c                         |    2 +-
 net/rxrpc/ar-input.c                             |    4 +-
 net/rxrpc/ar-internal.h                          |    8 +-
 net/rxrpc/ar-local.c                             |    2 +-
 net/rxrpc/ar-output.c                            |    4 +-
 net/rxrpc/ar-peer.c                              |    2 +-
 net/rxrpc/ar-proc.c                              |    4 +-
 net/rxrpc/ar-transport.c                         |    2 +-
 net/rxrpc/rxkad.c                                |    4 +-
 net/sctp/ipv6.c                                  |    2 +-
 net/sctp/protocol.c                              |    8 +-
 net/sctp/socket.c                                |    2 +
 net/socket.c                                     |   34 +-
 net/sunrpc/sched.c                               |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                   |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c          |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c            |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c         |   10 +-
 net/tipc/link.c                                  |    6 +-
 net/tipc/msg.c                                   |    2 +-
 net/tipc/subscr.c                                |    2 +-
 net/wireless/wext-core.c                         |   19 +-
 net/xfrm/xfrm_policy.c                           |   16 +-
 net/xfrm/xfrm_state.c                            |    4 +-
 scripts/Makefile.build                           |    2 +-
 scripts/Makefile.clean                           |    3 +-
 scripts/Makefile.host                            |   28 +-
 scripts/basic/fixdep.c                           |   12 +-
 scripts/gcc-plugin.sh                            |   17 +
 scripts/link-vmlinux.sh                          |    2 +-
 scripts/mod/file2alias.c                         |   14 +-
 scripts/mod/modpost.c                            |   25 +-
 scripts/mod/modpost.h                            |    6 +-
 scripts/mod/sumversion.c                         |    2 +-
 scripts/pnmtologo.c                              |    6 +-
 security/Kconfig                                 |  654 ++++-
 security/integrity/ima/ima.h                     |    4 +-
 security/integrity/ima/ima_api.c                 |    2 +-
 security/integrity/ima/ima_fs.c                  |    4 +-
 security/integrity/ima/ima_queue.c               |    2 +-
 security/keys/compat.c                           |    2 +-
 security/keys/keyctl.c                           |    8 +-
 security/keys/keyring.c                          |    6 +-
 security/security.c                              |    9 +-
 security/selinux/hooks.c                         |    2 +-
 security/selinux/include/xfrm.h                  |    2 +-
 security/smack/smack_lsm.c                       |    2 +-
 security/tomoyo/tomoyo.c                         |    2 +-
 sound/aoa/codecs/onyx.c                          |    7 +-
 sound/aoa/codecs/onyx.h                          |    1 +
 sound/core/oss/pcm_oss.c                         |   18 +-
 sound/core/pcm_compat.c                          |    2 +-
 sound/core/pcm_native.c                          |    4 +-
 sound/core/seq/seq_device.c                      |    8 +-
 sound/drivers/mts64.c                            |   14 +-
 sound/drivers/opl4/opl4_lib.c                    |    2 +-
 sound/drivers/portman2x4.c                       |    3 +-
 sound/firewire/amdtp.c                           |    4 +-
 sound/firewire/amdtp.h                           |    2 +-
 sound/firewire/isight.c                          |   10 +-
 sound/firewire/scs1x.c                           |    8 +-
 sound/oss/sb_audio.c                             |    2 +-
 sound/oss/swarm_cs4297a.c                        |    6 +-
 sound/pci/ymfpci/ymfpci.h                        |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                   |   12 +-
 tools/gcc/.gitignore                             |    1 +
 tools/gcc/Makefile                               |   43 +
 tools/gcc/checker_plugin.c                       |  171 +
 tools/gcc/colorize_plugin.c                      |  151 +
 tools/gcc/constify_plugin.c                      |  359 +++
 tools/gcc/generate_size_overflow_hash.sh         |   94 +
 tools/gcc/kallocstat_plugin.c                    |  170 +
 tools/gcc/kernexec_plugin.c                      |  465 +++
 tools/gcc/latent_entropy_plugin.c                |  321 ++
 tools/gcc/size_overflow_hash.data                | 3713 ++++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                 | 1941 +++++++++++
 tools/gcc/stackleak_plugin.c                     |  327 ++
 tools/perf/util/include/asm/alternative-asm.h    |    3 +
 virt/kvm/kvm_main.c                              |   32 +-
 1311 files changed, 26668 insertions(+), 6394 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch